
If you manufacture parts for BMW, supply software to Volkswagen, or handle prototype data for Mercedes-Benz, there's a three-word phrase that controls your revenue: TiSAX assessment label. Without one, you don't get the contract. It's that simple.
TiSAX (Trusted Information Security Assessment Exchange) is the automotive industry's standardized framework for evaluating information security across the supply chain. Created by the German Association of the Automotive Industry (VDA) and managed by the ENX Association, it's evolved from a European niche requirement into a global prerequisite for automotive suppliers.
As of December 2025, over 20,000 locations worldwide hold a valid TISAX label — and that number is growing fast. Here's everything you need to know to get yours.
> WHAT IS TISAX AND WHY DOES IT MATTER
Before TiSAX, every OEM ran its own supplier security assessments. BMW had one questionnaire, Volkswagen had another, and Daimler had a third. Suppliers answering to multiple OEMs were drowning in redundant audits — same questions, different formats, different timelines.
QUEST ACCEPTED: Imagine you're a Tier 1 supplier providing brake control modules to five German OEMs. Before TiSAX, that meant five separate security assessments every year. Five audit teams. Five reports. Five sets of findings to remediate. TiSAX replaced all of that with a single assessment that every participating OEM accepts.
The VDA launched TiSAX in 2017 to solve this. The framework provides a standardized assessment mechanism built on the VDA Information Security Assessment (ISA) catalog — which itself is based on ISO 27001 but adds automotive-specific requirements for prototype protection, connected vehicle data, and supply chain integrity.
TiSAX by the Numbers
What makes TiSAX unique is the exchange mechanism. Once you complete your assessment, the results are shared via the ENX portal with authorized partner organizations. Your OEM customers can view your assessment results without you having to send reports, answer questionnaires, or sit through another audit. One assessment, many consumers.
TiSAX is now the second most widely adopted information security standard globally. If you're in the automotive supply chain, it's not optional — it's table stakes.
Actionable takeaway: If any of your customers are German OEMs (BMW, VW, Mercedes-Benz, Audi, Porsche) or their Tier 1 suppliers, check your contracts for TiSAX requirements. Many OEMs now mandate it for any supplier handling sensitive information, not just IT vendors.
> TISAX ASSESSMENT LEVELS DECODED
TiSAX uses three assessment levels with increasing rigor. The level you need depends on the sensitivity of data you handle and what your OEM customer requires. Getting this right upfront saves months of wasted effort.
TiSAX Assessment Levels
Assessment Level 1 (AL 1) — Self-Assessment
AL 1 is an internal self-evaluation using the VDA ISA catalog. You assess your own controls, document findings, and keep the results internally. There is no external audit and no TISAX label is issued. Think of it as a readiness check.
Assessment Level 2 (AL 2) — Remote Audit
AL 2 adds external verification. An accredited TISAX audit provider reviews your self-assessment documentation remotely, verifies that controls and processes are in place, and conducts interviews via video conference. Suitable for suppliers handling data with high protection needs.
Assessment Level 3 (AL 3) — On-Site Audit
AL 3 is the full inspection. An accredited audit provider comes to your facility, reviews documentation, interviews staff, and physically inspects security controls. Required for suppliers handling data with very high protection needs — think prototype designs, ADAS algorithms, or connected vehicle data.
Actionable takeaway: Confirm with your OEM customer exactly which assessment level and objectives they require before engaging an audit provider. Over-scoping wastes budget; under-scoping means doing it twice.
> VDA ISA 6.0: WHAT CHANGED AND WHY IT MATTERS
The VDA published ISA Catalog version 6.0 in October 2023, and it became mandatory for all new TISAX assessments from April 1, 2024. If you're being assessed today, you're on 6.0 — there is no option to use older versions.
All TISAX assessments are now conducted under VDA ISA 6.0. If your ISMS documentation references an older version, you need to update before your next assessment cycle.
