TISAX Compliance

Assessed once.
Recognized everywhere.

TISAX is the automotive industry's standard for information security. If your OEM customers require it, you need it. We guide you from first gap analysis through successful assessment and label exchange — with IT infrastructure that stays compliant long after the auditor leaves.

20,000+ locations certified
3-year label validity
VDA ISA, based on ISO 27001

The automotive industry's trust standard

TISAX (Trusted Information Security Assessment Exchange) is governed by the ENX Association and built on the VDA Information Security Assessment (ISA) catalogue — itself based on ISO/IEC 27001. It provides a standardized way for automotive companies to prove their information security posture to OEM customers and supply chain partners.

Instead of every OEM running their own security audit of every supplier, TISAX lets you get assessed once by an accredited audit provider and share those results with any partner through the ENX Portal. Over 20,000 locations worldwide now hold valid TISAX labels.

Who Needs TISAX?

Tier 1, 2, and 3 automotive suppliers handling OEM data
Engineering service providers with access to design data
IT service providers managing automotive client infrastructure
Logistics providers with access to production schedules
Any company where an OEM customer has requested TISAX

Three levels of assessment depth

Your required assessment level depends on the sensitivity of information you handle. We help you determine the right scope and prepare accordingly.

Level 1

Self-Assessment

Internal self-assessment based on VDA ISA. No external audit required. Suitable for companies handling normal information with lower sensitivity. Results are not shared on the ENX Portal.

Level 2

Normal Assessment

Remote or on-site assessment by an accredited audit provider. Required for handling confidential information, and the most common level for automotive suppliers. The assessment consists of plausibility checks and a review of your evidence.

Level 3

High Assessment

Comprehensive on-site assessment with in-depth verification. Required for strictly confidential information, prototype protection, or data from multiple OEMs. Full evidence audit with interviews and inspection.

What the assessment covers

The VDA Information Security Assessment is structured around key security domains. We help you implement controls across all of them.

Information Security Policies
Key controls: ISMS framework, management commitment, policy documentation
What we do: Draft and implement your full ISMS policy set

Human Resources
Key controls: Security awareness, training, onboarding/offboarding
What we do: Build training programs and procedures

Access Control
Key controls: Identity management, MFA, privileged access, least privilege
What we do: Configure and audit access controls across all systems

Physical Security
Key controls: Facility access, visitor management, clean desk, secure areas
What we do: Assess and recommend physical control improvements

Cryptography
Key controls: Encryption at rest and in transit, key management
What we do: Implement encryption across storage, email, and network

Operations Security
Key controls: Change management, malware protection, logging, monitoring
What we do: Deploy endpoint security, SIEM, and patch management

Network Security
Key controls: Segmentation, firewalls, intrusion detection, remote access
What we do: Design and implement compliant network architecture

Supplier Management
Key controls: Third-party risk, supplier agreements, monitoring
What we do: Establish vendor security assessment processes

Incident Management
Key controls: Response plans, escalation, forensics, lessons learned
What we do: Create and test incident response procedures

Business Continuity
Key controls: BCP, disaster recovery, backup testing
What we do: Design and validate backup and DR strategies

Prototype Protection (if applicable)
Key controls: Physical and digital prototype controls
What we do: Implement secure storage, access logging, and handling procedures

How we get you through the audit

From initial scoping to label exchange on the ENX Portal — we walk with you through every step. No surprises on audit day.

1. Scope & Gap Analysis

We assess your current state against every VDA ISA control. You get a clear report of what's compliant, what's close, and what needs work — with effort estimates for each gap.

2. Remediation Plan

We build a prioritized roadmap to close every gap. Quick wins first, then the structural changes. Policies, technical controls, training — all mapped to your timeline and budget.

3. Implementation

We do the work — deploy technical controls, write policies, configure systems, train staff, and build the evidence documentation the auditor will ask for. Not just consulting. Execution.

4. Pre-Audit Review

Internal mock assessment against the full VDA ISA catalogue. We simulate the audit experience, identify any remaining weaknesses, and ensure your evidence package is complete and organized.

5. Audit Support

We're on-site (or on-call) during your TISAX assessment. We help present evidence, answer technical questions, and coordinate with the audit provider so nothing falls through the cracks.

6. Label & Maintenance

Once you receive your TISAX label, we help you share results on the ENX Portal and maintain compliance through the 3-year validity period. Continuous monitoring, annual reviews, and re-assessment preparation.

Not just consulting.
We do the work.

