Trusted Information Security Assessment Exchange (TISAX)
Trusted Information Security Assessment Exchange(TISAX) is a framework tailored for the automotive industry to ensure the confidentiality, integrity, and availability of sensitive information. It provides a standardized method for assessing and exchanging information security in the automotive supply chain.
Definition and purpose
TISAX was developed by the Association of the German Automotive Industry (VDA) in partnership with an association of European automotive manufacturers, called the European Network Exchange (ENX). It aims to enhance information security in the automotive industry by establishing a common framework for processing sensitive customer data and assessing and managing the security of information exchanged between organizations within the supply chain.
TISAX has multiple purposes, including:
- To facilitate the renewal of existing supplier relations
- To open completely new business connections through industry-wide recognition
- To create price transparency for assessments
- To create competition between audit providers
- To establish a common level of information security in the industry
- To allow common recognition of assessment results
- To save costs and effort with manufacturers and suppliers
TISAX is governed by ENX Association. The association maintains the framework of criteria (“TISAX ACAR”), approves audit providers, and monitors the quality of implementation of the assessment results.
In October 2023, the ENX Association published the latest version of the VDA Information Security Assessment (ISA) catalog. This defines the baseline and best practices for information and cyber security of organizations in the automotive industry and serves as the basis for TISAX assessments
TISAX primarily applies to the automotive industry, encompassing manufacturers, suppliers, and service providers involved in the automotive supply chain.
Controls and requirements
TISAX includes a set of controls and requirements outlined in the VDA Information Security Assessment (ISA) catalog. ISA is based on key aspects of the international standard ISO/IEC 27001 and covers areas like access control, data protection, incident response, and more.
Please refer to the official ISA documentation for a detailed list of controls and requirements.
Audit type, frequency, and duration
A TISAX assessment must be conducted by TISAX audit providers, which are accredited independent assessors. The frequency and duration of the assessment may vary based on factors such as the organization's risk profile and compliance history.