TISAX · Automotive Information Security

Building Trust Through Information Security in Automotive

TISAX is the automotive industry's shared language for information security. Perseus prepares suppliers and service providers for TISAX — from scoping and gap analysis to pre-assessment and training — so you reach a successful result and can exchange labels with your partners. The formal assessment is conducted by an accredited TISAX audit provider.

The trust standard of the automotive supply chain

Why TISAX

One assessment, many partners

A single TISAX assessment produces labels you can share with every OEM and supplier — no repeating the same audit for each customer.

Built for automotive

Based on the VDA ISA catalogue, TISAX extends ISO 27001 with the prototype-protection and data-protection requirements unique to the industry.

A condition of doing business

OEMs and tier-1s increasingly require valid TISAX labels before sharing confidential data or awarding contracts. No labels can mean no tender.

How TISAX Works

Register · Assess · Exchange

01 · Register

Define your scope and locations on the ENX portal, then select the applicable TISAX labels and assessment level for the data you handle.

02 · Assess

Complete the VDA ISA self-assessment, then undergo the formal assessment by an accredited audit provider — remote or on-site, depending on the level.

03 · Exchange

On a conformant result your labels are published on the ENX portal and shared with the partners you choose. Labels are valid for three years.

Assessment Levels — Matched to Your Protection Needs

Assessment Levels

AL1

Self-Assessment

Self-assessment only

The organisation completes the VDA ISA self-assessment with no third-party verification. Rarely accepted by OEMs on its own.

AL2 (Most common)

Plausibility Check

Remote · evidence + interviews

The audit provider checks the plausibility of your self-assessment through evidence review and an interview. Required for Confidential, High Availability, Test Vehicles, Proto Events and Data labels.

AL2.5

Remote Assessment

Full remote verification

An optional variant of AL2 in which the audit provider fully verifies your ISMS remotely, without on-site activities. Methodically compatible with AL3, so it can be upgraded later with limited extra effort.

AL3

On-Site Audit

Full on-site verification

A comprehensive on-site assessment with physical inspection and process observation. Required for Strictly Confidential, Very High Availability, Proto Parts, Proto Vehicles and Special Data labels.

Ten Assessment Objectives Across Three Modules

Labels

Each label maps to an assessment level. Your customer tells you which labels they require; we help you scope and achieve exactly those.

Information Security

  • Confidential: AL2
  • Strictly Confidential: AL3
  • High Availability: AL2
  • Very High Availability: AL3

Prototype Protection

  • Proto Parts: AL3
  • Proto Vehicles: AL3
  • Test Vehicles: AL2
  • Proto Events: AL2

Data Protection

  • Data: AL2
  • Special Data: AL3

Which Requirements Apply to Each Objective

Applicable Requirements

Every objective maps to an assessment level and one of the three ISA criteria catalogues. This is the scope your self-assessment and the formal assessment are based on.

Assessment objectives and levels, grouped by ISA criteria catalogue:

Information Security criteria

  • Confidential: AL2
  • Strictly Confidential: AL3
  • High Availability: AL2
  • Very High Availability: AL3

Prototype Protection criteria

  • Proto Parts: AL3
  • Proto Vehicles: AL3
  • Test Vehicles: AL2
  • Proto Events: AL2

Data Protection criteria

  • Data: AL2
  • Special Data: AL3

Each objective draws on a specific ISA criteria catalogue and is assessed at the level shown. Most participants combine an Information Security objective with Prototype Protection and/or Data Protection — the applicable requirements are then the union of those catalogues. Within Prototype Protection, physical-security and surrounding-area requirements are not necessarily in scope for Test Vehicles and Proto Events. Source: TISAX Participant Handbook (ISA criteria catalogues; assessment-objective mapping).

What Gets Assessed

VDA ISA Catalogue

TISAX is built on the VDA ISA catalogue — seven core information-security chapters, plus two additional modules for prototype protection and data protection.

  1. IS Policies & Organisation
  2. Human Resources
  3. Physical Security
  4. Identity & Access Management
  5. IT & Cyber Security
  6. Supplier Relationships
  7. Compliance
  8. Prototype Protection (Additional module)
  9. Data Protection (Additional module)

Scored on a 0–5 Maturity Scale

Maturity

  • 0: Incomplete
  • 1: Performed
  • 2: Managed
  • 3: Established (Target)
  • 4: Predictable
  • 5: Optimizing

A maturity level of 3 (Established) is the usual target: a standardised process, deployed organisation-wide and consistently applied.

Assessment Outcomes

Results

Conform

Requirements are met. TISAX labels are issued and published on the ENX portal.

Minor non-conformity

Gaps remain. A corrective action plan is agreed, with up to nine months to remediate before a follow-up.

Major non-conformity

Critical requirements are unmet. Remediation and re-assessment are required before labels can be issued.

Exchange on the ENX portal

Your results live on the ENX exchange platform, where you decide who sees what. Sharing ranges from keeping a result private, to confirming your labels, to granting partners full visibility of your assessment information — so you meet customer requirements without over-disclosing. Labels remain valid for three years.

Your Partner Across the Whole TISAX Journey

How We Help

Perseus is your TISAX preparation and advisory partner — we get you assessment-ready and support you end to end. The formal TISAX assessment itself is conducted by an accredited TISAX audit provider.

Gap Analysis

A structured review of your current posture against the VDA ISA catalogue to pinpoint exactly where you stand and what to fix first.

Pre-Assessment

A dry run of the assessment that surfaces findings early — so there are no surprises when the formal assessment begins.

Consulting & Readiness

Hands-on guidance through scoping, control implementation, evidence preparation, and the ENX registration and exchange process.

Training

Practical courses across TISAX fundamentals, information security, data protection and prototype protection to build lasting in-house capability.

Trusted across the automotive supply chain — from tier-1 and tier-2 suppliers to engineering, IT and logistics providers preparing for OEM requirements.

Frequently Asked Questions

FAQ

TISAX (Trusted Information Security Assessment Exchange) is the automotive industry's standardised information-security assessment and exchange mechanism, based on the VDA ISA catalogue and governed by the ENX Association. Any organisation that handles confidential information from automotive OEMs typically needs TISAX labels — tier-1 and tier-2 suppliers, engineering and IT service providers, and logistics companies. Without valid labels, organisations risk exclusion from tenders and existing contracts.

Ready to Start Your TISAX Journey?

Tell us which labels your customers require and where you operate. We'll scope your TISAX project, run a gap analysis, and prepare you for a successful, shareable result.