Here are the changes that matter most:

Actionable takeaway: Download the ISA 6.0 catalog from the ENX portal and compare it against your current ISMS documentation. Pay special attention to Control 1.3.4 (Software Approval) and the new availability requirements — these are the areas where most organizations have gaps.
> TISAX VS ISO 27001: WHICH DO YOU NEED
This is the question every automotive supplier asks: do I need TiSAX, ISO 27001, or both? The answer depends entirely on who you sell to.
Framework Comparison
Key Differences at a Glance
If you already hold ISO 27001 certification, you have a significant head start on TiSAX. The ISA 6.0 catalog explicitly cross-references ISO 27001:2022 controls, so your existing ISMS documentation, risk assessments, and control implementations carry over. You'll primarily need to layer on the automotive-specific requirements: prototype protection, connected vehicle data handling, and the VDA maturity scoring model.
Companies that are already TISAX-compliant are in a strong position to adopt mandatory EU directives like NIS 2.
Actionable takeaway: Map your existing ISO 27001 controls to the ISA 6.0 catalog. Focus your gap remediation on the delta: prototype protection, OT security, software approval processes, and the TiSAX-specific maturity scoring requirements.
> THE TISAX CERTIFICATION ROADMAP
A typical TiSAX journey takes 3 to 6 months depending on your starting maturity and the scope of assessment. Here's the phase-by-phase breakdown.
Phase 1: Scoping & Gap Assessment (Weeks 1–3)
Phase 2: Remediation (Weeks 4–12)
Phase 3: Internal Audit & Readiness Check (Weeks 13–14)
Phase 4: Formal Assessment (Weeks 15–18)
CHECKPOINT SAVED. The most common reason TiSAX assessments stall is documentation debt. You may have strong technical controls but weak evidence. Start collecting screenshots, configuration exports, and process documentation from day one — not the week before the auditor arrives.
Actionable takeaway: Build a 3-month sprint plan with weekly milestones. Assign a TiSAX project lead with authority to drive cross-functional remediation. The biggest delays come from unclear ownership, not technical complexity.
> BEYOND AUTOMOTIVE: WHERE TISAX IS HEADING
TiSAX started as an automotive standard, but its influence is expanding. Organizations in aerospace, rail manufacturing, energy, and defense are adopting TiSAX principles to secure their own supply chains. The assessment-and-exchange model — where one evaluation serves multiple customers — solves a universal problem.
The assessment-and-exchange model solves a universal supply chain problem. Expect TiSAX principles to influence security assessment frameworks well beyond automotive.
For suppliers already on the TiSAX journey, this expansion is good news. Your investment in compliance doesn't just unlock automotive contracts — it positions you for adjacent industries that are adopting the same trust model. And with the continuous compliance approach, maintaining your label becomes an ongoing operational discipline rather than a triennial scramble.
Actionable takeaway: If you're building your ISMS for TiSAX, design it to be framework-extensible. Use the ISA 6.0 cross-references to ISO 27001 and NIST CSF as a foundation that supports multiple compliance targets simultaneously. One ISMS, many frameworks.
The Illumenati // Boutique GRC for the AI-First Era // illumen.io
> SOURCES
- [01]Welcome to TISAX - ENX Association— ENX Portal
- [02]TISAX Certification: Automotive Information Security— DNV
- [03]VDA ISA Catalog 6.0 Overview— VDA ISA Berater
- [04]ISA Catalog 6.0: TISAX Update— DQS Global
- [05]TISAX vs ISO 27001: Similarities, Differences, Mappings— Strike Graph
- [06]TISAX Deep Dive: The Three Assessment Levels— CIS
- [07]Security Maturity: What TISAX 2025 Requirements Say About Trust— DQS Global
- [08]What is TISAX Certification? Everything You Need to Know— Secureframe
- [09]VDA Information Security— VDA
- [10]TISAX Controls and Changes in Version 6 of ISA— Omnex


