Information security in the automotive industry

Are you a supplier or service provider for the automotive industry? Then in future you will only have to provide proof of the security of sensitive information provided to you by clients once every three years - as a participant in the TISAX® procedure via a corresponding assessment. The procedure is applicable across all industries and defines requirements for information security in your company.


Mutual recognition among all TISAX® participants

Suppliers and service providers achieve greater trust in your audited company

The assessment for TISAX® certification takes place only every three years

Saving time and costs by participating in the TISAX® network


Basic information about the TISAX® assessment

TISAX® is a common assessment and exchange procedure for the automotive sector. It is based on the questionnaire (ISA - Information Security Assessment) developed by the VDA working group "Information Security", which in turn is based on key aspects of the international standard ISO/IEC 27001 and has been extended to include a maturity model.

In addition, the responsible bodies at the German Association of the Automotive Industry (VDA) have created the conditions for establishing the joint assessment and exchange mechanism under the name TISAX® (Trusted Information Security Assessment eXchange). TISAX® is a registered trademark of the ENX Association. The Association of European automotive manufacturers, automotive suppliers and automotive associations monitors the quality of TISAX® assessments and controls the approval of TISAX® audit service providers.


Why is a TISAX® assessment useful for my company?

As a service provider or supplier in the automotive industry, you need to prove to your customers that you comply with information security requirements. Until now, these assessments were primarily performed by the manufacturers themselves. Registered participants in the TISAX® network can now select an audit service provider via a common online platform and request an assessment. The advantages for companies outweigh the disadvantages:

  • Duplicate and multiple assessments by different customers can be avoided
  • Cross-company recognition of information security assessments for TISAX® participants
  • Reliability of results due to the harmonized VDA ISA test catalog
  • Strengthening of trust in audited companies with TISAX® label

What are the requirements of TISAX®?

The TISAX® assessment and exchange procedure contains the requirements of the VDA Information Security Assessments (ISA). This questionnaire on information security in the automotive industry was developed by the VDA working group. However, TISAX® is also based on essential requirements of ISO 27001 (Information Security Management System).

The industry-specific VDA ISA catalog has been available in version 5.1 since 2022. This version has been mandatory for all TISAX® audits since January 2022. The requirements from ISO 27001, the international and cross-industry standard for information security, in turn contribute, among other things, to companies looking beyond the protection of technical IT systems, namely to all corporate assets to be protected.


How does TISAX® work?

In TISAX®, participants can take on two different roles: the "Information Consumer" (passive), for example a manufacturer who would like to receive information about a vendor, and the "Information Contributor" (active), for example a parts supplier or service provider who would like to be audited for suitability in order to receive orders from manufacturers.

A company can also take on both participant roles. Anyone wishing to participate in TISAX® as an Information Contributor must take the following four main steps:

  • 1. Register online at
  • 2. Select an ENX-approved audit service provider such as DQS
  • 3. Undergo a TISAX® assessment
  • 4. Exchange the audit results on the TISAX® online platform.

TISAX Participation Price Models by ENX

a) Assessment Based Charges (“ABC”) Model (by default) 

  • The standard model covers all costs related to a participant's TISAX Assessment Scope registration.
  • It is one-time per location per TISAX Assessment Scope (discounts automatically apply when applicable for a multi-site registration) for the period of validity of your assessment.
  • The participant can see assessment results of other TISAX Participants if it has a valid TISAX Assessment and shares it.
  • To register 20 or more locations and/or a multitude of different scopes, the participant should contact ENX to check the applicability of the Participation Based Charges (“PBC”) Model.

b) Participation Based Charges (“PBC”) Model (optional) 

  • The participant can register an arbitrary number of TISAX Assessment Scopes and Locations with a yearly fee.
  • To register for PBC Model, the participant shall contact ENX.
  • An individual applicability check is necessary to see assessment results of other TISAX Participants without a valid and shared TISAX Assessment Result.

Assessment Level 

  • AL2 - Remote plausibility check
  • AL2.5 - Remote full audit (for label of AL2)
  • AL3 - On-site full audit

Assessment Scope

1. Standard scope

  • The standard scope description is predefined, strongly recommended, and normally accepted by all participants.
  • This is the standard scope description:
    The standard scope comprises all processes and involved resources at the sites defined below that are subject to security requirements from partners in the automotive industry. Involved processes and resources include collection of information, storage of information and processing of information.
  • Examples for involved resources:
    Work equipment, employees, IT systems including cloud services such as infrastructure/platform/software as a service, physical sites, relevant contractors.
  • Examples for sites:
    Office sites, development sites, production sites, data centres.

