With the acceleration of digital transformation in the automotive industry, the rapid development of intelligent connected vehicles, autonomous driving technology, and the Internet of Vehicles has led to a sharp increase in information security risks.
At the same time, the globalization and complexity of the automotive supply chain have led to sensitive data (such as design drawings, customer information, vehicle testing data, etc.) facing threats such as leakage and tampering when circulating across enterprises.
Although traditional information security standards such as ISO/IEC 27001 are broadly applicable, they are not tailored to the specific needs of the automotive industry.
As a result, TISAX emerged, with its core value lying in:
1. Unified evaluation criteria: eliminating differences in how vendors interpret information security requirements and reducing the cost of duplicate audits.
2. Strengthened supply chain trust: a standardized mechanism for mutual recognition of evaluation results improves the efficiency of collaboration across the industry chain.
3. Regulatory compliance: meeting the requirements of EU regulations such as the General Data Protection Regulation (GDPR) for cross-border data transmission.
1. Applicable objects
TISAX certification covers all participants in the automotive industry chain, including:
Vehicle manufacturers (OEMs): such as German OEMs and their global branches;
Component suppliers: Tier 1 to Tier 3 suppliers, covering hardware, software, and service providers;
Service providers: IT service providers, research and development institutions, testing laboratories, and data processing companies.
2. Certification conditions
The enterprise must be a legally operating entity and a key link in the automotive supply chain;
The enterprise must handle sensitive information belonging to OEMs or partners (such as design data, customer information, vehicle parameters, etc.);
The enterprise must establish an Information Security Management System (ISMS) that meets TISAX requirements, including control measures for confidentiality, integrity, and availability;
The enterprise must pass an external audit by an ENX-authorized institution and meet the maturity rating requirements defined in the VDA ISA standard.
1. Scope and Object of Evaluation
TISAX focuses on three core areas:
Prototype vehicles and intellectual property protection: preventing the leakage of undisclosed research and development data;
Customer data privacy management: ensuring compliance with privacy regulations such as GDPR;
Third-party connection security: ensuring the security of data interfaces with partners, cloud service providers, etc.
2. Classification of evaluation levels
TISAX provides three-level evaluation criteria based on the risk level of enterprise business scenarios:
Level 1 (Basic): suitable for low-risk scenarios, verified through a self-assessment questionnaire;
Level 2 (Standard): for medium- to high-risk scenarios, an on-site audit by a third-party auditing agency is required;
Level 3 (Advanced): requires more rigorous penetration testing and process validation, for enterprises handling core secrets such as autonomous driving algorithms.
3. Evaluation process and mutual recognition mechanism
Registration and Scope Definition: Enterprises register through the ENX platform, specifying the scope and level of evaluation;
Self-assessment and document preparation: work through the control items in the VDA-ISA (Information Security Assessment) catalogue;
On-site audit: conducted by an ENX-accredited audit firm (such as DEKRA or TÜV);
Mutual recognition of results: evaluated enterprises obtain TISAX labels, and the results can be shared among OEMs (such as Volkswagen and BMW) to avoid duplicate audits.
1. Industry relevance
Enterprises need to belong to the automotive industry chain, including OEMs, suppliers (Tier 1/2/3), technology service providers (such as software development and cloud services), or partners (such as logistics and testing institutions).
2. Driven by customer or business needs
The enterprise must clarify, based on customer requirements (from OEMs such as Volkswagen and BMW), which TISAX evaluation level (Level 1/2/3) and which coverage scope (such as prototype protection and third-party connection security) it needs to meet.
3. Fundamentals of Information Security Management System (ISMS)
An ISMS framework that complies with the ISO/IEC 27001 standard must already be established (or the enterprise must commit to building it in parallel with the certification process).
4. ENX platform registration
Enterprises need to complete registration on the ENX Association's official website, pay an annual fee (approximately 200-500 euros), and obtain access to the TISAX platform.
(I.) Core application materials
1. System documents
Information Security Policy: Clarify enterprise information security objectives, division of responsibilities, and management principles.
Risk Assessment Report: Based on TISAX requirements, identify risks and response measures for data, systems, and physical environments.
Control Measures Document: Detailed explanation of access control, encryption policies, vulnerability management, and other technical and management measures.
Business Continuity Plan: covers data backup, disaster recovery, and emergency response processes.
2. Process records
Internal Audit Report: evidence that the company regularly conducts ISMS internal audits.
Employee training records: including information security awareness training attendance sheets and assessment results.
Incident management log: records and handling reports of security incidents (such as data breaches) in the past 12 months.
3. Technical validation materials (only required for Level 2/3)
Penetration testing report: The network security penetration testing results issued by a third-party organization.
Vulnerability scan results: Regular vulnerability scan reports for critical systems such as servers and databases.
Data flow analysis diagram: explanation of the storage and transmission paths for sensitive data (such as design drawings and customer information).
4. Relevant materials of the cooperating party
Supplier Security Management Agreement: Information security constraint clauses signed with third-party service providers (such as cloud platforms and outsourcing teams).
Customer requirement document: for example, the TISAX evaluation level and scope description provided by the OEM.
(II.) Points to note
1. Document format requirements
All documents must be in English or German, and if other languages are used, official translations must be attached.
The technical report needs to be issued by a qualified third-party organization (such as a CNAS accredited laboratory).
2. Timeliness requirements
Risk assessment, penetration testing, and other reports must be generated within 6 months prior to submission.
3. Compliance focus
Ensure that the materials correspond to each item in the TISAX control catalog (VDA-ISA questionnaire) to avoid missing key control points (such as prototype vehicle data encryption and physical area isolation).
The following is the core process of TISAX certification, summarized into 5 key steps: