Like many sectors, the automotive industry is rapidly becoming digitalized. And with digital transformation comes data and cybersecurity concerns. This is why TISAX, an information security assessment and certification program for the automotive sector based on ISO 27001, was introduced. Is your company certified yet?
The automotive industry is undergoing a digital transition: autonomous vehicles, an explosion of multimedia options behind the wheel, and the success of electric motors. These new technologies and the digital transformation of the supply chain are driving a revolution in security and compliance.
Automotive manufacturers have no choice but to secure the colossal networks of their international suppliers and protect all involved data—an immensely complex task. To address these growing challenges, the industry has found a common solution: the Trusted Information Security Assessment Exchange (TISAX).
Why TISAX?
Automotive manufacturers collaborate with numerous partners and suppliers for the design, production, and distribution of their vehicles. In doing so, they exchange confidential information, such as new models. If this valuable data isn’t properly protected, it can be lost, altered, or even stolen. Therefore, manufacturers rigorously select each new partner, even for marketing and sales activities.
What Is TISAX For?
TISAX is a common assessment and exchange mechanism that extends beyond the automotive industry. This trademark of the ENX association was developed under the direction of the VDA (German Automotive Industry Association) to ensure impeccable information security levels. TISAX ensures standardization, quality assurance, and mutual recognition of information security audits according to ISO 27001 standards. The main objectives are to guarantee secure information processing by business partners, protect prototypes, and comply with GDPR conditions.
Who Must Comply with TISAX Certification?
Any company wishing to do business with key entities in the German, and by extension European, automotive industry must apply for TISAX accreditation. This rule applies to all automotive companies and service providers handling confidential data. This includes all information that could identify individuals or vehicles, such as customer data, worker data, and technical details. Additionally, it includes all information about development or production processes that competitors could potentially use to gain a competitive advantage.

What Are the Benefits of TISAX Certification?
- Industry-wide Recognition: Recognized throughout the automotive industry, TISAX certification ensures information security across the supply chain.
- Better Market Position: Automotive industry companies increasingly require their suppliers to comply with TISAX. Your company is better positioned in the market with TISAX certification.
- Enhanced Cybersecurity: The cybersecurity measures required for certification are likely to benefit your company overall. You’ll improve data security not only for your partners but also for your own company.
- Customer Trust: The additional assurance provided by TISAX compliance strengthens partner and customer trust, improves your company’s overall image, and potentially gives you a competitive advantage. Renewal of contracts with existing suppliers will also be simplified.
TISAX Requirements
What are the conditions for obtaining TISAX certification? Many requirements stem from ISO 27001 and NIS2 legislation. Some examples include:
- Implementation of a reliable information management system, including risk assessment and reduction
- Application of secure software development practices
- Adherence to information security best practices
- Ensuring secure IT infrastructure
- Establishment of incident response and disaster recovery plans
- Implementation of appropriate security measures and controls
- Conducting frequent security reviews
- Compliance with relevant legal and regulatory mandates (including GDPR)
TISAX Certification in 2025: What’s Really at Stake for Automotive Suppliers
If your company supplies components, services, or data to any major automotive OEM — BMW, Volkswagen Group, Mercedes-Benz, Stellantis — TISAX certification is no longer optional. Since 2017, the Trusted Information Security Assessment Exchange has become the de facto information security standard for the automotive supply chain. Companies without TISAX certification are increasingly disqualified from RFQs before technical evaluation even begins.
Understanding the TISAX Assessment Levels
TISAX operates on three assessment levels, each with increasing rigor and assurance requirements:
Assessment Level 1 (AL1) is a self-assessment for low-sensitivity information — normal business data. It’s conducted internally using the VDA ISA questionnaire and typically takes 2-4 weeks for prepared organizations.
Assessment Level 2 (AL2) covers confidential information, including personal data and sensitive technical documentation. It requires a plausibility check by an accredited TISAX auditor (ENX-approved audit provider). Most tier-1 and tier-2 suppliers operate at this level.
Assessment Level 3 (AL3) is for highly sensitive information — prototype data, pre-production vehicle designs, and top-secret technical specifications. It requires a full on-site audit with evidence review and interviews. Achieving AL3 can take 6-12 months for organizations starting from scratch.
The VDA ISA Framework: 9 Domains You Must Master
The VDA Information Security Assessment covers 9 domains: Information Security Policy, Organization, Human Resources, Physical and Environmental Security, Identity and Access Management, IT Operations Security, Cryptography, Supplier Relationships, and Incident Management. Each domain has “must” requirements (binary pass/fail) and “should” requirements (scored 0-3). A TISAX result requires all “must” criteria satisfied and an average score ≥ 3.0 on “should” criteria.
Common Gaps Found During TISAX Pre-Assessments
The three most common deficiencies AJA Consulting identifies during TISAX pre-assessments are: (1) absence of a formal Information Security Management System (ISMS) with documented policies and procedures (required by all levels); (2) inadequate access control governance, particularly for privileged accounts and vendor remote access; and (3) missing data classification and handling procedures for prototype and confidential technical data. Addressing these three gaps resolves approximately 70% of typical TISAX non-conformities.
The TISAX Certification Process Step by Step
The certification process involves: (1) registration on the ENX portal and scope definition, (2) gap analysis against VDA ISA 6.0, (3) remediation project (typically 3-6 months), (4) internal pre-assessment to validate readiness, (5) audit by accredited provider (DEKRA, TÜV, Bureau Veritas), and (6) result publication on the ENX exchange platform where your automotive customers can verify your certification. Results are valid for 3 years with an interim assessment in year 2.
How AJA Consulting Accelerates Your TISAX Journey
AJA Consulting has guided Belgian and European automotive suppliers through TISAX AL2 and AL3 certifications, reducing typical preparation time by 40% through our proven gap-to-compliance methodology. We handle ISMS documentation, technical controls implementation, staff training, and audit preparation — so your team can focus on what they do best. Schedule your TISAX readiness assessment today and get a realistic timeline and budget for your certification.


