TISAX

Why Automotive Clients Demand TISAX® and What Suppliers Must Do About It

The ultimate guide to understanding TISAX®, who needs it, and how suppliers can prepare without the stress.

Alex Fuerst

Alex Fuerst

21 min read
Get on the Fast Track to TISAX®
Get on the Fast Track to TISAX®

Table of Contents

Introduction

 
TISAX® often appears without warning. Usually, it shows up in an email from an automotive client asking for it before a deal can move forward.

There is no explanation. Just a firm expectation. And when the research begins, it quickly leads to a maze of unfamiliar terms, complex frameworks, and very few practical answers.

This is not just frustrating. It can put business at risk. Opportunities may be delayed or lost entirely if there is no clear understanding of what TISAX® is or how to meet its requirements.

That is why clarity matters.

This article explains what TISAX® is, who actually needs it, how it compares to frameworks like ISO 27001, and what the certification process involves from start to finish. It is written to remove the guesswork so decisions can be made quickly and confidently, whether for internal planning or client negotiations.

What the heck is TISAX®?

 
TISAX stands for Trusted Information Security Assessment Exchange. It is a security assessment and exchange framework developed specifically for the automotive industry. Its main purpose is to ensure that suppliers and service providers handling sensitive information are meeting agreed standards for information security.

The TISAX framework was created by the ENX Association, a body supported by major European automotive manufacturers. It is based on ISO 27001 but tailored to the specific needs of the automotive sector, such as protecting design data, prototypes, and production information.

TISAX is not a certificate. Instead, it provides a label after a successful assessment. This label can be shared securely with partners through a central platform, which means a supplier only needs to complete one recognized assessment instead of going through repeated audits with every client.

In short, TISAX helps automotive companies trust that their suppliers are taking information security seriously. It simplifies risk management and reduces duplication of audits across the supply chain.

Who actually needs TISAX®?

 
TISAX® is aimed at companies working within the automotive supply chain that handle sensitive information. If a business is dealing with product design files, prototype data, or internal systems used by automotive clients, it is likely that a TISAX® label will be required.

This includes companies that provide:

  • Parts and components suppliers
  • Engineering or design services
  • Prototype development and testing
  • Hosting or IT infrastructure
  • Custom software or connected car services
  • Physical security where prototypes or confidential data are involved

What matters is not the size or type of the business, but the sensitivity of the information handled: It is confirmed that one OEM asked their cleaning service provider to provide a valid TISAX® label. Not because the cleaners managed any data systems, but because they had unsupervised access to prototype areas during off-hours.

The good news: you will not have to guess

TISAX® is rarely optional. If it is needed, you will be told by a client in a formal request. It is also possible that you have already committed to obtaining the TISAX® label - perhaps unknowingly - by signing a contract with an OEM, as this requirement is often included in the standard terms and conditions.

Some companies pursue TISAX® before it is requested, especially if they want to be seen as a secure and trusted partner across the automotive industry. But for most companies there is no need to self-diagnose or jump in blindly unless there is a business case to prepare ahead of time.

Understanding TISAX® Assessment Levels

 
TISAX® assessments are not one size fits all. They are divided into three assessment levels, each reflecting the sensitivity of the information being handled and the level of assurance a client requires.

The assessment level defines how deep the audit goes and who performs it.

Assessment Level 1 – Self assessment

This is the lightest level. It is based entirely on a company's answers to the VDA ISA catalogue. There is no external review.

It is rarely used because most automotive clients want independent assurance. However, it can be useful for internal benchmarking or very low risk situations.

Assessment Level 2 – Third party plausibility check

This is the most common level. A TISAX® accredited auditor reviews the company's answers to the VDA ISA catalogue for completeness and plausibility. The audit is usually done remotely, based on submitted documentation and interviews.

Level 2 is often requested when a supplier handles sensitive information but not information that would cause critical damage if exposed.

Assessment Level 3 – On site audit

This is the most detailed level. It includes an on site visit and in depth validation of how the company meets the VDA ISA requirements. Level 3 is typically required when:

  • Prototypes are being handled
  • Highly sensitive design or test data is involved
  • The client classifies the risk as very high

Level 3 requires more time, effort, and preparation than the other levels. It also demands strong documentation and mature processes.

Who decides the assessment level?

