TISAX Implementation

Practical guidance, from scoping to audit readiness, based on VDA ISA 6 and the ENX guidelines.

We structure policies, processes, and measures so that your organization demonstrably complies and the result can be securely shared via the ENX portal.

TISAX in brief

TISAX (Trusted Information Security Assessment Exchange) is the standardized mechanism with which companies in the automotive sector assess information security and exchange the results.
The implementation consists of translating the VDA ISA 6 requirements into your daily work processes. We first map out which systems, locations, and vendors are in scope. Then, we set up policies, procedures, and controls based on that scope.

A full program includes three steps:

  1. Registration on the ENX platform;

  2. Assessment by an accredited party;

  3. Exchange of results with partners via ENX.

The label you achieve is valid for three years. During that period, it remains important to maintain the measures, implement internal controls, and keep evidence up-to-date. This ensures your organization remains demonstrably compliant at all times.

Curious how we can help you?

Be sure to stop by for a (virtual) cup of coffee!


    Curious how we can take the TISAX burden off your shoulders?

    Experience & expertise

    Our auditors and consultants know the TISAX frameworks in detail.

    Pragmatic

    We work based on risk, so that the implementation focuses on what truly matters.

    Avoid pitfalls

    Avoid common mistakes and delays; we ensure you meet all requirements the first time.

    High probability of success

    Thorough preparation gives you confidence and the best chance of success. 

    Why choose TISAX implementation?

    For many suppliers, TISAX has become an entry requirement within the supply chain. Large car manufacturers and their suppliers require that sensitive information, designs, and prototypes be protected according to this standard.
    A structured implementation offers more than just compliance:

    • Prevents duplicate audits by sharing results via the ENX portal.

    • Internal processes become more transparent and manageable.

    • Policy, training, and IT measures reinforce each other and form a cohesive whole.

    With a careful approach, a workable system is created that not only meets TISAX but also contributes to a higher maturity of your information security.

    Who is TISAX support relevant for?

    TISAX is intended for organizations operating in or collaborating with the automotive sector. This includes developers, suppliers, IT service providers, and logistics partners who handle sensitive designs, data, or prototypes.

    For them, it is important to demonstrate that information security is managed in a uniform and verifiable way. With a TISAX implementation, your organization meets customer requirements and keeps control over its own security processes.

    Organizations that already have an ISO 27001-based ISMS benefit from that foundation: many controls align with TISAX. However, the automotive context requires extra attention to physical security, supplier management, and data classification.

    How do we approach TISAX implementation?

    An implementation project begins with clarity regarding scope and ambitions. Together, we map out which components, locations, and systems are included in the assessment. Next, we work in stages towards an audit-ready outcome.

    1

    Scope & Intake

    We will start with a joint session to define the context and scope. Which locations, processes, and information systems are included in the assessment? Which customers or partners have requirements?
    We translate these principles into concrete assessment objectives and determine the intended TISAX assessment level (AL1, AL2, or AL3).
    Result: a clear plan of action and a defined scope that aligns with the requirements of the chain.

    2

    Gap analysis based on VDA ISA 6

    We compare your current situation with the requirements from the TISAX catalog. This includes looking at policies, technical measures, physical security, and supplier management.

    3

    Roadmap and governance

    Based on the gap analysis, we will develop a practical roadmap. This will outline which measures are necessary, who is responsible, and within what timeframe actions will be carried out.
    We ensure that a workable governance structure emerges, with the involvement of management and the responsible security officers.

    4

    Implementation of measures

    In this phase, policy documents and procedures are drafted or revised. Consider:
    - access control and authorization models,
    - classification of information and prototypes,
    - supplier and NDA management,
    - awareness training and physical security of workspaces.
    Where possible, we align with existing ISO 27001 processes, so that measures reinforce each other rather than overlap.

    5

    Pre-assessment and audit support

    Before the official audit takes place, we internally review the evidence file during a pre-assessment. We check whether all requirements have been met and whether the evidence meets the expectations of an ENX-accredited audit provider.
    During the audit phase, we provide substantive support.

    6

    Corrective actions and label sharing

    After the assessment, any findings are addressed through a Corrective Action Plan (CAP).
    Once the corrective measures have been accepted by the audit provider, the TISAX result is registered and shared on the ENX portal. Your organization then holds a label that is valid for three years and can be exchanged within the supply chain.

    Questions? 
    Contact Jurgen!

    TISAX vs. ISO 27001


    VDA ISA is itself based on ISO 27001, so organizations that already operate an ISO 27001-based ISMS build on that foundation: many controls align, and existing policies and evidence can be reused. The automotive context, however, requires extra attention to physical security, supplier management, and the classification of information and prototypes, and TISAX results are exchanged through the ENX portal rather than as a certificate.

    The three TISAX levels

    The TISAX system has three so-called assessment levels. They determine the depth of the audit and the level of assurance required.

    AL1 – Self-assessment

    Suitable for organizations with a limited risk profile or internal application. The organization performs the assessment itself using the VDA ISA questionnaire. No external audit takes place.

    AL2 – External assessment (remote, document-based)

    An independent TISAX audit provider assesses policies and documentation. This level typically applies to partners working with confidential information but without physical access to prototypes or development environments. Interviews and document reviews can be conducted remotely.

    AL3 – On-site assessment

    The highest level of assurance. In addition to the document review, the auditor conducts an on-site inspection. This includes visiting server rooms, offices, and development areas. This level is required when you handle highly sensitive or confidential designs, prototypes, or vehicle data.

    The choice of a level depends on your client's requirements and the nature of the data you process. The level is set during the scoping phase so that your preparation and evidence file match the depth of the assessment you will face.

    Curious about the quote?

    Please contact us!