TISAX Automotive Security Framework and Assessment Process

Introduction to TISAX and ParkinsonHowe: TISAX certification ensures strong data security for auto companies. Partner with ParkinsonHowe for TISAX. Benefit from our experience for an efficient certification journey.

Initial Consultation and Scope of Assessment: Begin by contacting ParkinsonHowe. Talk about your operations and security. Define what the assessment will cover. Adapt the process to your needs.

Documentation and Gap Analysis: Collect policies, procedures, and technical details. ParkinsonHowe will undertake a gap analysis, finding deviations from TISAX. Make a plan to fill gaps and boost security.


Remediation and Action Plan: Work on an action plan using gap analysis. Make changes guided by ParkinsonHowe for TISAX compliance. Our experts help you throughout.

Assessment and Certification: ParkinsonHowe carefully reviews your documentation and practices. Once everything is in order, you achieve TISAX certification with our guidance; readiness comes through teamwork and adherence to the requirements.

Ongoing Compliance and Continuous Improvement: Stay up to date with TISAX requirements after certification. ParkinsonHowe assists with updates, best practices, and regular checks so you stay secure and competitive in the automotive sector.

TISAX Automotive Security Solutions


Scoping or merging your Tisax security system

One of the areas we work with businesses on is correctly scoping your Tisax security management system, because the scope can change over time.


Tisax Gap Analysis and Report

Our Tisax security gap analysis assesses your organisation against the security standard you request and determines whether your current performance meets the desired and expected level.


Implementing TISAX Requirements

We have the ability and knowledge to deliver the most cost-effective and certifiable Tisax implementation to meet your needs.


Tisax Internal Audits

We work and audit for a number of certification bodies and therefore are best placed and competent to conduct a Tisax internal audit.


Tisax Information Security Policy Development

Our seasoned consultants will collaborate with your organisation to design and implement comprehensive policies tailored to your TISAX business needs.


Tisax Continuous Compliance Monitoring

For Tisax, we will conduct monitoring audits annually to ensure that your security system is operational and maintained.

Trusted Automotive Security Case Studies

Samuelson Wylie Associates Case Study


Samuelson Wylie Associates (SWA) is a UK-based marketing agency that specializes in creating engaging content, events, and experiences for clients in the automotive industry.

Gestamp Case Study


Gestamp Tallent Limited is a UK-based engineering company that provides design, manufacturing, and assembly services for automotive chassis and body-in-white components to various automotive Original Equipment Manufacturers (OEMs).

NIDEC Case Study


Nidec is a Japanese multinational company that produces electric motors, components, and solutions for various industries, including automotive, home appliances, and industrial automation.


TISAX Automotive Security Questions and Answers

What is TISAX®?

The purpose and scope of TISAX are to have a common assessment and exchange mechanism across the supply chain—from component manufacturers to media relations.

TISAX was developed by VDA (German Association of the Automotive Industry).

TISAX is a European automotive industry-standard information security assessment (ISA) catalogue based on critical aspects of information security, such as data protection and connection to third parties.

TISAX combines the Information Security Assessment (ISA) catalogue of the German Verband der Automobilindustrie e. V. (abbreviated: VDA) with Annex A (the control set) of ISO/IEC 27001 and some privacy requirements.

This VDA-ISA catalogue has existed for more than ten years now and has been used by many global automotive companies.

What or who are ENX?

The ENX network collaborates with companies representing the European automotive industry to address and develop secure exchange methods for critical development, purchasing, and production control data used by more than 1,000 companies in over 40 countries.

Since 2000, the ENX network has served as a private Internet service for the automotive industry.

The current version of the ISA standard was released in 2020.

What are the TISAX Assessment Levels?

AL1 - A self-assessment confirming that the controls have been implemented and that the VDA ISA catalogue has been followed; the evidence is submitted for validation and a completeness check may also be performed.

AL2 - Typically a remote audit and a detailed review of the self-assessment, including sampling of evidence that the VDA ISA catalogue has been followed. One purpose of this review is to verify and substantiate your self-assessment on the basis of the documents and evidence provided.

AL3 - An on-site audit and a complete check of the VDA ISA catalogue and self-assessment, including evidence and interviews with control owners.

How does the TISAX process begin?

The TISAX process usually starts with one of your partners requesting you prove a defined level of information security management according to the "VDA Information Security Assessment" (VDA ISA). To comply with that request, you must complete the 3-step TISAX process.

Step 1 - Registration - After contacting one of your partners, your business registers to become a TISAX participant.

Step 2 - Assessment - We will ensure that your information security management system (ISMS) is at its best before the TISAX certification auditor assessment takes place.

Step 3 - Exchange - You share your assessment result with your partner.

How much does TISAX consultancy cost?

The cost will depend on the size of your company, the classified information held and, ultimately, the TISAX scope that is defined. For most small companies a single scope covering a single location is a relatively easy task. All of these points will be covered during a planning meeting, with costs agreed at that point.

The question whether to have just one scope or several scopes is one that only you can answer. But we can help you decide on the options available.

Provided the TISAX certification assessment has not been completed, your business can still re-evaluate the scope and make changes.

What is the TISAX® Assessment Order Process?

The TISAX (Trusted Information Security Assessment Exchange) Assessment Order Process is a step-by-step way that companies follow to ask for and go through security assessments according to the TISAX framework. TISAX is important in the car industry and helps make sure that sensitive information is kept safe when shared among companies.

The Process in Simple Steps

  • Getting Started:

    • Companies realize they need a TISAX assessment, often because a car industry partner or customer asks for it.
    • They decide what parts of their systems and places need to be looked at.
  • Choosing Who Checks:

    • Companies pick a recognized TISAX assessment provider from the approved list.
    • These providers can do TISAX assessments.
  • Making the Request:

    • Companies formally ask the assessment provider to do the assessment.
    • They say when they want it done and what they want checked.
  • Getting Ready:

    • Before the assessment, companies make sure they follow TISAX rules.
    • They organize documents and evidence to show how they keep things secure.
  • Checking Things On-Site:

    • The assessment provider visits the company's places.
    • They look at how the company keeps things secure and follows TISAX rules.
  • The Report:

    • After checking, the assessment provider makes a report.
    • This report talks about what they found, risks they see, and what follows TISAX rules and what doesn't.
  • Fixing Problems:

    • The company reads the report and works with the provider to understand what needs fixing.
    • If there are problems, the company makes plans to fix them.
  • Double-Checking:

    • Sometimes, the company needs a second check to make sure they fixed things.
  • Sharing Results:

    • When the company finishes fixing things, the assessment provider sends the results to ENX Association.
    • The company's TISAX status changes, and important partners know they're doing things securely.
  • Keeping Safe:

    • Companies should always work to keep things safe by following TISAX rules.
    • They might need to do more checks to keep their TISAX certification.

The TISAX Assessment Order Process helps companies work together and stay secure in the car industry. It makes sure that important information is always safe, helping with cybersecurity and data protection.

What is the TISAX® Assessment Process?

Stage 1 - Certification body Assigns TISAX Assessment ID to Company

Stage 2 - Company: Conducts the self-assessment against the VDA-ISA (see the TISAX handbook and the VDA-ISA). The certification body does not conduct the self-assessment.

Stage 3 - Certification Body: Conducts the assessment remotely or on-site, depending on the 'AL' rating required, checking the reliability of the self-assessment done by the active participant.

Stage 4 - Certification Body: Produces Assessment report

Stage 5 - Company: Approves report

Stage 6 - Company: Gets TISAX labels from ENX

What is the standard schedule of a TISAX audit?

Kick-off Meeting: Usually two hours in length and held remotely, to provide information on the certification methodology and process.

Document Review: Three weeks after the kick-off meeting, the documentation and evidence are provided to the auditor, typically followed by a four-hour remote meeting to discuss the evidence provided. The auditor then checks the evidence pack and gives feedback on whether further evidence is required before the next phase; during this period the auditor communicates with the client to request clarification, additional evidence or added descriptions.

Assessment: Six weeks after the document review, the auditor evaluates the evidence for compliance at AL2 (remote) or AL3 (on-site) before submitting. The auditor has a final opportunity to ask the company for adjustments to the evidence pack up to the last deadline for the report.

Assessment report: Two weeks after the Assessment, the finalised report will be submitted to ENX by the auditor.

How do we complete the Tisax VDA ISA for AL2?

Completing the VDA spreadsheet for a remote audit is essential, so what information is required?

Column 'E' - (Maturity Level) - Make sure you state a minimum of 'Maturity Level 3'

Column 'F' - (Beschreibung der Umsetzung, or Description of the implementation) - Provide clear and justified information on how you have implemented the controls outlined in the objectives and requirements, both 'must' and 'should'.

Stating how you operate gives the remote auditor the information needed to understand your ways of working, so the audit is not delayed. Where you do not implement a requirement, include the justification (e.g. "We do not undertake development.").

Column 'G' - (Referenz Dokumentation). Provide references to all the documents in the evidence pack, ensuring that a unique identifier for each piece of evidence is easy to understand.

  • VDA-L5-5_1_1 - L5 = ISA line 5 | 5_1_1 = ISO 27001 control A.5.1.1
  • VDA-L7-4_1 - L7 = ISA line 7 | 4_1 = ISO 27001 clause 4.1

Column 'H' - (Feststellungen/Prüfergebnis, or Findings/Test result) - Complete each line with OK.
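As an added example that is not part of the original page, the following Python script checks a CSV export of columns E to H against the rules above: maturity level at least 3, description filled in, every reference following the VDA-L<line>-<ref> convention, pointing at its own line and present in the evidence pack, and the result column reading OK. The column names, the semicolon separator for multiple references, the sample rows and the evidence pack listing are assumptions constructed for the example.

```python
import csv
import io
import re

# Convention from the page: VDA-L<line>-<ref>; <ref> is the ISO 27001 number with dots as underscores.
REF_RE = re.compile(r"^VDA-L(?P<line>\d+)-(?P<ref>\d+(?:_\d+)*)$")
MIN_MATURITY = 3  # the page asks for a minimum of Maturity Level 3

# Constructed sample export of columns E-H (column names and rows are invented).
SAMPLE_CSV = """line,maturity,description,references,result
5,3,Policies approved by management and published on the intranet.,VDA-L5-5_1_1,OK
7,2,ISMS context documented in the ISMS manual.,VDA-L7-4_1,OK
9,3,,VDA-L9-6_1,OK
11,3,Not applicable: we do not undertake software development.,VDA-L11-14_2_1;VDA-L12-14_2_1,OK
13,4,Access rights reviewed quarterly by the IT manager.,L13-9_2_5,
"""
# Constructed listing of the evidence pack (unique identifier of each file it contains).
EVIDENCE_PACK = {"VDA-L5-5_1_1", "VDA-L7-4_1", "VDA-L9-6_1", "VDA-L11-14_2_1"}

def parse_reference(ref):
    """Return (ISA line, ISO 27001 reference) for a VDA-L<line>-<ref> id, or None."""
    m = REF_RE.match(ref.strip())
    if m is None:
        return None
    return int(m.group("line")), m.group("ref").replace("_", ".")

def check_row(row, evidence_pack):
    """Return the findings for one ISA line; an empty list means the line is ready."""
    line, findings = int(row["line"]), []
    # Column E: maturity level must be at least 3
    if not row["maturity"].strip().isdigit() or int(row["maturity"]) < MIN_MATURITY:
        findings.append(f"line {line}: maturity {row['maturity']!r} is below {MIN_MATURITY}")
    # Column F: the implementation, or the reason for not implementing, must be described
    if not row["description"].strip():
        findings.append(f"line {line}: description of the implementation is empty")
    # Column G: each reference must be well-formed, belong to this line and be in the pack
    for ref in [r.strip() for r in row["references"].split(";") if r.strip()]:
        parsed = parse_reference(ref)
        if parsed is None:
            findings.append(f"line {line}: malformed reference {ref!r}")
            continue
        if parsed[0] != line:
            findings.append(f"line {line}: reference {ref!r} belongs to line {parsed[0]}")
        if ref not in evidence_pack:
            findings.append(f"line {line}: {ref!r} is not in the evidence pack")
    # Column H: expected to read OK
    if row["result"].strip() != "OK":
        findings.append(f"line {line}: result column is not 'OK'")
    return findings

def check_sheet(csv_text, evidence_pack):
    """Map each ISA line number that has problems to its list of findings."""
    rows = csv.DictReader(io.StringIO(csv_text))
    checked = {int(r["line"]): check_row(r, evidence_pack) for r in rows}
    return {line: f for line, f in checked.items() if f}
```

Running check_sheet(SAMPLE_CSV, EVIDENCE_PACK) on the constructed rows reports line 7 (maturity 2), line 9 (empty description), line 11 (a reference that belongs to line 12 and is missing from the pack) and line 13 (malformed reference, result not OK), while line 5 passes.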

Differences between ISO 27001 and TISAX in security terms?

ISO/IEC 27001 and TISAX (Trusted Information Security Assessment Exchange) are frameworks that address information security management. While they share similarities, their purposes and target industries differ.

ISO/IEC 27001:

ISO/IEC 27001 is an internationally recognized information security management system (ISMS) standard. It provides requirements and best practices for establishing, implementing, and maintaining an ISMS within any organization. Applicable to all types of organizations, regardless of size or industry, it focuses on protecting information assets' confidentiality, integrity, and availability, and managing risks effectively.

Key features of ISO/IEC 27001:

  • Systematic approach to managing information security risks.
  • Emphasis on policies, procedures, and controls for information asset protection.
  • Consideration of legal, regulatory, and contractual requirements.
  • Focus on continual improvement through monitoring and analysis.
  • Certification via independent audit by a certification body.

TISAX:

TISAX is an assessment and exchange mechanism for the automotive industry. Established to ensure uniform assessment of information security among suppliers, it's not a standalone standard but a framework based on existing regulations.

Key features of TISAX:

  • Customized assessment criteria for the automotive industry.
  • Focus on sector-specific information security requirements.
  • Standardized assessment process.
  • Assessment results shared securely among organizations.
  • Accredited assessment providers perform TISAX assessments.

In summary, ISO/IEC 27001 is an international standard for information security management across industries. TISAX is specific to the automotive sector. ISO/IEC 27001 offers broader security management, while TISAX targets automotive industry needs. Automotive organizations seek TISAX to show compliance, while ISO/IEC 27001 is adaptable for various sectors.

Is your evolving supply chain embracing the future?

As the automotive industry undergoes a transformative shift towards greater climate efficiency and digitalisation, new businesses must understand the changing dynamics of the supply chain.

Companies specialising in new energies, mobile internet, and autonomous driving in this evolving landscape have become essential and rapidly growing contributors. Additionally, service providers from the media industry play a vital role.

In this comprehensive supply chain, ensuring information security in line with TISAX® standards is imperative, especially when demanded by customers.

Take, for instance, the protection of prototypes. It is essential to safeguard them against unauthorised media documentation at the testing site and the premises of contracted photographers to prevent undesirable premature releases. Data leaks can lead to unexpected regression claims, harming your business.

TISAX® has already gained significant traction within the supply chain. To protect your interests, it is crucial to prioritise compliance with TISAX® standards as soon as possible.

Doing so will safeguard your business and align with industry best practices, ensuring a secure and prosperous future.

Is TISAX trusted?

TISAX, the Trusted Information Security Assessment Exchange, is a framework that ensures the security and protection of sensitive information in the automotive industry through the implementation of a trusted Information Security Management System (ISMS).

The ISMS comprises standardised controls, processes, and measures to:

  • Identify risks
  • Maintain the confidentiality, integrity, and availability of data
  • Ensure compliance with legal and regulatory requirements

TISAX certification signifies that an organisation has:

  • Established and adheres to a robust and trusted information security management system (ISMS)
  • Aligned with industry standards

This certification promotes:

  • Trust
  • Transparency
  • Collaboration among automotive stakeholders

It establishes a secure environment for data exchange and enhances overall cybersecurity resilience.

Why are OEMs looking to TISAX when choosing a service provider?

Original Equipment Manufacturers (OEMs) are increasingly turning to TISAX when selecting service providers for several reasons.

Firstly, TISAX certification ensures that a service provider has implemented and maintains a robust Information Security Management System (ISMS) tailored to meet the security requirements of the automotive industry.

By engaging TISAX-certified service providers, OEMs can have confidence in their ability to securely handle sensitive information. They safeguard customer data, protect intellectual property, and maintain the confidentiality, integrity, and availability of crucial systems and processes.

TISAX certification serves as a recognized industry standard, fostering trust and transparency between OEMs and service providers. It simplifies the evaluation process for OEMs. They can rely on the TISAX framework to assess the security readiness of potential service providers and verify their adherence to industry standards.

Overall, by choosing TISAX-certified service providers, OEMs can mitigate risks, ensure compliance, and enhance the overall security of their operations.

Which manufacturers seek suppliers for TISAX certification?

The following is a list of manufacturers seeking TISAX labelling from their suppliers.

Manufacturer                    | Country
Bertrandt AG                    | Germany
BMW AG                          | Germany
Continental AG                  | Germany
Daimler Truck AG                | Germany
Dr. Ing. h.c. F. Porsche AG     | Germany
FAURECIA S.A.                   | France
IAV GmbH                        | Germany
Magna International             | Germany
Mercedes-Benz Group AG          | Germany
Renault s.a.s.                  | France
Vitesco Technologies GmbH       | Germany
Volkswagen AG                   | Germany
ZF Friedrichshafen AG           | Germany

This list is not exhaustive.

Tisax Automotive Security Clients

Clients include optical3d, Samuelson Wylie Associates, Gestamp, Scoutbee and Nidec.