Another good news: You do not have to decide. The client does. When a company is asked to complete a TISAX® assessment, the required level will normally be specified by the client based on their risk classification.

There is no need to guess whether Level 2 is sufficient or whether Level 3 is necessary. If TISAX® is being requested, the required level will be included in the request.

Why Choosing the Right Assessment Level Matters

 
The assessment level is not just a formality. It defines how deep the audit will go, how much time it will take, and how much it will cost. Selecting the right level or questioning a requested one can save months of work and thousands of euros.

The impact of assessment levels

  • Level 1 requires only a self assessment. It is fast and inexpensive but rarely accepted by clients.
  • Level 2 adds third party validation. It is the most common level, usually remote, and strikes a balance between assurance and effort.
  • Level 3 involves an on site audit. It is the most demanding and costly option and is only necessary for very sensitive data such as prototypes.

If a supplier accepts Level 3 without questioning it, they may end up investing far more time and money than is truly needed.

The current trend

In practice, many clients now request Level 3 for all suppliers regardless of the sensitivity of the work being done. This is often driven by risk aversion and the desire for uniformity across the supply chain.

Even if this trend continues, it is still worth questioning the decision. By opening the discussion, a supplier can at least confirm whether Level 3 is being applied across the board or whether it is a targeted request. Knowing that all suppliers are being treated equally is valuable insight and prevents the sense of being singled out.

Why debating the level makes sense

Clients typically request the assessment level they believe matches their risk. However, this is not always clear cut. In some cases a supplier can demonstrate that Level 2 provides sufficient assurance for the type of data they handle.

Discussing this with the client shows a professional approach to risk management. Even if the result is that Level 3 is non negotiable, the conversation clarifies expectations, reveals how strictly it is enforced, and confirms whether the request is universal.

The risks of getting it wrong

  • Over compliance wastes resources and time
  • Under compliance risks losing the contract or damaging trust
  • Not clarifying leads to confusion, delays, and rework if the client later insists on a higher level

The bottom line

The assessment level is not just a technical detail. It shapes the entire TISAX® journey. Accepting a higher level than necessary may impress a client, but it comes at a steep cost. Questioning a Level 3 request will not always change the outcome, but it ensures transparency, helps manage effort realistically, and confirms whether all suppliers are being held to the same bar.

The Importance and the Nightmare of the VDA ISA Catalogue

 
At the centre of every TISAX® assessment is the VDA ISA catalogue. This document is the rulebook. It was created by the German Association of the Automotive Industry and sets out the specific requirements that suppliers and service providers must meet.

The catalogue is divided into modules that cover:

  • Information security
  • Prototype protection
  • Data protection

Every company undergoing TISAX® must complete this catalogue as a self assessment. It is the foundation of the audit. Auditors use it as their checklist, clients use it to compare suppliers, and suppliers use it to measure their own readiness. Without the catalogue there is no TISAX®.

Why it matters

The catalogue ensures consistency across the automotive supply chain. Instead of every manufacturer setting their own security questionnaire, the VDA ISA creates one common standard. This saves suppliers from endless one off audits and provides clients with a level playing field for comparison.

It also brings structure. The catalogue is closely aligned with ISO 27001 but tailored to the realities of automotive suppliers. That means requirements that are often overlooked in generic security standards, such as controlling access to prototype vehicles, are explicitly included.

Why it feels like a nightmare

Anyone opening the VDA ISA for the first time quickly sees why it causes anxiety. The document is long, detailed, and written in precise but often dense language.

Common pain points include:

  • The sheer number of controls to review and document
  • Repetition or overlap that can make it feel never ending
  • The expectation that every control must be addressed, even if the company is small
  • The need to provide evidence for each control, not just a yes or no answer

For many suppliers the catalogue feels less like a checklist and more like an interrogation. It requires time, patience, and often outside help to navigate.

The bottom line

The VDA ISA catalogue is both the strength and the struggle of TISAX®. It guarantees a consistent, industry specific standard but it also introduces the most work. Treating it as a gap analysis tool rather than a simple questionnaire makes it more manageable. The catalogue shows where improvements are needed and forces suppliers to document what they already do well.

Once complete, it not only prepares a company for TISAX® but also provides a solid security baseline that can support ISO 27001, SOC 2, or even CMMC in other industries.

