#244 What is TISAX?

The modern automotive industry faces many new challenges, as vehicles evolve with more complex data requirements and supply chains become increasingly interconnected, major Original Equipment Manufacturers (OEMs) require certain Standards as a mark of trust from potential suppliers.

Currently, this trust is codified in TISAX (Trusted Information Security Assessment Exchange). For businesses that have not previously dealt with Standards, TISAX can be seen as a daunting regulatory hurdle. However, a TISAX label is more than a compliance check, it's a recognised mark that your organisation has robust information security measures in place specific to the automotive industry, including considerations for protecting key intellectual property and prototype innovations.

In this episode, Ian Battersby is joined by Emma Coxhill, isologist at Blackmores, to explore what TISAX is, who it applies to, what it requires and how OEM's and automotive suppliers can take their first steps towards earning a TISAX label.

You'll learn

· What is TISAX?

· Who is TISAX applicable to?

· Why is TISAX important?

· What are the 3 assessment levels within TISAX?

· What are the 3 different subject areas within TISAX?

· How is TISAX implemented?

· Why does TISAX use labels instead of certificates – and how can people verify these?

· What is the ENX portal and how does this help with supplier onboarding?

· Where should companies start if they want to earn a TISAX label?

Resources

· Register for our TISAX webinar here

· ENX

· Isologyhub

In this episode, we talk about:

[02:05] Episode Summary – Emma Coxhill joins Ian to dive into the topic of TISAX, including who it's applicable to, why it's important and how businesses can make a start on earning a TISAX label.

[03:40] What is TISAX? TISAX was developed for the automotive industry by the German Association of the Automotive Industry, VDA, and it's managed by the ENX Association.

It's based on the ISO 27001 Annex A controls, and was created for the automotive industry because they were looking to standardise the framework for assessing and sharing information security results between manufacturers and their suppliers.

[04:40] Who is TISAX applicable to? While applicable to the automotive industry, it encompasses quite a lot of businesses within this. This is because is applies to any organisation that handles sensitive data relating to vehicle development, manufacture and marketing.

So, this can include any company providing car parts, vehicle software, cloud services, testing labs, engineering etc. Basically, any service providers to OEMs (original equipment manufacturers) will be applicable.

TISAX can also be applicable for those dealing with automotive related events, marketing and photography, as new models are protected IP and will require related business to prove that they have the correct security requirements to ensure any potential prototypes are protected.

[06:50] Why is TISAX important? Mainly, it gives the automotive industry a trusted, standardised way to ensure information security across the entire supply chain.

Without it, the OEMs and suppliers can conduct their own audits, but it'll be their own interpretations or what is considered an adequate level of security. The industry saw this as an open door to chaos, so TISAX was created to protect highly confidential automotive information and support compliance with relevant data protection laws.

However, now it's not so much a 'nice to have' Standard as it is a requirement to trade, especially within Europe. It's fast becoming a tender requirement, and many OEMs won't make it past the procurement process without a valid TISAX label.

The ENX portal, where labels are registered, can also help speed up the on-boarding process. So, the whole TISAX system has been built for ease of access to help manufacturers choose suppliers that prioritise information security.

[09:00] What's the consequence of not having a TISAX label? A loss of opportunities. Those within the automotive industry that don't have a valid label will be seen as a security risk, leaving them at a competitive disadvantage.

[10:30] What are the 3 levels within TISAX? Unlike ISO 27001, TISAX has levels that depend on the level of data sensitivity that you're dealing with.

Level 1: Self-assessment – Considered as 'normal risk' with general processing of data.

Level 2: Remote Audit – Applicable to those dealing with confidential information such as design documents or internal projects. This requires both a self-assessment and an audit.

Level 3: On-site Assessment – Highly confidential information, so this applies to those dealing with sensitive research, development information or prototype data etc. This requires a physical on-site assessment, as the qualified TISAX auditor will need to ensure that you have the appropriate physical security measures in place.

Most businesses will require level 2, but if you're looking to work with high-spec OEMs, then level 3 is more desirable.

[12:00] What are the 3 subject areas within TISAX? The 3 main areas are as follows:

Information Security: This covers general information security controls such as relevant policies, access controls, risk management, incident handling and secure operations.

Prototype Protection: This focuses on safeguarding physical and digital prototypes, design data, test vehicles and confidential development information.

Data Protection: This ensures proper handling of personal data in line with legal requirements such as GDPR.

If you're just doing a self-assessment, you can pick the areas which are most relevant to you. If you've been requested to earn a TISAX label, they will usually provide you with their preference on subject areas.

Many will opt to take information security, but data protection is also quite common. The prototype section is more specialist and not applicable to all businesses.

