TISAX® Assessment

Prove your information security standards with our TISAX® assessments

Demonstrate to your stakeholders with a TISAX® assessment that you meet the high security requirements of the German Association of the Automotive Industry (VDA) and the ENX Association. As a TISAX® audit provider approved by the ENX Association, we provide you with comprehensive support for your TISAX® assessment. You can rely on our many years of experience in the automotive industry.

Do you need a TISAX® assessment for your company? Please contact us!

TISAX® at a glance

The value chains in the automotive industry are characterized by their complexity and internationality. With increasing digitalization in the end product, but also during production, the demands on companies' information security are increasing at the same time.

With TISAX® (Trusted Information Security Assessment Exchange) a practice-oriented, robust assessment has been created that can be applied to all companies involved in the automotive supply chain and beyond. Our experts will guide you through your TISAX® assessment over the phone, remotely or on-site. In just a few steps, you can show your stakeholders that sensitive data and/or prototypes are in safe hands with you.

After initial registration, companies wishing to join the TISAX® platform commission a recognized assessment service provider such as DEKRA to assess their information security. The assessment begins with a basic information security assessment and offers further optional modules such as prototype protection and data protection. This eliminates the need for special requirements from the extensive individual catalogs of the major automotive manufacturers. After a successful assessment, a TISAX® label is issued in the ENX database, which is now recognized and required by all VDA members and vehicle manufacturers such as Volkswagen, BMW and Audi. A final report showing the protection class achieved can then also be conveniently passed on to selected companies that request your TISAX® status. The results of the TISAX® assessment are valid for a period of three years.

The TISAX® assessment and exchange mechanism set up at the beginning of 2017 is based on ISA (Information Security Assessment) cataglogue requirements of the German Association of the Automotive Industry (VDA). To a large extengly it was mapped with the international standard ISO/IEC 27001. The associated online portal offers members along the entire value chain a standardized assessment of their information security status as well as an exchange with partners from the entire automotive industry. Registration in the portal is mandatory for participation in a TISAX® procedure.

As the operator of the TISAX® program, the ENX Association has defined the levels and scope of the assessments. TISAX® distinguishes between four different protection classes and assessment levels according to which a company can be assessed. The levels are based on the protection requirements of the information.

Assessment Level 1
A suppliers completes the ISA questionnaire. In case the supplier site is not audited as part of a Simplifed Group Assessment thee, no third party audit provider will check self-assessment.

Assessment Level 2
For suppliers that process confidential information and/ or have availability relevance in terms of Information Technology or Production , a remote assessment is are carried out by an approved audit provider.In Phase 1 the plausibility of the self-assessment focusing on the described processes and the supporting documents checked, afterwards in phase 2 potentially, identified ambiguities are reviewed in a remote interview.

Assessment Level 2.5
Assessment Level 2.5 comes into effect if on-site audits (s.below AL3) are not possible due to external circumstances (e.g. contact restrictions due to the COVID-19 pandemic) or if a supplier prefers a more in-depth remote assessment covering the review of all controls..If desired the supplier can upgrade the labels by performing a shortened AL3 on-site assessment, which then only covers the sctricly confidential and/or very high availability control requierement in combination with a site inspection.

Assessment level 3
For Suppliers that process stricly confidential information and/or have very high availability relevance in terms of Information Technology or Production, and in-depth, on-site assessment covering the review of all controls is carried out by an approved audit service provider based on their self-assessment.
Please note: Suppliers can also contract on-site assessments for assessment objectives that do not require such (e.g. performing an assessment for confidential information on-site).

Your trusted partner for all your information security requirements

Thanks to our many years of experience in the automotive and information security sectors, we can provide you with expert support.
We have a global presence and support you wherever you are.
With our comprehensive portfolio of more than 40 accreditations, we offer you time and cost-saving combined certifications.
In co-operation with the ENX Association, DEKRA guarantees that assessments and test results meet the highest standards of objectivity and quality.

TISAX® is a registered trademark of the ENX Association.

Frequently Asked Questions

What is an assessment level?

TISAX® distinguishes between three assessment levels (protection requirements), depending on what protection is required: normal (level 1 = self-assessment), high (level 2 = remote) and very high (level 3 = on-site). Inspection methods and efforts are determined by the established security needs.

Assessment Level 2 and 3 always involve a Third-Party Auditor. Assessment Level 1 does not except in case of a Simplified Group Audit, where a simplified check is carried out.

Is a TISAX® assessment required for supply companies and service providers?

Is the content of TISAX® analogous to ISO 27001?

Which employees are relevant to TISAX® assessment?

How long does it take to complete TISAX® assessment?

How long does it take for a company to be considered labelled?

Is there a minimum number of process and procedure documents I need to create for the TISAX® assessment?

Can DEKRA help me prepare for TISAX® assessment?

Is TISAX® only relevant for companies in the automotive industry?

What role does the ENX Association play in TISAX®?

Update: VDA Information Security Assessment (ISA) catalog version 6 now available

On April 25th, 2024, the ENX Association published the latest version of the VDA Information Security Assessment (ISA) catalog, version 6.0.3. This catalog serves as the basis for assessing the information and cyber security of organizations within the framework of TISAX®.

The extensive revision of the ISA catalog brings numerous changes and improvements. These include:

Due to the subdivision into new controls, the topics of emergency management, business continuity management and backup and disaster recovery (BDR) are gaining more room for the ISMS in the company.
The data protection catalogue has been completely revised. The leading language is now English and several translations are planned.

Productsheet TISAX

Productsheet TISAX® Assessment (PDF, 800 KB)

Management System Certification is offered by DEKRA Certification GmbH and operates independently of all training and consultancy services offered by other DEKRA units.