TISAX (Trusted Information Security Assessment Exchange) is an information security standard developed by the German Association of the Automotive Industry (VDA) and managed by the ENX Association. Since its introduction in 2017, automotive manufacturers, parts manufacturers, and suppliers across Europe—and increasingly globally—have widely adopted TISAX to ensure a uniform level of information security across the industry. Today, more than 17,500 sites across 90+ countries have been assessed under the TISAX framework, making it one of the most widely used assessment mechanisms in any industry sector.
Because TISAX requires a comprehensive examination of information security controls, automotive manufacturers and parts suppliers should develop a risk assessment and ongoing monitoring strategy that aligns with its requirements to enhance cyber resilience across global automotive supply chains.
This post examines information security challenges in the automotive industry, TISAX information security controls and compliance requirements, and best practices to simplify TISAX compliance.
Automotive Industry Information Security Challenges
TISAX was developed to address specific information security challenges and needs in the automotive industry.
Varied Security Requirements
Typically, each automotive manufacturer develops its own information security standards and applies these requirements to its suppliers. This approach required suppliers to comply with multiple, sometimes conflicting, security criteria.
Audit Fatigue
Without a common standard, suppliers were subjected to multiple audits by different manufacturers, each assessing information security based on their unique criteria. This was not only repetitive but also resource-intensive for suppliers.
Global Supply Chains
The automotive industry features complex, global supply chains involving numerous partners and suppliers across different regions. Managing information security uniformly across such a vast network without a common standard was increasingly difficult and risky.
Increasing Cyber Threats
As the industry adopted more digital technologies and connected systems, the risk of cyber threats increased. There was a clear need for a standardized approach to protect systems, sensitive information, and intellectual property effectively. Automotive manufacturers such as Toyota have been impacted by significant cyberattacks against suppliers. In late 2024, a ransomware attack against Jaguar Land Rover halted global vehicle production for nearly 40 days, underscoring how a single breach can cascade across an entire manufacturing operation.
Regulatory Compliance
Automotive suppliers operating in the EU now face obligations under the EU NIS2 Directive, which introduces stricter cybersecurity requirements across supply chains and places direct and indirect obligations on every tier of the supplier ecosystem. Notably, an analysis by ENX’s expert working groups confirmed that organizations achieving TISAX compliance under the ISA 6.0 catalog are well-positioned to meet the core requirements of NIS2, including risk management, incident response, supply chain security, governance, and technical safeguards.
TISAX aims to harmonize information security assessments, reduce the audit burden on suppliers, and ensure that all participants in the automotive supply chain adhere to high security standards. Note that country-specific reporting obligations may require additional steps beyond TISAX.
TISAX Information Security Controls and Reporting
Currently on version 6.0.3, the TISAX Information Security Assessment (ISA) evaluates 80 information security, prototype protection, and data protection controls across the following nine (9) control families:
- Infosec Policies & Organization
- Human Resources
- Physical Security
- Identity and Access Management
- IT Security / Cyber Security
- Supplier Relationships
- Compliance
- Prototype Protection
- Data Protection
A completed ISA presents assessment results in a spider diagram, scoring each control sub-family’s maturity level from 0 (low) to 5 (high). Each control is also mapped to equivalent controls in industry standards such as ISO 27001, NIST 800-53, BSI, and others.
TISAX Compliance Requirements
Since it is voluntary, TISAX itself does not impose penalties for non-compliance in the traditional sense of regulatory fines. However, not being TISAX-compliant can have significant repercussions for businesses in the automotive industry, particularly regarding their business relationships and reputation.
For many in the automotive industry, TISAX compliance is equated with the bottom line. Companies achieving TISAX compliance demonstrate their commitment to protecting sensitive information, thereby enhancing trust among business partners, mitigating risks associated with cyber threats and regulatory non-compliance, and improving revenue, new client acquisition, and existing client retention. The automotive industry strongly incentivizes TISAX, making it nearly essential for companies that want to stay competitive and secure in the sector.
To become TISAX compliant, organizations in the automotive industry must meet several requirements, which are based on the VDA ISA (Information Security Assessment) catalog. This catalog adapts the ISO/IEC 27001 standard to the specific needs of the automotive industry.
Key requirements and steps involved in achieving TISAX compliance include the following.
- Define the scope of the assessment, identifying which parts of the organization and which processes need to be evaluated based on TISAX standards.
- Perform a self-assessment using the VDA ISA questionnaire. This step involves evaluating current practices and policies against TISAX standards to identify gaps.
- Implement necessary controls to address gaps and meet the required standards. This may include enhancing IT security measures, updating policies, and ensuring proper data handling practices.