TISAX® vs ISO 27001 vs SOC 2 vs CMMC: Why the Comparison Matters

 
When TISAX® first shows up in a client request, the instinct is often to say, "But we're already ISO 27001 certified", "We're SOC 2 compliant", or more recently, "We've just prepared for CMMC — surely that covers it?"

It's a reasonable assumption. After all, these are all information security frameworks. They all involve controls, audits, and security policies. But there's a key distinction:

TISAX® is not just about security — it's about sector-specific assurance

TISAX® is tailored specifically for the automotive industry. It was created to align the security expectations of manufacturers and suppliers across Europe. Other frameworks like ISO 27001, SOC 2, and CMMC were designed for broader use cases — and often for entirely different industries.

This is why clients may still require TISAX®, even if another certification is already in place.

Note: Some manufacturers may accept ISO 27001 certification instead of TISAX®, depending on the sensitivity of the data involved. For example, PACCAR has been known to accept ISO 27001 in certain supplier engagements — especially where the supplier's role does not involve high-risk prototype or production data.

A quick breakdown:

Framework Industry Origin Primary Audience Audit Type Purpose
TISAX® Automotive OEMs, Tier 1s, suppliers Third-party (via ENX) Supply chain trust, prototype protection
ISO 27001 Global, general-purpose All sectors Third-party (certified) Information security management systems
SOC 2 Technology (US) SaaS, cloud providers Third-party (CPA firms) Customer data handling (trust criteria)
CMMC US Department of Defense Defense suppliers Third-party (C3PAOs) Protecting Controlled Unclassified Info

Why companies compare them:

These frameworks often look similar on the surface. They all include:

  • Risk-based security controls
  • Defined maturity levels
  • Regular audit or assessment processes
  • Documentation and policy requirements

But they are not interchangeable. Each exists to satisfy a different group of buyers. TISAX® satisfies European automotive clients. CMMC satisfies US defence contracts. SOC 2 satisfies American tech buyers. ISO 27001 is global and foundational, but not industry-specific.

Do other certifications still help?

Yes — significantly. If a company already has ISO 27001 or SOC 2, the groundwork for TISAX® is often already in place. CMMC in particular shares the concept of maturity levels, which can make adapting to TISAX® more intuitive.

However, clients will still expect the TISAX® label because it speaks their language. It removes ambiguity and shows that a supplier is aligned with the specific security expectations of the automotive sector.

The TISAX® Process in Plain English

 
Once a client requests TISAX®, the obvious next question is: what do we actually have to do?
On paper, the process is clear and structured. In reality, suppliers often discover it is more complex and full of pitfalls that can delay or derail the audit.

The official TISAX® process

Register with the ENX platform
TISAX® is managed by the ENX Association, and all assessments are coordinated through their online platform. Registration includes selecting the assessment scope, which defines which sites or services will be evaluated, and confirming the assessment level required by the client. At this stage, the company also chooses a TISAX® accredited audit provider, known as a testing service provider.

Complete the self assessment
The company completes a self assessment using the VDA ISA catalogue, a set of controls aligned with ISO 27001 but tailored to the automotive sector. It covers information security, prototype protection if relevant, and data protection if applicable. The self assessment works as a gap analysis that shows what is already in place and where improvements are needed before the external audit.

Undergo the audit
Depending on the assessment level, the audit is either remote at Level 2 or on site at Level 3. The auditor reviews documentation, interviews staff, and evaluates how the company meets the VDA ISA requirements. The focus is on whether controls are effective and proportionate to risk, not on perfection.

Receive the report and label
If the audit is successful, the auditor submits the results to ENX. The company receives a TISAX® label, which can then be shared with authorised clients. The label is valid for three years, provided the scope or risk does not change.

Share results through the exchange platform
TISAX® labels are not public certificates. Instead, they are shared selectively via the TISAX® Exchange platform. This allows one assessment to satisfy many clients, avoiding repeated audits.

What reality looks like

While the official process sounds simple, suppliers often face a very different reality:

Scope inflation
Clients sometimes insist on including all sites in the assessment, even if only one location actually handles sensitive data. This significantly increases cost and complexity.

Example: A mid sized logistics provider was asked to certify every branch in Europe, even though only one facility stored prototype vehicles. After negotiation, the scope was reduced — saving them months of work.