[14:00] How is TISAX implemented? There are a few stages to gaining a TISAX label:

Awareness – Learn the requirements for TISAX and planning for the project ahead. This may include asking your clients about what they expect of your from an information security perspective and working out costs for assessments and any additional support. The ENX website has a lot of really useful info, including a handbook and a copy of the self-assessment.

Preparation – This is where you need to complete your TISAX scope and register yourself on the ENX portal. Your scope needs to specify your selected level (1,2 or 3) and the subject areas you'll be focusing on. You also need to include the locations within scope, which have to be listed one by one (not simply 'all offices in the UK' for example).

Self-Assessment – The template for this can be downloaded from the ENX website. This is essentially a Gap Analysis that grades your current level of compliance with the TISAX requirements. It includes a scoring mechanism, where you'll be aiming to get a 2.71, as that's the pass rate. This self-assessment will highlight what gaps you need to fill before going ahead with an external assessment.

Implementation – This is where you will bridge those gaps highlighted in the Self-assessment. This will involve creating the required documentation requested by TISAX and updating existing systems to align with requirements. Before going ahead with external assessments, we highly recommend you conduct some internal audits to ensure you're ready.

External Assessment – Whether this is remote or on-site, you need an official TISAX auditor to perform the assessment. A list of approved TISAX auditors is available on the ENX portal, we recommend getting a few quotes to get the best price. We also recommend requesting a kick-off meeting so you can have a chat with your auditor about the requirements and how they'd like to review the required evidence of compliance.

The Assessments are similar to that of an ISO certification, it's broken down into 2 segments. One is a document/evidence review and the other is done with both parties present to go through their findings, review further evidence and to question any gaps found.

Again, similar to ISO, you may receive either minor non-conformities, non-conformities, opportunities for improvement or observations in their final report. If you get any non-conformities, you'll need to provide an action plan within 2 weeks following from your assessment to address them. You will then be allowed a few months to implement the corrections, which will be reviewed and approved by the auditor before receiving your label. If you only received opportunities for improvement then you'll get a label straight away.

[20:40] Why does TISAX use labels instead of certificates – and how can people verify these? Taking ISO 27001 as a comparison, that certification has a blanket framework that can apply to every business. While you can exclude small bits, the vast majority applies to everyone.

TISAX is more scaled based on the level of security you're dealing with. Businesses can pick both different levels and different subject areas for their Label.

Another key difference is that Labels can only be verified through the ENX portal, this is where other TISAX clients can see who has what Label, including the details of level and selected subject areas.

Business can still chose to state TISAX compliance on their website, but the details regarding the level of compliance only need to be seen be relevant individuals.

[22:05] What is the ENX portal and how does this help with supplier onboarding? The ENX portal is accessible through the ENX website. It does require a fee to make an account, but this is where everything related to TISAX is managed.

This is where you will upload your scope and findings and it's where Labels are assigned and documented for suppliers to search for. There are options for how much information you want to disclose within those public searches, allowing you to select the need for contacting for further information.

The ENX portal can help massively in reducing the amount of supplier questionnaires you need to fill in, as those looking for automotive suppliers will simply look up your TISAX Label to verify if you have the required level of security to continue with the procurement process.

[24:50] Where should companies start if they want to earn a TISAX label? If you're just diving in, we recommend you do some research first to fully understand what you're expected to do to earn a Label and how much the process will cost.

Next you'll need to define your scope, so look at what sites need to be included and identify relevant client requirements in relation to TISAX. This is to ensure you're going for the right Level and subject areas.

Next evaluate your internal resource for the project and related budget. As mentioned, you will need to pay to register on the ENX portal and you need to consider Assessment costs and any additional support costs should you need consultancy services.

You'll also need to assign individuals to manage the project, which will include completing the self-assessment, updating your policies, procedures and documentation to align with the requirements and possibly conduct training if required.

This isn't a 2 week project, realistic timescales will vary, but generally if you're starting from scratch you're looking at 9-12 months. If you have ISO 27001 in place already this could be reduced to 6-8 months.

As with anything Standard related, leadership commitment is a big factor as you'll need their help and support to ensure the projects success. If you need additional help, reach out to consultants such as Blackmores to help guide you through the process.

[28:05] Upcoming TISAX Webinar – Join us on the 18th March 2026 at 2pm for a webinar where we'll dive into TISAX further and provide practical guidance on how to complete the VDA Self-Assessment.

Attendees will also get access to some freebies. So don't delay, register your place here today.

We'd love to hear your views and comments about the ISO Show, here's how:

● Share the ISO Show on Twitter or Linkedin

● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List