🚨  NIS2 is now in effect. Security awareness is now legally required in the EU.

Check compliance
Start your free trial
Back to Resource Center

TISAX certification: what it is, the requirements and how it differs from ISO 27001

If you supply to the automotive industry, sooner or later a customer will ask about TISAX. Manufacturers such as Volkswagen, BMW and Mercedes-Benz only share sensitive information, from prototype data to customer data, with suppliers and service providers that have proven their information security. TISAX, short for Trusted Information Security Assessment Exchange, is the standard they use for that proof.

In this article we cover what a TISAX label actually declares, the requirements you are assessed against in 10 themes, why the standard reaches far beyond direct suppliers, and how TISAX compares to ISO 27001.

What is TISAX certification?

Strictly speaking, TISAX is not a certification. You do not receive a certificate but a TISAX label, valid for three years, which you share with customers through the portal of ENX Association, the organization that manages TISAX on behalf of the German automotive association VDA. The label declares that an accredited audit provider has verified that your information security meets the requirements of the VDA ISA catalogue, at the assessment level your customer demands.

That assessment level depends on how sensitive the information is that you handle. At AL1 the auditor only checks that a completed self-assessment exists, which is why hardly any manufacturer accepts it. AL2 adds a plausibility check on your self-assessment with evidence sampling, usually remote. AL3, required for prototypes and other strictly confidential information, means a full on-site audit with interviews and observations.

In the run-up to the assessment, before you engage an audit provider, you complete a self-assessment against the VDA ISA catalogue. That is also the moment to get security awareness training in place with a tool like Guardey. The catalogue requires demonstrably trained staff, and because the auditor scores maturity rather than a snapshot, a training program that has been running for months is worth far more than one that started last week.

Working toward your TISAX label?

Guardey's gamified security awareness training gives you the training records auditors ask for, from day one. (Set up in minutes, no payment details required.)

Try Guardey free for 14 days

TISAX requirements: the VDA ISA catalogue in 10 themes

The TISAX requirements come from the VDA ISA catalogue (version 6), a questionnaire with over 300 questions spread across three modules: information security, prototype protection and data protection. For every control the auditor scores your maturity on a scale from 0 to 5, and the target is maturity level 3: the process does not just exist, it is documented and demonstrably followed. Summarized in 10 themes, this is what the assessment covers:

  1. Policy and organization. An information security policy, assigned responsibilities and risk management, the foundation of your ISMS.
  2. People and awareness. Screened employees, confidentiality agreements and demonstrable security awareness training for everyone, with records of who was trained and when.
  3. Physical security. Zoning, access control to buildings and secure handling of visitors.
  4. Identity and access management. Least privilege, strong authentication and revoking access on time.
  5. IT and cyber security. Hardening, malware protection, patch management, network security and logging.
  6. Incident management and continuity. Recognizing, reporting and handling incidents, plus backup and availability.
  7. Supplier relationships. Passing security requirements on to your own subcontractors and service providers.
  8. Compliance. Meeting legal and contractual requirements and periodically testing that yourself.
  9. Prototype protection. A separate module for anyone working with prototypes, test vehicles or camouflage.
  10. Data protection. A separate GDPR module for anyone processing personal data on behalf of the manufacturer.

Theme 7 explains why TISAX keeps spreading through the supply chain. Manufacturers require the label from their direct suppliers, who in turn must impose the requirements on their own subcontractors. And the scope is wider than parts: engineering firms, logistics providers, IT companies and even marketing agencies fall under it as soon as they handle protected information from an automotive customer. The label is shared through the ENX platform, so you are assessed once instead of by every customer separately.

ISO 27001 vs TISAX: the differences

TISAX is built on ISO 27001 and ISO 27002, so the overlap is large. Anyone who has set up an ISMS for ISO 27001 has done most of the groundwork for TISAX. Still, there are four differences that matter in practice:

  • Scope. ISO 27001 is generic and applies to any industry. TISAX is automotive-specific and adds requirements that ISO does not cover, such as prototype protection.
  • Output. ISO 27001 results in a public certificate. TISAX results in a label that is only visible to the partners you share it with through the ENX portal.
  • Assessment method. An ISO auditor assesses whether your management system works. A TISAX auditor scores maturity per control, which makes the result more granular and harder to talk your way through.
  • Recognition. ISO 27001 opens doors in every industry; within automotive it is usually not enough. Manufacturers ask specifically for the TISAX label, and an ISO certificate does not replace it.

The good news: on the human side the two overlap completely. ISO 27001 requires awareness through clause 7.3 and control 6.3, TISAX through its people and awareness controls. One well-documented security awareness program therefore produces evidence for both assessments at once.

Frequently asked questions

How long is a TISAX label valid?

Three years. After that a full reassessment follows. Unlike ISO 27001 there are no annual surveillance audits in between, but you are expected to maintain the assessed level, and your next audit will show whether you did.

Is TISAX mandatory?

Not by law. It is a contractual requirement: manufacturers and large tier 1 suppliers demand the label before sharing protected information. In practice that makes it just as binding, because without a label those orders go elsewhere.

Do I automatically meet TISAX with an ISO 27001 certificate?

No. The overlap is large, but TISAX adds automotive-specific requirements and uses its own maturity assessment. An ISO 27001 certificate speeds up your preparation considerably, but you will still need to go through the TISAX assessment itself.

Whether TISAX is on your roadmap for this year or a customer just dropped the word in a call, the first step is the same: run the self-assessment and see where you stand. The people and awareness theme is one of the few you can get moving on the same day, and it counts toward other compliance frameworks too.

Preparing for a TISAX assessment?

In a 45-minute demo we'll show you how Guardey combines awareness training with phishing simulations, and how the reporting gives your auditor exactly the evidence they ask for.

Schedule a personal demo
Dinela Lokvancic
Dinela Lokvancic Marketing Specialist Dinela keeps Guardey's online presence up to date. She creates content that makes complex cyber security topics accessible, and helps organizations understand why security awareness training matters for their teams.
READY TO GET STARTED?

Join 500+ businesses already protecting their teams with Guardey

Start your free 14-day trial
14 days free · No credit card · Full access · Setup in 5 minutes
Or schedule a personalised demo