Overwhelming self assessments
The VDA ISA catalogue is long and detailed. Smaller suppliers often struggle to interpret the requirements, leading to incomplete or inconsistent answers.

Example: A software start up tried to complete the catalogue in a week. Their responses lacked evidence, and the auditor flagged half the items as "not sufficient," causing delays and rework.

Audits that go deeper than expected
Even at Level 2, auditors may request detailed documentation such as logs, access records, or HR policies. Level 3 audits often resemble a full ISO 27001 certification in practice.

Example: An IT services company thought a Level 2 audit would be a "light check." Instead, they faced multiple interview sessions and had to provide system screenshots and policy updates on short notice.

One label is not always enough
In theory, clients should accept the TISAX® label via the ENX platform. In practice, some still send additional questionnaires or demand extra evidence.

Example: A supplier proudly shared their new TISAX® label, only to receive a 50 question security checklist from a client a week later. The client insisted it was "internal policy."

Pitfalls to avoid

  • Failing to clarify scope with the client at the start
  • Treating the self assessment as a box ticking exercise instead of a serious review
  • Assuming auditors will only check documentation without requesting evidence
  • Believing that once the label is earned, no further questions will come from clients

The bottom line

The official TISAX® process is structured and logical. But the reality is often more demanding and full of traps for the unprepared. Success depends on treating the self assessment seriously, negotiating scope carefully, and preparing for extra scrutiny even after the label is awarded.

Should You DIY or Hire Help?

 
TISAX® assessments can be managed internally, but that does not always mean they should be. The right choice depends on the team's experience, resources, and scope of the audit.

Do you need external help at all?

Start with three simple yes or no questions:

  1. Do you already have experience with ISO 27001 or similar security frameworks?
  2. Do you have someone who can dedicate significant time to managing the TISAX® process?
  3. Do you already have clear, up to date documentation for policies, access controls, and risk assessments?

If you answer "yes" to all three, you may be able to complete the assessment internally. If you answer "no" to one or more, outside support is likely to make the process smoother.

How much external help do you need?

If you do need support, the next step is to decide the scale of it. These questions can guide you:

  1. Do you only need someone to occasionally review your work and clarify requirements? If yes, some advice here and there may be enough.

  2. Do you need a partner to check your documentation regularly and keep the project moving on schedule? If yes, regular advice will likely be helpful.

  3. Do you lack the internal resources to manage documentation, preparation, and the audit process at all? If yes, full support is the best option.

The bottom line

Some companies can manage TISAX® on their own, others benefit from outside support. The key is to assess your capacity honestly and weigh whether external help will save more time and reduce more risk than it adds in cost.

Choosing the Right TISAX® Support

 
If you decide to seek external support, the next challenge is deciding what kind of help is actually needed. Not all providers offer the same services, and not every supplier needs the same level of guidance.

Light-touch advisory

This option provides occasional check-ins and feedback. It works best for suppliers who already have good internal resources but want reassurance that they are interpreting requirements correctly. Advisors may review documentation, answer specific questions, or run short workshops.

  • When it fits: Smaller assessments at Level 2, experienced teams, or companies with ISO 27001 already in place.
  • Risk: Progress depends on internal discipline. Without someone internally driving the process, gaps may remain unnoticed until late.

Regular coaching and project support

Here, an external partner works alongside the team throughout the project. They help plan tasks, review documents regularly, and keep momentum going. This strikes a balance between guidance and independence.

  • When it fits: Teams with some experience but limited time, or when the scope is larger and deadlines are fixed.
  • Risk: Costs more than light-touch advisory but still requires strong internal ownership.

Full-service support

In this model, a consultant or provider takes the lead role. They manage documentation, prepare evidence, and coordinate with auditors. Internal staff are still involved but the heavy lifting is outsourced.

  • When it fits: Level 3 audits, suppliers with no audit experience, or companies where internal resources are already stretched.
  • Risk: Can be expensive and may reduce internal learning if the supplier relies completely on outsiders.

The bottom line

External help is not one-size-fits-all. The right option depends on the scope of the assessment, the client deadline, and the maturity of the company's security processes. Some suppliers only need a second pair of eyes, others need a steady partner, and some need a hands-on lead to guide them through the entire process.

Key Considerations When Engaging External Help

 
Choosing the type of support is only the first step. The next challenge is deciding who to work with and how to structure that relationship. Not all external providers bring the same value, and selecting poorly can waste both time and money.