2. Custom scope

2.1 Extended scope

  • An extended scope may be relevant if you want to use your TISAX assessment for internal purposes or outside of the automotive industry.
  • An extended scope always includes the standard scope and will receive TISAX labels.
  • The participant needs to write its own custom scope description.

2.2 Narrowed scope

  • Narrowed scopes don’t receive TISAX labels.
  • The participant can share an assessment result without TISAX label.
  • Other TISAX participants generally don’t accept assessment results of narrowed scopes.
  • The participant needs to write its own custom scope description.
  • An example of narrowed scope:
    Physical security, resources and processes of the part of the data centre that are used to fulfil services of Company XXX.

3. One scope for multiple locations 

  • A single scope can contain more than one location with one assessment report, one assessment result, and one expiration date.

Assessment Objectives 

Based on the type of data handling on behalf of its partner, the participant shall select one or more from 8 TISAX assessment objectives:

  1. Information with high protection needs (Info high)
          -  "Confidential", or
          -  "High Availability"
  2. Information with very high protection needs (Info very high)
          -  "Strictly Confidential", or
          -  "Very High Availability"
  3. Protection of prototype parts and components (Proto parts)
  4. Protection of prototype vehicles (Proto vehicles)
  5. Handling of test vehicles (Test vehicles)
  6. Protection of prototypes during events and film or photo shootings (Events + Shootings)
  7. Data protection (Data)
          According to Article 28 (“Processor”) of the GDPR
  8. Data protection with special categories of personal data (Special data)
          According to Article 28 (“Processor”) with special categories of personal data as specified in Article 9 of the GDPR


  • Each assessment objective is linked to a criteria catalogue of the ISA.
  • The assessment objectives are linked to the TISAX Labels of the same names.
  • “Information high” is the minimum objective for a TISAX assessment.
  • Depending on the information being handled, the participant may have to add further assessment objectives.
  • Either “Info high” or “Info very high” is the basis for other assessment objectives.
  • We strongly recommend consulting your partners/customers before deciding the assessment objectives.
  • The partners/customers may request that the participant be assessed at a certain “Assessment Level” (AL).

How does a TISAX® assessment work?

The requirements of the scope and the assessment level must be defined by you in advance, for example "with or without prototype protection".

As a TISAX® participant, you must first register online, after which the scope ID is assigned by ENX (an annual service fee applies).

In the first step, you can select DQS, approved by ENX, as your TISAX audit service provider.

In the second step, there are:

  • a Kick-off Meeting,
  • a Document Review on the organization's self-assessment report, and
  • an assessment (AL2: remote, AL3: on-site).

Please note:
There is an alternative method for conducting an assessment in Assessment Level 2. Instead of a plausibility check, your audit service provider conducts a full remote assessment. This method is sometimes referred to as "Assessment Level 2.5."
The advantage of an Assessment Level 2.5 is that the approach is methodologically compatible with Assessment Level 3. It is therefore possible to upgrade to a full Assessment Level 3 exam at a later date with manageable effort.

The findings from the audit are recorded in an interim report.

In the event of non-conformities, measures to be implemented are agreed.

If necessary, the implementation of measures is determined within an agreed period of time.

After closing the non-conformities, an effectiveness check is carried out by means of an audit.

The final report is posted online on the ENX® portal. This lists your company as a participant with the corresponding audit label.

Since 2018, DQS has provided TISAX audits for a large number of clients, such as:

Samsung, Bosch, KPMG, NTT, DHL, Verizon, Valeo, Dell, Fischer, Hyundai, LG, Mobis, Yazaki, Delphi, etc.


What does the TISAX® assessment cost?

Two important factors

Two important factors influence the scope of the entire assessment and thus the costs. Assessments are possible on the basis of an extended scope, a standard scope, or a restricted scope. Your decision for a scope should be well prepared and determined by the desired protection goals, but also by the size of your company.

The protection goals, for example, are about whether you want to include topics such as prototype protection or data protection in the assessment. If you want to get involved in the TISAX® procedure, talk to DQS, your approved audit service provider, as early as possible. This is the only way we can determine the correct calculation for the assessment scope, and provide you with a reliable quote for the cost of your TISAX® certification.


What can you expect from us?

  • DQS is an approved audit service provider of the ENX Association
  • Value-adding insights into information security in your organization
  • Accreditations for all relevant regulations in the automotive industry
  • Industry-experienced auditors and experts from the field
  • More than 35 years of experience in the certification of management systems and processes
  • Certificates with international acceptance
  • Personal, smooth support from our specialists - regionally, nationally and internationally
  • Individual offers with flexible contract terms without hidden costs
