AuditXYZ

Compliance Framework

Trusted Information Security Assessment Exchange

TISAX is the automotive industry's standardized information security assessment. This guide covers assessment levels, the VDA ISA catalog, prototype protection, and the path to TISAX labels.

Issuing Body: ENX Association (on behalf of the German Association of the Automotive Industry, VDA)
First Published: 2017-01-01
Latest Version: VDA ISA 6.0 (2024)
Typical Cost: $30,000–$200,000
Typical Timeline: 4–12 months
Audit Required: Yes
Audit Frequency: Labels are valid for 3 years. Assessment by an ENX-accredited audit provider is required.
Geography: European Union, global

TISAX: Automotive Information Security Assessment Guide

TISAX (Trusted Information Security Assessment Exchange) is the standardized information security assessment mechanism for the automotive industry. Managed by the ENX Association and based on the VDA Information Security Assessment (ISA) catalog, TISAX enables suppliers and partners to demonstrate their information security maturity through a single assessment that is recognized across the automotive supply chain — eliminating the need for each OEM to conduct separate audits.

What TISAX Covers

TISAX assessments are based on the VDA ISA catalog, which covers information security, prototype protection, and data protection. The information security module aligns closely with ISO 27001 but adds automotive-specific requirements around supply chain security, project-specific security, and connected vehicle data. The prototype protection module addresses physical security of vehicle prototypes, test vehicles, and pre-release components. The data protection module covers GDPR compliance requirements.

Assessment levels determine the rigor of the evaluation. AL 1 is a self-assessment (rarely accepted). AL 2 involves a remote audit by an accredited provider. AL 3 requires an on-site audit and is mandatory for handling highly sensitive information or prototypes.

Who Needs TISAX

TISAX is required for virtually all companies in the automotive supply chain that handle sensitive information from OEMs. This includes component suppliers, engineering service providers, IT service providers, logistics companies, and toolmakers. Major OEMs including Volkswagen, BMW, Daimler, and others require TISAX labels from their suppliers as a contractual condition.

Implementation Approach

Register on the ENX portal and define your assessment scope. Conduct a self-assessment using the VDA ISA catalog to identify gaps. Remediate gaps by implementing required controls — focus on areas where automotive requirements diverge from general IT security. Select an ENX-accredited audit provider and schedule the assessment. After successful assessment, your TISAX labels are published on the ENX portal for partner verification.

Cost Considerations

Total costs range from $30,000 for smaller suppliers with AL 2 assessments and strong existing security to $200,000 for larger organizations requiring AL 3 with prototype protection. Audit provider fees typically run $15,000 to $40,000 depending on scope and assessment level. Organizations with existing ISO 27001 certification find TISAX preparation significantly easier, with many controls directly transferable.