What to consider before committing

Industry experience
Has the provider worked with automotive suppliers before? TISAX® has industry-specific requirements that differ from generic ISO or SOC audits. Someone with direct automotive experience will understand the practical expectations of clients and auditors.

Familiarity with the VDA ISA catalogue
The catalogue is the backbone of TISAX®. Make sure the advisor knows it inside out. A consultant who only applies ISO 27001 principles without adapting them to the automotive context may overlook critical areas such as prototype protection.

Flexibility of approach
Does the provider adapt to your scope and level, or do they offer the same package to every client? A small software company should not be sold the same service as a multinational supplier.

Transparency of costs
Ask for clear estimates and understand how fees are calculated. Some providers charge by the day, others by project milestones, or offer a fixed TISAX® project price. Knowing this upfront prevents unpleasant surprises.

Balance between support and independence
The best advisors guide and coach, but they do not take away ownership. Full outsourcing may sound attractive, but it can leave you dependent on outsiders for future renewals or updates.

The bottom line

External support can be a valuable accelerator, but only if chosen wisely. Look for partners who understand TISAX® in practice, not just in theory, and who can tailor their approach to your needs. The right choice will provide clarity and momentum, while the wrong one can add confusion and cost.

Using Technology to Make TISAX® Easier

 
TISAX® is heavy on documentation, access controls, evidence collection, and task tracking. Managed manually, it can quickly spiral into a mess of spreadsheets, shared folders, and endless email threads. That is why many suppliers look to technology solutions to bring structure and efficiency to the process.

TISAX® does not prescribe any specific tools, but using the right ones can reduce friction, increase visibility, and prevent costly delays.

Where technology can help

1. Policy and document management
Centralising policies, approvals, and version history prevents confusion and helps demonstrate control during audits. Some platforms even include automated workflows to track updates.

2. Risk assessments and asset tracking
Spreadsheets may work at first, but they are prone to errors and become unwieldy as complexity grows. Tools with automated risk scoring, linked asset registers, and history tracking make the process far more reliable.

3. Audit readiness and evidence gathering
Auditors want proof that controls are not just written down but actually working. Solutions that collect logs, automate access reviews, or track changes can provide the necessary evidence with minimal manual effort.

4. Task management and accountability
Compliance is a team effort. Platforms that assign actions, track progress, and send reminders ensure nothing slips through the cracks. Even simple project management tools can make a big difference.

Examples of technology in practice

  • ISEGRIM X (IX) provides an AI-driven platform designed specifically for TISAX®. It is fully aligned with the VDA ISA catalogue and guides companies step by step through preparation. It also integrates with other compliance automation platforms such as Drata, Vanta, Secureframe, and Strike Graph.

  • Strike Graph provides a broader compliance automation platform that supports multiple frameworks, including ISO 27001 and SOC 2. For suppliers handling multiple client requirements, a tool like this can streamline overlapping controls while also supporting the TISAX® journey.

What to avoid

  • Overengineering the solution. Implementing a large scale GRC platform for a single site Level 2 assessment is like renting a crane to hang a picture frame.

  • Relying entirely on tools to "do" compliance. Software supports the process but cannot replace people following it.

  • Introducing new systems mid assessment. Changing platforms halfway through often results in lost evidence and delays. Whatever system is chosen, stick with it until the process is complete.

Understanding the TISAX® Timeline

 
One of the first questions suppliers ask when faced with TISAX® is: How long will this take? The answer is that it depends — not only on the official process, but also on how prepared the company is and how clients or auditors handle requests.

The Official Timeline

In theory, the TISAX® journey looks straightforward:

  • Registration with the ENX platform can be done in a few days
  • Self assessment using the VDA ISA catalogue typically takes several weeks
  • Audit is scheduled, completed, and reported within two to three months
  • Label issuance follows within a few weeks after the audit report is finalised

Altogether, the official process can be completed in three to six months if everything goes smoothly... in theory.

What Reality Looks Like

The reality is that everything never goes smoothly. For many suppliers, the real timeline is longer. Delays often occur at key points:

Preparation before the self assessment
Companies without clear documentation often need months to put policies, controls, and evidence in place.

