TISAX (Trusted Information Security Assessment Exchange) was established by VDA in 2017 to replace fragmented, OEM-specific supplier audits with a single, mutually recognised assessment exchange. Rather than undergoing repeated individual audits from every OEM customer, suppliers complete one TISAX assessment and then share the result via the ENX portal with each OEM or Tier 1 partner they choose to grant access, as many times as needed during the label's validity.
Our teams across the US, UK, Singapore, and India support clients through every timezone and regulatory context.
The automotive industry runs on trust, and in Germany that trust is verified through TISAX. The Trusted Information Security Assessment Exchange (TISAX) is the automotive sector's dedicated framework for assessing information security and exchanging assessment results across the supply chain. Developed by the German Association of the Automotive Industry (VDA) on the basis of the VDA ISA catalogue and operated by ENX Association, a valid TISAX label has become the de facto mandatory gateway for any supplier, technology partner, or service provider seeking to do business with OEMs including Volkswagen Group, BMW Group, Mercedes-Benz, Stellantis, and their Tier 1 networks.
VISTA InfoSec delivers structured TISAX consulting services across Germany — from initial VDA ISA gap assessment and assessment level scoping through to full audit preparation, ENX portal registration, and post-assessment label maintenance. Our consultants bring hands-on experience across automotive supplier environments in Stuttgart, Munich, Wolfsburg, Ingolstadt, and beyond, ensuring your organisation achieves the correct TISAX label for your OEM requirements — on schedule and without avoidable findings.
Unlike generic ISO 27001 consultants who occasionally advise on TISAX, our team specialises in the VDA Information Security Assessment (VDA ISA) catalogue, the ENX assessment process, and the practical security challenges facing automotive suppliers — from prototype data protection and connected vehicle data to shared development environments and cross-border data exchange with OEM procurement portals.
✔ Mandatory for all VW Group, BMW, Mercedes-Benz, and Stellantis suppliers handling sensitive information, prototype data, or personal data — without a valid TISAX label, supplier contracts are routinely withheld or terminated
✔ Based on the VDA ISA catalogue, a purpose-built assessment questionnaire with separate sections for information security, prototype protection and data protection. Each control states concrete requirements, distinguishes what is expected for "high" and "very high" protection needs, and is rated on a maturity scale, which makes it considerably more prescriptive than an ISO 27001 Statement of Applicability on its own
✔ Three assessment levels (AL1, AL2, AL3) with increasing rigour — your required level is determined by the sensitivity of the information you handle, not your own preference
✔ Assessment results shared via ENX portal — one successful assessment serves multiple OEM customers simultaneously, eliminating repeated supplier audits across the German automotive industry
✔ Three-year validity with no surveillance audits: TISAX labels expire three years after the assessment and can only be renewed through a fresh assessment, so the ISMS must be maintained continuously rather than repaired in the months before renewal
✔ Prototype protection and data protection are separate assessment objectives with their own catalogue sections: suppliers handling physical prototypes, or processing personal data on behalf of an OEM, are assessed against additional controls beyond the information security catalogue, and the resulting labels are granted per objective
Your required TISAX assessment level is dictated by your OEM customer based on the sensitivity of the information assets you handle. Understanding the differences upfront prevents scope misalignment and wasted effort — two of the most common and costly mistakes in TISAX engagements.
AL1 is a self-assessment only. It applies to information with a normal protection need; the audit provider checks that a completed VDA ISA self-assessment exists but does not verify its content. Because of this low level of assurance, most OEMs do not accept AL1 results.
AL2 applies to information with a "high" protection need, such as confidential development data, CAD designs, engineering specifications and confidential OEM business information. The audit provider performs a plausibility check of your self-assessment, reviews evidence and interviews the people responsible for each control, usually remotely; an on-site inspection is not mandatory at this level. AL2 is the most commonly requested level across the supply chain.
