TISAX Certification Process for Automotive Suppliers: A Practical Roadmap
TISAX is the dominant information security label across the European automotive sector. This guide walks suppliers through the assessment levels, the VDA ISA catalogue, the ENX exchange platform and the typical timeline from gap analysis to label issuance.
The Trusted Information Security Assessment Exchange (TISAX) has become the de facto information security label for the European automotive sector. Established by the German Association of the Automotive Industry (VDA) and operated by ENX Association on behalf of the OEMs, the framework allows a supplier to undergo a single assessment whose results are mutually recognised across the participating OEMs. For Volkswagen Group, BMW, Mercedes-Benz, Audi, Porsche, Stellantis and several Tier-1 manufacturers, a valid TISAX label is a pre-contractual requirement when the supplier handles confidential information, prototype parts, personal data or production-relevant data flows.
This article describes the TISAX certification process in operational detail. It explains the three assessment levels, the structure of the VDA ISA catalogue version 6.0, the role of ENX and the accredited audit providers, the typical preparation timeline, and the most common findings observed in initial assessments. It is written for chief information security officers, suppliers preparing for a first label and Tier-1 buyers who want to understand what they require from their supply base. The recommendations align with the methodology used in the compliance platform and officer-as-a-service offered by CIVAC, including 490 ready-to-use audit templates and a 24/72 reporting workflow inspired by NIS-2.
At a glance
- TISAX is operated by ENX on behalf of the VDA and rests on the VDA ISA catalogue, currently version 6.0, with three assessment levels and tightly defined assessment objectives.
- The full cycle from registration to label typically takes between four and nine months, depending on the assessment level and the supplier's current ISMS maturity.
- TISAX is closely aligned with ISO/IEC 27001:2022 but adds automotive-specific objectives such as prototype protection and connection to OEM networks.
What TISAX is and how it relates to ISO/IEC 27001:2022
TISAX is a recognition mechanism, not a certification scheme. The supplier undergoes an assessment by an ENX-accredited audit provider, the result is published on the ENX exchange portal, and any participating OEM or Tier-1 buyer with a legitimate interest can request access. The assessment is based on the VDA Information Security Assessment (VDA ISA) catalogue, a structured questionnaire that mirrors ISO/IEC 27001:2022 in spirit but adds automotive-specific assessment objectives. Version 6.0 of the catalogue, released by the VDA in 2024, contains 41 controls organised into the topics information security, prototype protection and personal data, plus optional modules for connection to OEM networks.
The relationship to ISO/IEC 27001:2022 is one of substantial overlap. A supplier that already operates a certified Information Security Management System covering the relevant scope can reuse most of the management system evidence. The differences lie in three areas. First, TISAX places stronger emphasis on prototype protection, including physical security of prototype storage rooms and handling of test drives. Second, it adds explicit objectives for handling personal data that reflect GDPR requirements without replacing them. Third, it requires evidence about the supplier's relationship with sub-suppliers and downstream parties, including a documented information security clause in supplier contracts. For a structured approach, the role of an internal or external information security officer is essential, because TISAX expects management commitment, a clear reporting line and a documented responsibility matrix. Without this governance layer, technical controls alone will not pass. ENX publishes the participant handbook and the assessment procedures openly, which makes it possible to align internal preparation directly with the audit methodology rather than relying on second-hand interpretation.
The three assessment levels: AL1, AL2 and AL3
TISAX defines three assessment levels, abbreviated AL1, AL2 and AL3, each tied to a protection-need classification. AL1 corresponds to standard protection needs and consists of a self-assessment that the supplier submits via the ENX portal. AL1 is rarely used as a contractual requirement by OEMs and serves mainly as an internal preparation step. AL2 corresponds to high protection needs and combines the self-assessment with a remote audit, including evidence review and interviews. AL3 corresponds to very high protection needs, typically applied to prototype data, suppliers connected to OEM networks or processors of large personal data sets. AL3 requires an on-site audit at every assessed location plus an evidence review.
Most OEM contracts require AL2 for standard confidential information and AL3 for prototype-related work. A supplier that produces production parts and additionally hosts prototype data must usually obtain both labels, often in a combined assessment. The assessment scope is defined by a list of locations and a list of assessment objectives. The most common objectives are information with high protection need, information with very high protection need, prototype parts and components, prototype vehicles, test vehicles, and personal data. Each objective triggers a defined subset of controls in the VDA ISA catalogue. Selecting too broad a scope inflates audit effort, while selecting too narrow a scope risks rejection by the OEM. The compliance platform and officer-as-a-service from CIVAC includes a scoping template that maps OEM requirements to assessment objectives and helps suppliers avoid both extremes. The result is a defensible scope decision documented in writing and signed off by the management board. The same template can be reused at every renewal cycle to ensure that scope changes are tracked and that the OEM contractual requirements remain in sync with the assessment objectives on the ENX portal.
The full timeline: from registration to label issuance
A realistic timeline for a first TISAX label runs between four and nine months. The clock starts with the registration on the ENX portal, where the supplier creates an account, selects the assessment objectives, defines the scope and identifies the locations. Registration costs are set by ENX and depend on the scope. After registration, the supplier engages one of the accredited audit providers. The pool of providers is published by ENX and currently includes around fifteen organisations. The choice of provider is the supplier's decision, but capacity constraints in the audit market often determine the actual schedule.
The preparation phase typically takes three to six months. It covers a gap analysis against VDA ISA 6.0, the implementation of missing controls, the production of evidence documents, the rollout of training and the establishment of a sustainable ISMS. The audit itself takes two to five days for AL2 and three to seven days for AL3, distributed across self-assessment review, on-site visits and follow-up. Findings are recorded in a corrective action plan with deadlines of typically three months for major non-conformities and nine months for minor ones. Once all major findings are closed, the audit provider issues the label, which is valid for three years. Surveillance audits are not formally required, but suppliers are expected to maintain the ISMS continuously and to refresh the self-assessment annually. Appointment certificate: signed, filed, verifiable. The German legal terminology applies here even in English-language contracts, because the underlying responsibility of the designated officer is governed by German law, including § 130 OWiG and the GDPR.
VDA ISA 6.0 in detail: the 41 controls and their structure
The VDA ISA catalogue version 6.0 organises 41 controls into three mandatory chapters and one optional chapter. Chapter 1 covers information security and includes 25 controls on policies, organisation, asset management, access control, cryptography, physical security, operations, communication, system acquisition, supplier relationships, incident management, business continuity and compliance. Chapter 2 covers prototype protection with 11 controls focused on physical security of prototype rooms, handling of test drives, prototype identification and disposal. Chapter 3 covers connection to OEM networks with 4 controls on network segmentation, authentication and monitoring. Chapter 4 covers personal data with 1 control summarising GDPR-aligned obligations.
Each control is structured into a description, the assessment objective it serves, the maturity levels from 0 to 5, and the expected evidence. The maturity model follows the SPICE methodology adapted for information security. Level 0 means no implementation, level 3 means the control is implemented and managed, level 5 means the control is continuously optimised. AL2 typically requires a target maturity of 3, while AL3 raises the bar to 4 for selected controls. A frequent misconception is that the audit measures controls against full maturity. In reality, the audit measures the controls against the target maturity defined for the assessment objective. A solid gap analysis identifies which controls fall below the target and prioritises the remediation effort accordingly. In the CIVAC workspace, the VDA ISA 6.0 controls are pre-mapped to ISO/IEC 27001:2022 Annex A controls, so suppliers with an existing ISMS can reuse evidence without redoing the documentation.
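The gap analysis described above, as an added illustration that is not code from the page, from CIVAC or from ENX: each control carries a measured maturity from 0 to 5, the assessment level sets the target (3 for AL2; for AL3, 4 on selected controls and 3 otherwise, as the text states), and only controls triggered by the chosen assessment objectives are in scope. The control identifiers, objective names, maturity scores and the `elevated` flag marking which controls AL3 raises to 4 are constructed sample data, not VDA ISA 6.0 control numbers.

```python
"""Maturity gap analysis for a TISAX scope (added example, constructed data).

Assumptions (not from the VDA ISA catalogue itself):
- AL2 targets maturity 3 on every control in scope.
- AL3 targets maturity 4 on controls flagged `elevated`, 3 otherwise.
- Control IDs such as "IS-01" are placeholders, not real VDA ISA numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str        # constructed placeholder identifier
    chapter: str           # catalogue chapter the control belongs to
    objective: str         # assessment objective that triggers the control
    current: int           # measured maturity level, 0..5
    elevated: bool = False # True if AL3 raises the target to 4 (constructed flag)

    def __post_init__(self):
        if not 0 <= self.current <= 5:
            raise ValueError(f"{self.control_id}: maturity must be 0..5")


def target_maturity(control, level):
    """Target maturity a control must reach for the given assessment level."""
    if level == "AL2":
        return 3
    if level == "AL3":
        return 4 if control.elevated else 3
    raise ValueError(f"unsupported assessment level: {level}")


def gap_analysis(controls, level, objectives):
    """Return (control_id, current, target, gap) for in-scope controls below target.

    Controls whose objective is not selected are ignored, so the effort reflects
    the declared scope rather than the whole catalogue. Rows are sorted by
    largest gap first (then by id) to give a remediation priority order.
    """
    rows = []
    for c in controls:
        if c.objective not in objectives:
            continue
        target = target_maturity(c, level)
        if c.current < target:
            rows.append((c.control_id, c.current, target, target - c.current))
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows


def scope_meets_target(controls, level, objectives):
    """True when every in-scope control already reaches its target maturity."""
    return not gap_analysis(controls, level, objectives)


# Constructed sample scope: IDs, objectives and scores are illustrative only.
SAMPLE_CONTROLS = [
    Control("IS-01", "information security", "high protection need", 3),
    Control("IS-02", "information security", "high protection need", 2),
    Control("IS-03", "information security", "very high protection need", 3, elevated=True),
    Control("PP-01", "prototype protection", "prototype parts and components", 1),
    Control("PP-02", "prototype protection", "prototype parts and components", 4, elevated=True),
    Control("PD-01", "personal data", "personal data", 3),
]


if __name__ == "__main__":
    al2_scope = {"high protection need"}
    al3_scope = {"very high protection need", "prototype parts and components"}
    for level, scope in (("AL2", al2_scope), ("AL3", al3_scope)):
        print(f"{level} scope {sorted(scope)}:")
        for cid, cur, tgt, gap in gap_analysis(SAMPLE_CONTROLS, level, scope):
            print(f"  {cid}: current {cur}, target {tgt}, gap {gap}")
```

Running the block shows the point the paragraph makes: the AL2 scope flags only IS-02, because IS-01 already sits at the target of 3, while the AL3 scope flags PP-01 (two levels short of 3) ahead of IS-03, which is at 3 but must reach 4 as an elevated control; PP-02 passes at 4 and PD-01 is out of scope for both runs.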
Common findings in initial TISAX assessments
Initial assessments tend to surface a recurring set of findings. The first is a gap between the documented ISMS scope and the actual physical and digital footprint of the supplier. Production sites, R&D facilities, shared services and cloud platforms must be reflected consistently in the scope statement and the asset inventory. Mismatches result in non-conformities. The second is an incomplete risk assessment. A risk register that lists generic risks without traceable owners, mitigation measures and review dates does not satisfy the maturity level expected for AL2. Auditors expect to see a methodology, evidence of recent review, and decisions on risk treatment.
The third is weak supplier security management. TISAX requires a clear contractual basis with sub-suppliers, including security clauses, audit rights and breach notification obligations. A supplier that has hundreds of sub-suppliers but no consistent contract framework or risk classification will fail this control. The fourth is poor evidence of training and awareness. The auditor expects to see training records that link individual employees to the specific awareness module relevant to their role. Generic e-learning certificates without role mapping are rejected. The fifth is fragile incident management. The auditor expects a documented incident response plan, a tested escalation matrix and evidence of at least one drill in the preceding twelve months. The CIVAC compliance platform addresses all five gaps with structured templates and a 24/72 reporting workflow that mirrors the NIS-2 escalation discipline. The platform's design draws on the German concept of audit-fest, dokumentiert, § 130-fest (audit-proof, documented, § 130-proof), which translates into an evidence trail that survives external scrutiny.
Prototype protection: the automotive specialty
Prototype protection is the area where TISAX clearly diverges from generic ISMS standards. The catalogue defines three categories of prototypes: vehicles, components and pre-production parts. Each category triggers specific physical and procedural requirements. Prototype rooms must be access-controlled, monitored by alarm systems and camera surveillance, separated from non-prototype areas and visible only to authorised personnel. The list of personnel with access must be kept short, with clear approval and revocation procedures. Visitor management must include escorting, identification checks and confidentiality agreements.
For test drives, the supplier must define routes that minimise exposure, prescribe camouflage, ensure that test vehicles do not park overnight in publicly visible locations, and document every drive. For prototype components, the supplier must implement marking schemes that identify each prototype, control the production of prototype parts through dedicated tooling, and ensure that disposal is verified, documented and witnessed. A picture of a camouflaged prototype on social media is enough to trigger a major finding, and OEMs treat such incidents as a breach of contract. Suppliers that handle prototype work should consider assigning the role of prototype security officer in addition to the ISMS responsibility. The CIVAC platform supports this with a dedicated role template that combines the general information security officer scope with prototype-specific obligations. License the workspace for your internal officers or have CIVAC officers appointed. Both models deliver the same documented chain of responsibility and a defined reporting line into the management board. The dedicated role template includes an incident response plan tailored to prototype leaks, with escalation paths to the OEM contact and a documented containment procedure that satisfies typical OEM contractual obligations.
Connection to OEM networks and personal data objectives
Several OEMs require suppliers to connect to their corporate networks via dedicated VPNs, MPLS lines or shared development environments. The TISAX assessment objective for connection to OEM networks introduces additional controls covering network segmentation, multi-factor authentication, identity lifecycle management and continuous monitoring. Suppliers must demonstrate that the connection is logically separated from their general internal network, that only authorised personnel can access the OEM environment, and that all access is logged and reviewable. Many findings here arise from legacy site-to-site VPN configurations that lack proper segmentation and monitoring.
The personal data assessment objective adds a layer that translates GDPR obligations into TISAX-readable controls. Suppliers must document their processing activities under Art. 30 GDPR, demonstrate a process for handling data subject requests, implement a documented data protection impact assessment procedure under Art. 35 GDPR, and define a 72-hour breach notification path under Art. 33 GDPR. These controls overlap with ISO/IEC 27701 and with national privacy frameworks. For German suppliers, the additional requirements of the BDSG and the works council co-determination rights under § 87 Abs. 1 Nr. 6 BetrVG must be reflected. The CIVAC platform integrates the records of processing activities, the data protection impact assessment template, and the breach notification workflow into a single environment, so the TISAX evidence and the GDPR documentation are not maintained in parallel silos. This integration is what separates a sustainable ISMS from a paper-only label. Auditors increasingly probe for end-to-end consistency between TISAX evidence and GDPR documentation, and a fragmented setup is a frequent source of follow-up questions that prolong the audit cycle.
Maintaining the label: surveillance, scope changes and re-assessment
A TISAX label is valid for three years. During that period, the supplier is expected to maintain the ISMS, run internal audits, refresh the risk assessment, conduct awareness training and document any changes to the scope. Scope changes that affect the assessment objectives, the locations or the protection needs require a re-assessment, which can be performed as a delta audit by the original audit provider. A common mistake is to acquire a new business unit or open a new site without updating the TISAX scope, which then leads to questions at the next contractual review with the OEM. Suppliers should monitor scope-relevant events as part of their change management process.
Re-assessment at the end of the three-year period is a full assessment, although audit providers usually grant credit for unchanged evidence. The auditor expects to see continuous improvement, closure of previous findings and evidence of operational discipline, including incident reviews, supplier reviews and management reviews. In the CIVAC workspace, the three-year horizon is mapped to a sequence of recurring tasks: quarterly internal reviews, annual self-assessment refresh, biennial mock audit, and a re-assessment preparation phase in the final six months. Audit-proof, documented, § 130-proof. The discipline is the same whether you license the workspace for your internal officers or have CIVAC officers appointed. The result is a sustainable label that is renewed without surprises, rather than a panic project six weeks before the OEM deadline. The platform also stores the audit reports, the corrective action plans and the management review minutes in an immutable archive, which simplifies subsequent OEM supplier audits.
Turning reading into a mandate: TISAX preparation with CIVAC
Preparing for a TISAX assessment is not a one-off project. It is the establishment of an ISMS that meets automotive expectations and continues to evolve. Suppliers that approach TISAX as a tick-box exercise typically pass the first audit at high effort and then lose momentum, only to scramble before the re-assessment. Suppliers that approach TISAX as the operational backbone of their security organisation get a label, a culture and a defensible position with their OEM customers in one move. CIVAC supports both paths through its compliance platform and officer-as-a-service offering. The platform includes 25 officer roles, all live, with appointment letters, reporting lines and EU data residency, which matters for suppliers handling sensitive customer data.
The onboarding takes two working days, instead of the classical two to six weeks. The role overview shows which officers can be appointed in parallel, including the information security officer, the data protection officer and the compliance officer. License the workspace for your internal officers, or have our officers appointed. Suppliers that want to check whether their current ISMS holds up against VDA ISA 6.0 can request a TISAX readiness diagnosis. The diagnosis maps the current state to the 41 controls, identifies gaps, and proposes a remediation plan with effort estimates. Turning reading into a mandate: info@civac.de or through the contact form on civac.de. A response arrives within two working days, including a draft appointment letter for an external information security officer if needed. For Tier-1 buyers who need to enforce TISAX on their supply base, the platform also supports the operational supplier audit cycle through a dedicated supplier auditor role.
FAQ
Is TISAX a certification or a label?
TISAX is a recognised label, not a formal certification. The supplier undergoes an assessment performed by an ENX-accredited audit provider, and the result is published on the ENX exchange portal. Any participating OEM or Tier-1 with a legitimate interest can access the result. The label is valid for three years and is widely treated as the de facto information security baseline in the European automotive sector.
What is the difference between TISAX and ISO/IEC 27001:2022?
Both rest on a comparable management system foundation. TISAX adds automotive-specific assessment objectives, including prototype protection, connection to OEM networks and explicit personal data handling. A supplier with a current ISO/IEC 27001:2022 certificate can reuse most management system evidence but must complement it with the automotive-specific controls in VDA ISA 6.0.
How long does it take to prepare for a first TISAX label?
The realistic preparation time is three to six months, depending on the starting maturity. Suppliers with no prior ISMS need closer to nine months when including the audit and corrective action phase. Suppliers with an existing ISO/IEC 27001:2022 certificate often reach AL2 within four months and AL3 within six to seven months from registration to label issuance.
Which assessment level applies to a typical automotive supplier?
Most OEM contracts require AL2 for confidential information and AL3 for prototype-related work or processors of large personal data sets. Suppliers that handle both confidential information and prototype data typically need a combined AL2 plus AL3 label, often issued in a single assessment by the same audit provider.
What happens if a major non-conformity is found during the audit?
Major non-conformities trigger a corrective action plan with a deadline of typically three months. The supplier must implement the corrective action and provide evidence to the audit provider for verification. The label is only issued once all major non-conformities are closed. Minor non-conformities allow a longer deadline of up to nine months.
Does TISAX cover GDPR requirements?
Partially. The personal data assessment objective translates GDPR obligations into TISAX-readable controls, including records of processing activities, data subject request handling, data protection impact assessments and a 72-hour breach notification path. National rules such as the BDSG and works council co-determination under § 87 Abs. 1 Nr. 6 BetrVG remain governed by the underlying legal regimes.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.