Processes need to be implemented and followed
Writing processes is straightforward, but ensuring that people consistently follow them in daily work requires cultural change, training, and accountability. Sometimes companies think they can outsmart auditors by providing perfect documentation without following the processes. Please don't fall into that trap. Auditors are very clever and will find out if companies only provide "lip service". Always.

Audit scheduling
Accredited auditors are in high demand, and some are booked out for months. Waiting for an available slot can significantly extend the process.

Corrective actions
If gaps are found during the audit, suppliers may be asked to fix them before the label is issued. This can add weeks or even months, depending on the changes required.

Client-driven pressure
Sometimes clients set deadlines that are shorter than what is realistically achievable. This creates stress and can lead to rushed or incomplete preparation.

As a result, many suppliers find the actual timeline stretches to nine to 12 months, and in larger or more complex organisations it can take over a year.

How to Shorten the Timeline

  • Start preparation early, ideally before a client makes a formal request
  • Assign a dedicated internal lead to manage the process
  • Clarify the scope with the client upfront to avoid rework later
  • Use technology or external advisors to accelerate documentation and evidence collection

The Bottom Line

Officially, TISAX® can be achieved in a few months. In practice, the typical TISAX® project takes at least 9 months once preparation, scheduling, and corrective actions are factored in.

Understanding the Costs of TISAX®

 
A common question from suppliers is: How much will TISAX® cost us? While the total depends on scope, assessment level, and preparation, two costs are unavoidable. Every company must pay the ENX registration fee and the audit costs. Everything else — from preparation to consulting or technology platforms — will vary.

The Unavoidable Costs

ENX Portal Registration

  • Cost: Between €405 and €475 (about $500 to $600)
  • Structure: One-time fee per site, per scope, or per company depending on the model
  • Note: Always required, and usually the smallest line item in the budget

Audit Costs

  • Single site: Expect between €5,000 and €10,000 (about $6,000 to $11,000)
  • Additional factors: Costs increase with additional sites, broader scope, or higher assessment levels
  • Note: These are the minimal costs that no supplier can avoid

Further Costs That Vary

  • Internal preparation: Staff time for writing policies, creating evidence, and implementing missing processes
  • External support: From light advisory to full consulting, ranging from a few thousand euros upwards depending on scope and deadlines
  • Technology platforms: Optional but useful for structuring documentation, evidence, and task management

The Hidden Costs

Beyond the visible fees, there are costs that are harder to plan for but can add up quickly:

  • Staff time: Key employees spend weeks or months preparing documentation, often on top of their regular work
  • Productivity loss: Day-to-day operations may slow down while teams focus on the assessment
  • Process implementation: New security controls, tools, or processes may need to be introduced to meet TISAX® requirements
  • Corrective actions: If the auditor finds gaps, fixing them can involve additional investment and delay label issuance
  • Maintenance: The TISAX® label is valid for three years, but controls must be maintained continuously. This requires ongoing time and sometimes recurring costs

The Bottom Line

The minimum budget for TISAX® starts with around €5,500 to €11,000 (about $6,000 to $12,000) for ENX registration and for a single-site audit. From there, costs rise depending on scope, assessment level, and preparation. The real expense often lies not in the registration or audit, but in the hidden internal work and the ongoing effort needed to stay compliant once the label is earned.

Making TISAX® Work for You

 
TISAX® often starts as a box to tick. A requirement buried in a contract. A hurdle between today and a new client. But when done right, it becomes more than just compliance — it becomes a way to build trust, reduce friction, and compete in a highly selective supply chain.

Yes, the process can feel bureaucratic at times. Yes, the documentation can be tedious. But underneath it all is a simple idea: clients want to know their sensitive information is safe in your hands. TISAX® gives them confidence and gives you credibility.

TISAX® is not just about passing once

Once a label is issued, it lasts for three years. But security maturity continues. Many companies use their TISAX® preparation as a starting point to build better habits, formalise processes, and create clarity across teams.

Those benefits stick around long after the audit is done.

And when the next client comes knocking, asking about data protection or prototype security, having a TISAX® label on hand changes the conversation. It moves things forward. It removes uncertainty. It shows you're serious.

Ready to tackle TISAX® with confidence? The journey may seem daunting, but with the right approach and preparation, it becomes a valuable investment in your company's security posture and competitive advantage in the automotive supply chain.

Read more