What is TISAX and Why Is It Relevant for Your Company?
TISAX (Trusted Information Security Assessment Exchange) is the standard for information security and data protection in the supply chain, developed by the German automotive industry. The system is managed by the ENX Association on behalf of the German Association of the Automotive Industry (VDA).
The goal is to establish unified and transparent security standards for all companies working with sensitive information – including prototypes, development documentation, or personal data.
Relevance for Mid-Sized Companies
TISAX is mandatory for all companies acting as suppliers, service providers, or partners to Original Equipment Manufacturers (OEMs) and Tier 1 suppliers – regardless of company size. Without a valid TISAX label, access to the automotive market is effectively blocked. Moreover, the standard is gaining importance in other sectors such as aerospace, energy, and rail.
Key TISAX Requirements
The TISAX requirements are outlined in detail in the VDA ISA catalog and are divided into three core areas:
Information Security Management System (ISMS): A key element of TISAX is the implementation and maintenance of an ISMS. This includes systematic risk assessment, technical and organizational safeguards, and regular effectiveness reviews.
Physical Security and Access Control: This area focuses on controlling access to highly sensitive company zones, such as R&D departments. The aim is to ensure protection against theft, sabotage, and espionage.
Training, Awareness and Governance: TISAX places strong emphasis on the human factor in information security. Companies must conduct regular awareness training, define roles and responsibilities clearly, and fully document all access rights and their assignments.
Extra Considerations for SMEs
The TISAX assessment process is scalable and can be adapted to your company’s size and risk profile. The goal is not perfection, but the appropriate and continuously improving implementation of security measures. TISAX for mid-sized companies means focusing on practicality, cost-efficiency, and clarity.
TISAX Audit: Process and Assessment Levels Explained
The certification process follows a clear structure:
Registration on the ENX portal and definition of the scope
Self-assessment using the VDA ISA questionnaire
Audit by an accredited testing provider (remote or on-site, depending on level)
Result validation and issuance of the TISAX label (valid for three years)
Assessment Levels at a Glance
Level | Form of Audit | Depth | Typical Use Case
---|---|---|---
Level AL1 | Self-assessment | Low – for internal purposes only | Rarely used in OEM supply chains |
Level AL2 | Remote audit | Document review, plausibility checks | Protection of IP, development data |
Level AL3 | On-site audit | Full inspection, incl. physical controls | Prototypes, high-level security required |
For most mid-sized suppliers, Assessment Level 2 (AL2) is the standard. During the TISAX audit, the auditor conducts a remote interview and reviews your documentation to verify whether your ISMS and access control structures meet the TISAX requirements.
Use Case: Access Control and Prototype Protection in R&D
One of the most sensitive areas covered by TISAX is the protection of development environments where prototypes, vehicle components, or other confidential data are handled. TISAX mandates that only authorized personnel have access, and that all access permissions must be fully documented. Traditional access management systems often fail here – due to unclear role models, missing recertifications, or manual processes.
The Solution: A modern Identity Governance & Administration (IGA) software solution like the Garancy Suite automates permission assignment, control, and documentation. It enables:
Centralized management of all identities and permissions
Automated recertifications and audit trails
Transparent documentation for TISAX audits
Efficient enforcement of separation-of-duties and dual-control principles
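As an added illustration of the controls listed above (example code written for this page, not part of the Garancy Suite or of any ENX or VDA material), the following Python script models the three checks an IGA review would run before a TISAX audit: stale entitlements that have passed their recertification interval, separation-of-duties conflicts, and grants with no documented approver. All identities, role names, dates and the 180-day review interval are constructed assumptions; every finding is also written to an append-only audit trail, which is what an auditor at AL2 would ask to see.

```python
"""Toy identity-governance review: stale entitlements, SoD conflicts, undocumented grants.

Example code for illustration only. The sample identities, roles, dates and the
recertification interval below are constructed, not taken from any real system.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: an assignment must be recertified at least every 180 days.
RECERT_INTERVAL = timedelta(days=180)

# Separation-of-duties rules: a person must not hold both roles of a pair.
# Role names are constructed for this example.
SOD_RULES = (
    frozenset({"prototype_access_requester", "prototype_access_approver"}),
    frozenset({"supplier_onboarding", "supplier_payment_release"}),
)


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    granted_on: date
    last_recertified: Optional[date]  # None: never reviewed since the grant
    approved_by: str                  # empty string: no documented approver


@dataclass
class AuditTrail:
    """Append-only record of every finding produced by the review."""
    entries: List[str] = field(default_factory=list)

    def record(self, event: str) -> None:
        self.entries.append(event)


def stale_assignments(assignments, today: date, trail: AuditTrail) -> List[Assignment]:
    """Assignments whose last review (or grant, if never reviewed) is older than the interval."""
    stale = []
    for a in assignments:
        reviewed = a.last_recertified or a.granted_on
        if today - reviewed > RECERT_INTERVAL:
            stale.append(a)
            trail.record(f"{today}: STALE {a.user}/{a.role}, last reviewed {reviewed}")
    return stale


def sod_violations(assignments, trail: AuditTrail) -> List[Tuple[str, Tuple[str, str]]]:
    """Users holding both roles of any separation-of-duties pair."""
    roles_by_user = {}
    for a in assignments:
        roles_by_user.setdefault(a.user, set()).add(a.role)
    violations = []
    for user, roles in sorted(roles_by_user.items()):
        for rule in SOD_RULES:
            if rule <= roles:  # both roles of the pair are held by this user
                pair = tuple(sorted(rule))
                violations.append((user, pair))
                trail.record(f"SOD {user} holds {pair[0]} and {pair[1]}")
    return violations


def undocumented_assignments(assignments, trail: AuditTrail) -> List[Assignment]:
    """Grants with no approver on record; every permission must be traceable."""
    missing = [a for a in assignments if not a.approved_by]
    for a in missing:
        trail.record(f"UNDOCUMENTED {a.user}/{a.role} granted {a.granted_on} without approver")
    return missing


def run_review(assignments, today: date):
    """Run all three checks and return the findings together with the audit trail."""
    trail = AuditTrail()
    report = {
        "stale": stale_assignments(assignments, today, trail),
        "sod": sod_violations(assignments, trail),
        "undocumented": undocumented_assignments(assignments, trail),
    }
    return report, trail


# Constructed sample data: one conflicting user, two stale grants, one missing approver.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "prototype_access_requester", date(2023, 1, 10), date(2024, 4, 15), "rd_lead"),
    Assignment("alice", "prototype_access_approver", date(2023, 11, 1), None, "rd_lead"),
    Assignment("bob", "prototype_access_requester", date(2024, 2, 1), None, ""),
    Assignment("carol", "supplier_onboarding", date(2022, 5, 1), date(2023, 10, 1), "procurement_head"),
    Assignment("carol", "cad_viewer", date(2024, 5, 1), None, "procurement_head"),
]

if __name__ == "__main__":
    findings, audit = run_review(SAMPLE_ASSIGNMENTS, REVIEW_DATE)
    for key, items in findings.items():
        print(f"{key}: {len(items)} finding(s)")
    print("\n".join(audit.entries))
```

On the sample data the review flags alice's approver role and carol's onboarding role as overdue for recertification, alice as a separation-of-duties conflict (requester and approver of the same prototype access), and bob's grant as lacking an approver; the audit trail carries one line per finding. In a real IGA deployment the assignments would be read from the directory or HR feed rather than a literal list, but the checks themselves are the ones the page's bullet points describe.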
TISAX vs. ISO 27001: What Are the Differences?
While both TISAX and ISO 27001 are recognized standards for information security, they differ in their objectives, scope, and audit depth. TISAX was specifically developed for the automotive industry and its supply chain, whereas ISO 27001 is applied across various industries.
The following comparison outlines the key differences – and explains why many companies choose to implement both standards.
Aspect | TISAX | ISO 27001 |
---|---|---|
Focus | Automotive industry & supply chain | Cross-industry |
Basis | VDA ISA with added prototype protection | International standard |
Certificate | TISAX label via ENX platform | ISO certificate |
Audit Depth | Based on assessment level | Annual audit cycles |
Overlaps | ISMS, access control, risk management | ISMS, access control, risk management |
Many organizations implement both standards, as their requirements significantly overlap. However, TISAX addresses industry-specific risks like prototype protection in greater depth.
Challenges and Success Factors for Mid-Sized Companies
For SMEs, the following aspects are critical to success:
Documentation Effort: Full documentation of all processes and permissions is required. Digital tools greatly reduce the administrative burden.
Skills Shortage: Automation and standardization help alleviate pressure on lean IT teams and make TISAX manageable with limited resources.
Efficiency Gains: Standardized auditing and centralized access control simplify internal workflows and help lower long-term certification costs.
The Right Strategy and Software for TISAX Success
For small and medium-sized companies in the automotive industry and adjacent sectors, TISAX has long been more than just “nice to have.” It’s a critical factor for accessing new markets, ensuring secure data handling, and building a resilient and efficient organization.
With a modern IGA solution like Garancy, you can lay the foundation for an audit-ready access management framework, fulfill all regulatory requirements, and position your company as a trusted digital supply chain partner.
Get in Touch with Our Experts
Would you like to learn how our IAM software can support your company on its path to TISAX certification? Contact us for a free consultation with our experts – and gain actionable insights for your TISAX strategy!