Most TISAX consultants hand you a gap report and wish you luck. We implement the fixes, build the infrastructure, and sit next to you during the audit.

Gap Assessment

Full VDA ISA-aligned assessment of your current security posture. Every control reviewed, every gap documented, every finding rated by severity and effort. You get a clear picture of exactly where you stand.

Policy & Documentation

Complete ISMS documentation suite — information security policy, acceptable use, access control, incident response, business continuity, data classification, and every supporting procedure the auditor expects to see.

Technical Controls

We deploy the infrastructure: MFA, endpoint detection, network segmentation, encryption, logging, SIEM, patch management, backup systems, and secure remote access. Every control implemented, tested, and documented.

Staff Training

Security awareness programs designed for your team — from shop floor operators to engineering leads to executives. Phishing simulations, role-specific training, and the documented evidence auditors require.

Evidence Package

Organized, audit-ready documentation that maps every VDA ISA control to your implemented solution, supporting evidence, and responsible owner. When the auditor asks "show me," you're ready in seconds.

Ongoing Compliance

TISAX labels are valid for 3 years, but compliance is continuous. We provide ongoing monitoring, annual internal reviews, policy updates, and re-assessment preparation so you never scramble before renewal.

Where most companies get caught

These are the findings we see most often when companies first approach us for TISAX readiness. If any of these sound familiar, you're not alone — and we know how to fix them.

No formal ISMS

Security policies exist informally or not at all. No documented management system, no risk register, no formal review cycle.

Flat networks with no segmentation

OT and IT on the same VLAN. Guest Wi-Fi bridged to the production network. A single firewall between everything and the internet.

No MFA on critical systems

VPN, email, ERP, and admin accounts accessible with passwords only. Single-factor authentication on these systems is a guaranteed finding.

Backups exist but are never tested

Backups run nightly, but nobody has ever tested a restore. No documented recovery time or recovery point objectives (RTO/RPO). No off-site or immutable copies.

No incident response plan

No documented procedure for what happens when a breach occurs. No roles defined, no communication plan, no lessons-learned process.

Security awareness training is a checkbox

Annual compliance slide deck that nobody reads. No phishing simulations, no role-specific content, no evidence of effectiveness.

TISAX questions answered

How long does it take to get TISAX certified?

Typically 4 to 9 months from initial gap analysis to successful assessment, depending on your starting point and required level. Companies with some existing security controls (ISO 27001, SOC 2) can move faster. Companies starting from scratch should plan for the longer end. We'll give you a realistic timeline after the gap assessment.

What's the difference between TISAX and ISO 27001?

TISAX is built on the VDA ISA catalogue, which extends ISO 27001 with automotive-specific requirements — prototype protection, data protection (GDPR), and third-party connectivity controls. Having ISO 27001 gives you a head start, but TISAX requires additional controls and a different assessment process through ENX-accredited audit providers. They're complementary, not interchangeable.

Do we choose our own auditor?

Yes. After registering on the ENX Portal, you select from accredited TISAX audit providers. We can recommend providers we've worked with and help you understand the differences in approach, pricing, and timeline. The results are standardized regardless of which provider you choose.

What if we fail the assessment?

If major non-conformities are found, you'll have a defined period (typically 9 months) to remediate and undergo a follow-up assessment. This is why we conduct thorough pre-audit reviews — we want zero surprises on assessment day. In our experience, proper preparation makes the difference between a clean pass and a costly remediation cycle.

How much does TISAX compliance cost?

Costs vary significantly based on your company size, current security maturity, required assessment level, and number of locations. ENX registration and audit provider fees are separate from implementation costs. We provide transparent estimates after the gap assessment — no hidden fees, no scope creep. The biggest cost driver is usually the gap between where you are today and where you need to be.

Can you help with prototype protection (Assessment Level 3)?

Yes. Level 3 assessments with prototype protection require additional physical and digital controls — secure rooms, camera monitoring, access logging, device restrictions, and strict handling procedures. We design and implement the full control set, including the technical infrastructure and documented procedures auditors review.

What happens after we get the label?

Your TISAX label is valid for 3 years. During that time, you need to maintain your ISMS, conduct internal reviews, and keep controls effective. We provide ongoing managed IT services that keep your infrastructure compliant continuously — so when re-assessment comes around, you're already ready.

Ready to start your TISAX journey?

Book a discovery call and we'll walk through your current state, the assessment level you'll need, and a realistic timeline to get your TISAX label. No pressure, no jargon — just a clear path forward.