AL3 applies to information with a "very high" protection need and to all prototype protection objectives (prototype parts and components, prototype vehicles, test vehicles, and events involving prototypes). The audit provider conducts a comprehensive on-site inspection with document review and interviews. Suppliers physically handling pre-production vehicles or components under embargo, or holding strictly confidential OEM development data, are typically required to achieve AL3, the most demanding TISAX level.
A structured, milestone-driven programme that takes your organisation from initial scoping through ENX registration, VDA ISA gap closure, assessment readiness, and label attainment — without costly surprises or timeline overruns.
We review your OEM customer requirements, identify the assessment level (AL1/AL2/AL3) each of them implies, and define your assessment scope and objectives, including prototype protection and data protection objectives where you handle prototypes or personal data, and the sites, networks and shared development environments that belong in scope.
Structured assessment of your current information security posture against the full VDA ISA catalogue. Every control objective is evaluated, gap-rated, and mapped to a prioritised remediation roadmap — in German and English, presented in ENX-aligned format.
We guide you through ENX portal registration, scope definition, and selection of an ENX-accredited TISAX assessment provider. Understanding the differences between assessment providers — and how to engage them effectively — materially affects your assessment outcome.
Close identified VDA ISA gaps with practical, auditable controls. Our consultants work alongside your IT, facilities, and operations teams to implement technical and organisational measures that satisfy assessment requirements — without over-engineering controls beyond what your assessment level demands.
We conduct a pre-assessment internal review simulating the ENX-accredited provider's assessment methodology. Evidence packages are prepared, staff are briefed, and residual gaps are closed before your formal TISAX assessment date — eliminating costly finding surprises.
TISAX labels are valid for three years. We provide ongoing ISMS maintenance, annual internal reviews, change management advisory, and full renewal support — ensuring your TISAX label remains valid and your OEM relationships remain protected throughout the label lifecycle.
TISAX is not a standard audit — it is an automotive-specific assessment that rewards deep domain knowledge. Here is why 400+ automotive suppliers across DACH and beyond trust VISTA InfoSec to guide their TISAX journey.
Our consultants are trained specifically on the VDA ISA catalogue and ENX assessment methodology — not generalist ISO 27001 auditors who treat TISAX as an add-on. This distinction is what separates a first-time pass from a findings-heavy audit report.
We do not conduct formal TISAX assessments — that is reserved for ENX-accredited providers. This independence means our readiness assessment identifies every real gap without conflict of interest, giving you an honest view of your preparation before the formal assessment.
Our AuditFusion360 programme maps TISAX VDA ISA controls to ISO 27001, GDPR, and NIS2 simultaneously — one structured engagement, multiple compliance outcomes, with proven cost savings of 25–40% compared to running each programme independently.
Offices in the US, UK, Singapore, and Mumbai. Our TISAX methodology is built around German OEM supplier requirements, ENX portal workflows, and the specific information security challenges facing automotive supply chains operating across multiple countries.
We work alongside your IT, HR, facilities, and legal teams to implement controls that are achievable, auditable, and sustainable within your operational reality. Every recommendation is grounded in the actual demands of your automotive environment — in German and English.
AL3 prototype protection requirements demand specialist knowledge beyond standard information security, and connected vehicle data brings its own governance challenges. Our consultants have supported suppliers through the physical security, media handling, and data governance challenges unique to automotive prototype environments.
Every service your automotive supplier organisation needs to achieve, demonstrate, and sustain a valid TISAX label in Germany — delivered by VDA ISA specialists across Munich, Stuttgart, Wolfsburg, Frankfurt, and beyond.
Structured evaluation of your information security posture against all applicable VDA ISA control objectives. Risk-rated gap report issued before remediation begins — giving you a realistic picture of effort, cost, and timeline for TISAX label attainment at your required assessment level.
Full internal readiness assessment simulating ENX-accredited provider methodology. We review your evidence packages, stress-test your controls, brief your audit-facing teams, and close residual gaps — ensuring your formal TISAX assessment is a confirmation of readiness, not a discovery of weaknesses.
Many automotive SME suppliers lack in-house information security expertise. VISTA InfoSec serves as your embedded ISMS Manager — designing, implementing, and maintaining your information security management system to VDA ISA standards, with ongoing label maintenance included as standard.