- Engage an ENX-accredited auditor to perform the official audit and an onsite visit to verify that all TISAX requirements are being met. This includes reviewing documentation, interviewing staff, and inspecting physical and IT security measures.
- Conduct remediation if the audit identifies any areas of non-compliance. After remediation, a follow-up audit might be required to confirm compliance.
- Receive a TISAX label upon a successful assessment. The label is valid for three years and is registered in the ENX TISAX portal and can be shared with clients and partners to prove compliance.
- Regularly review and update security practices and undergo re-assessment every three years or sooner if significant changes occur in their business or IT environment.
These steps ensure that a company meets TISAX standards during the audit and continuously commits to maintaining these standards.
Five Best Practices to Simplify TISAX Compliance
It can be a complex and time-consuming process to identify compliance requirements, collect and analyze the required data, and act on it to avoid a negative compliance finding. Follow these five best practices to simplify the process.
1. Define organizational risk management processes
Build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management (C-SCRM) program in line with your broader information security and governance, enterprise risk management, and compliance programs. Seek out experts who can collaborate with your organization on:
- Defining TPRM and C-SCRM processes and solutions
- Selecting risk assessment questionnaires and frameworks to benchmark results against (e.g., a TISAX-specific assessment or a more general ISO 27001 assessment)
- Optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding – according to your organization’s risk appetite
- Establishing clear roles and responsibilities (e.g., RACI) across the organization
- Implementing risk scoring and thresholds based on your organization’s risk tolerance
2. Profile and tier all suppliers
Build a centralized supplier inventory by importing suppliers via a spreadsheet template or through an API connection to an existing procurement or supply chain solution. Teams throughout the enterprise should be able to populate key supplier details with a centralized intake form and associated workflow tasks. This should be available to everyone via email invitation, without requiring any training or solution expertise.
As all suppliers are reviewed, teams should create comprehensive supplier profiles that contain all documentary evidence related to the TISAX assessment, plus insights into a supplier’s demographics, ESG scores, recent business and reputational insights, data breach history, and recent financial performance. This will add needed context for audit processes.
Part of the profiling process is identifying fourth-party and Nth-party suppliers in your supplier ecosystem as critical dependencies can impact tiering decisions. Conduct a questionnaire-based assessment of your suppliers or passively scan the supplier’s public-facing infrastructure. The resulting relationship map should depict extended dependencies that could expose your organization to risk.
Finally, quantify inherent risks for all suppliers to effectively tier suppliers, set appropriate levels of further diligence, and determine the scope of ongoing assessments. Criteria used to calculate inherent risk for supplier tiering can include:
- Criticality to business performance and operations
- Location(s) and related legal or regulatory considerations (e.g., GDPR)
- Interaction with protected data
3. Evaluate suppliers against TISAX requirements
Leverage a supplier’s TISAX risk assessment, ISO 27001, NIST 800-53, or other industry standard assessment that can be easily mapped to TISAX requirements. Incorporate the assessment into a central supplier risk management platform, and use workflow automations, task management, and automated evidence review capabilities to evaluate supplier maturity scores. As well, assessment results should be presented in a central risk register that enables you to quickly visualize, sort, and pinpoint the most important risks.
4. Remediate findings
Importantly, suggest remediations for low maturity supplier controls that exceed the risk appetite for the organization. TPRM solutions should include built-in remediation recommendations based on risk assessment results to ensure that your suppliers address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.
5. Continuously monitor suppliers for threats
Continuously track and analyze external threats to suppliers. As part of this, monitor the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources typically include:
- Criminal forums; onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
- Databases containing several years of data breach history for thousands of companies worldwide
All monitoring data should be correlated with assessment results and centralized in a unified risk register for each supplier, streamlining risk review, reporting, remediation, and response initiatives.
Once all assessment and monitoring data is correlated into a central risk register, apply risk scoring and prioritization according to a likelihood and impact model. This model should frame risks in a matrix, so you can easily see the highest-impact risks and prioritize remediation efforts accordingly. Assign owners and track risks and remediations to a level acceptable to the business.
Next Steps for TISAX Compliance
The Mitratech’s Third-Party Risk Management Platform offers a central, automated solution for scaling third-party risk management and cybersecurity supply chain risk management in concert with your broader cybersecurity and enterprise risk management program. With Mitratech, your team can:
- Build a centralized supplier inventory with comprehensive risk profiles that can be accessed by multiple teams throughout the enterprise
- Gauge inherent risk to inform supplier profiling, tiering, and categorization – and determine the appropriate scope and frequency of ongoing due diligence activities
- Automate risk assessments and remediation across every stage of the third-party lifecycle
- Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities
Contact our team to determine how your TPRM policies stack up to TISAX requirements. Book your tailored demo today.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management, Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.
