The Original Equipment Manufacturer (OEM) collaborates with multiple companies across the value chain for the design, manufacturing, and distribution of their vehicles. To facilitate collaboration, the OEM frequently shares confidential information, such as a prototype design, with the supplier base.

If valuable data is not effectively protected, the exchanges along the supply chain may cause losses, manipulations or even theft of trade secrets. Consequently, OEMs will want to ensure that their suppliers and partners, including marketing and sales organizations, have a solid information security management system in place before they are contracted.


Trusted Information Security Assessment Exchange (TISAX) is an assessment and exchange mechanism for information security in the automotive industry. The TISAX certification confirms that a company’s information security management system complies with defined security levels and allows sharing of assessment results across a designated platform.

There are Three Assessment Levels:

  • Level 1: Standard suppliers only need to complete the ISA questionnaire and publish this self-assessment in TISAX.
  • Level 2: In case of more complex suppliers, the self-assessment will be followed by random plausibility checks by telephone by an approved audit provider.
  • Level 3: Suppliers who handle highly sensitive external data undergo on-site inspection by an approved audit provider based on their self-assessment.


To meet the information security needs of the automotive industry, the German Association of the Automotive Industry (VDA) established a set of widely accepted security requirements and outlined these in a catalogue known as the VDA Information Security Assessment (ISA). The TISAX certification is based on the ISA requirements.

The TISAX label makes it easy for companies to share their information security status, which means:

  • Saving time and cost by avoiding duplication of assessments based on customer requirements
  • Gaining a competitive edge by fulfilling stringent requirements and creating customer trust
  • Protecting critical data and reducing liabilities


Companies often embark on the TISAX certification process upon request of a potential customer. Others initiate the process to be well-positioned for future prospects. Your individual TISAX journey will depend on your objectives, as well as the status of your current information security system. Irrespective of the path chosen, TÜV SÜD offers training and certification services to support you through the process, step-by-step.

The TISAX process consists of two phases: preparation and certification.

TISAX Journey to certification


As a first step, identify the requirements your company are facing and map them against your implemented information security management system (ISMS).

Steps to TISAX Certification

If your company does not yet have an effective information security management system (ISMS) in place, one option could be to implement an ISMS according to the leading management system standard for information security, ISO/IEC 27001. The implementation and certification according to ISO/IEC 27001 is not a requirement for TISAX but ensures effective information security management for your company overall. Furthermore, it’s regarded a solid foundation for a subsequent TISAX assessment. TÜV SÜD offers public training to support implementation of ISMS, as well as auditing and certification services for companies interested in ISMS according to ISO/IEC 27001.

The TISAX certification process starts with a thorough self-assessment. A good understanding of the TISAX requirements and criteria is vital for the internal analysis and can help you take necessary steps to close critical gaps before the external audit. TÜV SÜD provides comprehensive training for professionals who would like to learn more about the TISAX requirements and structure, including the certification process.


The initial and mandatory self-assessment is followed by a third-party assessment. The audit can either require a documentation-based plausibility check (Assessment Level 2), or a more comprehensive on-site-inspection (Assessment Level 3). Upon completion of the successful audit, the auditor uploads the final report to your TISAX platform, including your company’s TISAX-label. With your approval, OEMs and other partners can then access your TISAX status, thereby attaining a third-party confirmation of your security efforts.

TÜV SÜD is approved by ENX to perform TISAX assessments and to issue the respective report and label. Select TÜV SÜD as an auditor when you register as a participant on the TISAX platform.


TÜV SÜD is a leading provider of auditing and training services for management system standards. With an international network of auditors and a broad training portfolio, we help customers worldwide to achieve stable operations and improved performance.

Get familiar with the requirements of ISO/IEC 27001 and TISAX to prepare for a smooth assessment.

TÜV SÜD provides public training for professionals and companies of all sizes and industries. More than 300 experts at over 80 locations provide state-of-the-art technical and management qualification programs using a hands-on and practice-focused approach. Our qualifications and personnel certificates satisfy the highest quality standards and enjoy an excellent global reputation.


Comments are closed