Comprehensive information security policy and procedure development aligned with VDA ISA requirements. All documentation is drafted in German and English so that your assessment provider and German OEM reviewers can work in either language, including information security policies, asset inventories, risk treatment plans, and scope statements.
ENX portal registration, assessment scope definition, assessment provider selection, and scheduling — managed on your behalf. First-time TISAX participants frequently underestimate the administrative complexity of the ENX process. We eliminate that risk with an experienced hand guiding every step.
For suppliers subject to overlapping compliance requirements, AuditFusion360 maps VDA ISA controls to ISO 27001 Annex A, GDPR Art. 32, and NIS2 risk management simultaneously. Evidence is collected once and applied across all frameworks — reducing compliance costs by up to 40%.
Speak with a certified TISAX consulting specialist who has guided 400+ automotive suppliers through successful TISAX audit and certification. We offer a commitment-free initial scoping call — no generic sales pitch, no obligation.
Our automotive information security consultants answer the questions German suppliers ask most often before beginning their TISAX journey — from assessment level selection to ENX portal navigation and OEM label sharing.
No — TISAX and ISO 27001 are related but distinct. While both address information security management, TISAX is purpose-built for the automotive supply chain, uses the VDA ISA assessment catalogue, and produces a shared label on the ENX portal rather than a publicly held certificate. ISO 27001 certification demonstrates general ISMS maturity but does not satisfy TISAX requirements. Many OEMs explicitly require a TISAX label — not an ISO 27001 certificate — as a contractual condition. Our AuditFusion360 programme can deliver both simultaneously, maximising investment efficiency.
Your required assessment level is determined by your OEM customer, based on the protection need of the information you access, process, or store on their behalf. AL2 applies to information with a "high" protection need, and AL3 to "very high" protection need and to all prototype protection objectives; AL1 is a bare self-assessment for normal protection needs that most OEMs do not accept. If you have received a TISAX request from an OEM without a specified level, our consultants can review your information handling activities and provide a clear level recommendation before any ENX registration takes place.
Formal TISAX assessments may only be conducted by ENX-accredited assessment providers. VISTA InfoSec is not an ENX-accredited provider — and by design, we maintain that independence to serve as your unbiased preparation partner. We conduct comprehensive gap assessments, mock audits, and readiness preparation, then support you through the formal assessment process with your chosen ENX-accredited provider. This approach eliminates the conflict of interest that exists when a consultant both prepares and assesses the same organisation.
TISAX labels are valid for three years from the date of successful assessment. Before expiry, organisations must complete a fresh TISAX assessment to maintain an active label on the ENX portal. Without a current label, OEMs typically suspend information sharing and may trigger contract reviews. Our ongoing ISMS management service ensures your information security programme remains assessment-ready throughout the three-year cycle, making renewal assessments predictable rather than reactive.
Yes. TISAX requirements apply based on the OEM relationship and the information handled — not the supplier's country of registration. Suppliers based in the UK, France, Japan, South Korea, the US, India, and elsewhere regularly undergo TISAX audit and certification to satisfy German OEM contractual requirements. VISTA InfoSec's global presence across the US, UK, Singapore, and India enables us to support international suppliers through TISAX preparation regardless of their home jurisdiction.
TISAX and GDPR overlap significantly for suppliers handling personal data on behalf of OEM customers. The VDA ISA data protection section is written around the processor obligations of Art. 28 GDPR, and the information security controls covering access management, encryption and incident response align closely with the technical and organisational measures required by Art. 32. A mature TISAX programme therefore provides documented evidence of appropriate data protection controls. Our AuditFusion360 programme maps VDA ISA evidence to GDPR requirements simultaneously, avoiding duplicated effort and ensuring both compliance obligations are satisfied through a single structured engagement.
VISTA InfoSec LLC,347 Fifth Ave,
Suite 1402-526, New York, NY 10016
© Copyright 2026. VISTA InfoSec. All Rights Reserved.