TISAX

What is TISAX?

TISAX (Trusted Information Security Assessment Exchange) is a common assessment and exchange standard for information security in the automotive industry. It was initiated by the German Association of the Automotive Industry (VDA) and is operated by the ENX Association. The VDA-ISA assessment catalogue builds on the international ISO/IEC 27001 standard but adds industry-specific requirements such as prototype protection and enhanced data protection.

The key benefit of TISAX is mutual recognition: a TISAX label, once obtained, is shared across the TISAX network and recognised by all participants, such as Volkswagen, BMW or Mercedes-Benz. Suppliers and service providers therefore do not need to prove their information security separately for each customer. For many companies, a TISAX label is consequently a mandatory prerequisite for working with automotive manufacturers.

TISAX Assessment Levels: AL2 and AL3

TISAX assessments are carried out at different assessment levels (AL) based on the protection needs of the information processed:

  • AL2 (high protection needs): evaluated mainly via a self-assessment and an audit interview (typically a plausibility check, often remote).
  • AL3 (very high protection needs): the highest level requires a full on-site audit. AL3 is mandatory when particularly sensitive data, strictly confidential information or prototypes are processed.

SCHUTZWERK is itself assessed at Assessment Level 3, covering the Strictly Confidential, Proto Parts and Data labels at both the Ulm and Hamburg sites. We therefore know the process from first-hand experience.

How does a TISAX assessment work?

  1. Registration in the ENX Portal and definition of the scope, required labels and assessment level.
  2. Establishing or optimising an Information Security Management System (ISMS) and completing the VDA-ISA self-assessment.
  3. Audit by an accredited assessment provider (e.g. TÜV or DEKRA) that evaluates the company against the VDA-ISA catalogue.
  4. TISAX label, which documents the level achieved and is generally valid for three years before recertification is required.

Important: TISAX labels are issued exclusively by ENX-accredited assessment providers. SCHUTZWERK is not an accredited assessment provider and does not issue TISAX labels itself. We prepare your company for the assessment and test your technical security measures so that you pass the audit with confidence.

Objective

Support in preparing for a TISAX assessment through gap analysis against the VDA-ISA catalogue, ISMS development and technical security testing


Question

How do we effectively prepare for a TISAX assessment (AL2/AL3)?


Scope

Automotive suppliers, service providers and manufacturers with TISAX requirements

TISAX readiness with SCHUTZWERK

As a company assessed at AL3 ourselves, we support you with a hands-on path to your TISAX label. A typical readiness project comprises four building blocks that we offer together, or individually:

  1. Scope and label determination: defining the relevant assessment level (AL2/AL3) and the required labels (e.g. Strictly Confidential, Proto Parts, Data) and supporting the ENX registration.
  2. Gap analysis against the VDA-ISA catalogue: comparing your existing information security with the TISAX requirements, including prototype and data protection, and deriving a concrete action plan.
  3. Building and optimising your ISMS: establishing an Information Security Management System based on ISO/IEC 27001 as the foundation for the assessment.
  4. Technical hardening: validating the implemented measures through penetration testing as well as embedded and automotive security assessments that substantiate the organisational measures, particularly where prototype protection and connected vehicle components are concerned.

This closes the gap between pure certification logic and the actual technical security of your products and infrastructure.

Frequently asked questions about TISAX

TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange standard for information security in the automotive industry, initiated by the VDA and operated by the ENX Association. Its VDA-ISA catalogue builds on ISO 27001 and adds industry-specific requirements such as prototype protection.
AL3 (Assessment Level 3) is the highest TISAX level, for information with very high protection needs. It requires a full on-site audit and is mandatory when strictly confidential information or prototypes are processed. SCHUTZWERK is assessed at Assessment Level 3.
AL2 (high protection needs) is assessed mainly through a self-assessment and an audit interview, often remote. AL3 (very high protection needs) additionally requires a full on-site audit and applies to particularly sensitive data and to prototype protection.
A TISAX label is generally a mandatory prerequisite for suppliers, service providers and software developers that work with automotive manufacturers and process sensitive information, prototypes or personal data in the process.
TISAX builds on ISO 27001 but is tailored to the automotive industry. The VDA-ISA catalogue extends ISO 27001 with requirements for prototype protection and data protection and adds, through the ENX network, mutual recognition of results between participants.
After a successful assessment, a TISAX label is generally valid for three years. Recertification is required afterwards.
No. TISAX labels are issued exclusively by ENX-accredited assessment providers (e.g. TÜV or DEKRA). SCHUTZWERK prepares your company for the assessment (with gap analysis, ISMS development and technical security testing) and is itself assessed at TISAX AL3.

Our services

Automotive Security Assessment

Security testing of connected vehicle components and systems, relevant wherever TISAX prototype protection and vehicle security meet.

Embedded Security Assessment

In-depth hardware and firmware security analysis in our specialised laboratory for IoT and embedded systems.

Penetration Testing

Technical validation of the implemented security measures to harden TISAX-relevant systems and processes.

Information Security Management System (ISMS)

Building and running an ISMS to ISO/IEC 27001 as the organisational foundation for the TISAX assessment.

Why SCHUTZWERK?

  • First-hand AL3 experience since 2022: SCHUTZWERK has been TISAX-certified since 2022 (renewed in 2025) and has completed the AL3 process itself at two sites. We know the requirements and the associated practical challenges (SCHUTZWERK TISAX results).
  • Automotive and embedded specialisation: deep expertise exactly where TISAX and prototype protection apply.
  • Proven quality: SCHUTZWERK is certified to ISO 27001, ISO 9001 and TISAX AL3 and is an accredited CVE Numbering Authority (CNA).

Are you planning a TISAX certification, or do you want to strengthen your information security for the automotive environment? In a free initial consultation we clarify your scope and the next steps.
