
TISAX is the trusted information security assessment standard for the automotive industry. This checklist guides you through the ENX registration process, VDA ISA self-assessment, control implementation, and achieving your TISAX label from an approved audit provider.
TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange mechanism for information security in the automotive industry, established by the German Association of the Automotive Industry (VDA).
TISAX provides a standardized approach to information security assessments based on the VDA Information Security Assessment (ISA) catalog, which is derived from the ISO/IEC 27001 standard but tailored specifically for the automotive industry.
The primary goal of TISAX is to ensure mutual recognition of information security assessments among participants in the automotive industry, reducing redundant assessments and establishing a common security level across the supply chain.
Assessment Levels
Catalog
Validity
Click each step to expand the details. Work through them in order — each step builds on the previous one.
Understand which assessment level your partners require
TISAX defines three assessment levels with increasing rigor. Assessment Level 1 (AL 1) is a self-assessment only. AL 2 includes a plausibility check by an auditor. AL 3 is a comprehensive on-site assessment. Your OEM partners will specify which level they require, with AL 3 being the most common for suppliers handling confidential data.
Create your participant account on the ENX platform
The ENX portal is the central platform for TISAX registration, assessment management, and result sharing. Registration initiates the formal TISAX process and gives you access to select an approved audit provider and manage your assessment lifecycle.
Choose an ENX-approved audit provider for your assessment
TISAX assessments must be conducted by audit providers approved by the ENX Association. Select a provider with experience in your industry segment and the capacity to conduct the assessment within your desired timeline.
Evaluate your current state against the VDA ISA catalog
The VDA Information Security Assessment (ISA) is the criteria catalog used for TISAX assessments. Conduct a thorough self-assessment against all applicable ISA criteria to understand your current maturity level and identify gaps that need remediation.
Close gaps and achieve target maturity levels
Implement the controls and improvements identified in your self-assessment gap analysis. The VDA ISA uses a maturity model where most controls require at least Level 3 (established process) to pass the assessment. Focus remediation on the highest-risk gaps first.
Organize evidence and brief your team
With controls implemented and gaps remediated, prepare your organization for the external assessment. This includes organizing evidence, briefing staff who will participate in interviews, and ensuring your documentation is complete and current.
Undergo the formal assessment by your ENX-approved audit provider
The formal TISAX assessment evaluates your information security posture against the VDA ISA criteria. For AL 3, this includes an on-site audit with documentation review, staff interviews, and physical inspections. The assessor scores each control and produces a formal assessment report.
Receive your TISAX label and share with partners
Once the assessment is complete and any major findings are resolved, your TISAX labels are published on the ENX portal. You can then share your results with OEM partners and other organizations through the portal's controlled sharing mechanism. Labels are valid for three years.
Feeling overwhelmed? You don't have to do this alone.
Transparent cost ranges so you can plan and budget. Costs vary based on organization size, current security posture, and environment complexity.
Including preparation, tooling, and assessment fees
Depending on current maturity and scope
Independent verification of your compliance
Compliance management and evidence collection tools
SIEM, EDR, vulnerability scanning, encryption tools
Hundreds of hours across IT, security, and leadership
Annual reviews, continuous monitoring, recertification
The cost of non-compliance far exceeds the investment in getting certified. Consider what's at stake:
The question isn't whether you can afford compliance — it's whether you can afford not to have it.

Illumen specializes in helping organizations achieve TISAX compliance — from initial assessment through certification. We meet you wherever you are in the journey.
Know exactly where you stand against requirements
Close gaps with expert guidance and support
Policies, procedures, and evidence packages
Common questions about TISAX compliance and certification.