TISAX® Assessment - Information Security in the Automotive Industry in the United States
Mutual recognition among all TISAX® participants
Suppliers and service providers achieve greater trust in your audited company
The assessment for TISAX® certification takes place only every three years
Saving time and costs by participating in the TISAX® network

Basic information about the TISAX® assessment
ISA also refers to ISO/SAE 62443-2-1 for industrial control systems for the automation and monitoring of industrial production facilities (IACS) and operational technologies (OT).
In addition, the responsible bodies at the German Association of the Automotive Industry (VDA) have created the conditions for establishing the joint assessment and exchange mechanism under the name TISAX® (Trusted Information Security Assessment eXchange). TISAX® is a registered trademark of the ENX Association. The Association of European automotive manufacturers, automotive suppliers and automotive associations monitors the quality of TISAX® assessments and controls the approval of TISAX® audit service providers.
More than 10,000 locations have now been assessed according to TISAX®, making this standard the second most widely implemented set of rules for information security worldwide after ISO 27001. VDA and ENX have formed international working groups for TISAX® and the ISA catalog to develop the standard further. At the same time, this promotes closer cooperation with the global automotive industry. With TISAX 6.0, the updated form of the assessment and exchange procedure was published in the fall of 2023.

TISAX® 2.2 - Mandatory from April 1, 2024 - Transition notes
The new ISA Catalog 6.0 is an important milestone for TISAX®. The assessment catalog leads to adjustments of the requirements for audit providers, which were defined in the TISAX® ACAR 2.2 regulations. The change of the main language to English underlines the global perspective and the joint efforts for worldwide development. Further translations of TISAX VDA 6.0 are planned.
The most important changes in the new ISA catalog 6.0 are
Changes to the security labels:
- The Information Security label is replaced by the Availability and Confidentiality labels. Depending on your role in the supply chain, Availability or Confidentiality or both may be relevant to you.
- An existing "Information Security High" label will be replaced with the combined "Availability High" and "Confidential" labels. The same applies to an existing Information Security Very High label. It will be replaced by "Availability very high" and "Strictly confidential".
- Both labels must meet the same set of baseline requirements. In addition, each label has specific requirements for high and very high protection needs. The assessment process is driven by the labels, taking into account your role in the supply chain. It is therefore worth checking with your customers which labels are relevant to your role.
Increased focus on information security and OT systems in the supply chain
- Relevant companies in the supply chain must meet "high availability" or "very high availability" requirements.
- Emphasis on Operational Technology (OT) systems in production and other areas in the TISAX® assessment.
- References to IEC 62443-2-1 and new ISA catalog requirements promote OT focus.
- Inclusion of Industrial Communication and Control Systems (IACS).
- Companies in this category must demonstrate adequate protection of sensitive data in development and production.
- Many of the requirements overlap with "High Sensitivity" or "Very High Sensitivity".
- Companies in the supply chain that are not highly relevant but are entrusted with sensitive information must demonstrate that this information can be adequately protected.
- The "Confidential" or "Strictly Confidential" labels are used to select the TISAX® requirements that contribute to this protection objective.
- The main purpose of the selective assessment described above is to ensure that companies only have to meet the requirements of the ISA catalog that are relevant to their role.
New Challenges for Manufacturing Companies
- OT systems must be subject to management similar to that which is generally required for TISAX® IT systems.
- As a result, the OT in asset management is identified with its specific risks, analyzed for potential vulnerabilities, managed by competent employees, subjected to ISMS-compliant processes for remote maintenance and other best management practices.

What are the advantages of a TISAX® assessment for your company?
- Duplicate and multiple assessments by different clients can be avoided, saving time and money.
- Cross-company recognition of assessments for TISAX® participants
- Reliable results thanks to the harmonized assessment catalog, which ensures a consistent assessment process
- Increased trust in the assessed company through a TISAX® label
After a successful assessment you will receive a TISAX® label on the TISAX® online platform. This label is comparable to a certificate and serves to strengthen the trust in your company and to confirm your efforts to ensure information security.

How does TISAX® work?

How does a TISAX® assessment work?
Before you start with the TISAX® assessment, your company must define a clear scope. This includes the assessment level, which defines the specific assessment requirements. These requirements may include ensuring the "availability" of production capacities, guaranteeing the "confidentiality" of entrusted information, or securing "prototype parts" and "personal data". These baseline criteria apply to all sites within the scope.
A key challenge is to combine sites with similar requirements into a single scope. DQS can provide valuable design guidance on whether it should be a single comprehensive scope or multiple scopes. In principle, there are advantages to combining sites under one scope in the form of a possible reduction in audit effort if all sites operate under a centralized ISMS.
The results of the TISAX® audit are recorded in an interim report. In case of non-conformities, measures to be implemented are agreed upon. If necessary, the implementation of the measures is determined within an agreed upon period. This procedure ensures that all identified problems are addressed effectively and promptly.
Once the non-conformities have been closed, an effectiveness review is performed to validate the closure of the nonconformities and to assess the overall effectiveness of the corrective actions taken.
The final result will be published online in the ENX® portal. Your company will then be listed as a participant in the TISAX® process with the corresponding test label. In contrast to other certifications, there is no TISAX® certificate.

What does the TISAX® assessment cost?
The protection goals, for example, are about whether you want to include topics such as prototype protection or data protection in the assessment. If you want to get involved in the TISAX® procedure, talk to DQS, your approved audit service provider, as early as possible. This is the only way we can determine the correct calculation for the assessment scope, and provide you with a reliable quote for the cost of your TISAX® certification.

What you can expect from us
- More than 35 years of experience in the certification of management systems and processes
- Certificates with international acceptance
- Personal, smooth support from our specialists - regionally, nationally and internationally
- Individual offers with flexible contract terms without hidden costs

TISAX® Assessment
DQS GmbH is a registered TISAX® participant and has undergone a TISAX® assessment for the "Information Security Very High" label at Assessment Level 3. TISAX® assessments are performed by ENX accredited assessment service providers. TISAX® assessment results are not intended for the general public. The result of the assessment at DQS GmbH is available to registered participants via the ENX portal: https://portal.enx.com/
Master TISAX ISA 6.0 in Our Free Webinar Recording
Dive into the essential changes in the new TISAX® ISA 6.0. From important dates, a new label system, general trends, and major and minor adjustments to the ISMS, this recording will equip you and your organization with the knowledge and insights needed to ensure continued compliance.