Frequently Asked Questions

Question 1

What is TISAX and why is it important?

Accepted Answer

TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange mechanism for information security in the automotive industry, developed by the ENX Association on behalf of the German Association of the Automotive Industry (VDA). It is based on the VDA ISA (Information Security Assessment) catalog, which builds on ISO 27001 requirements but adds automotive-specific criteria for prototype protection and supply chain security. TISAX is mandatory or strongly preferred by major German OEMs including Volkswagen, BMW, Mercedes-Benz, Porsche, and Audi. Without a valid TISAX label, suppliers may be excluded from bidding on contracts or removed from approved vendor lists.

Question 2

How does TISAX differ from ISO 27001?

Accepted Answer

While TISAX is built on ISO 27001 principles and the VDA ISA catalog maps closely to Annex A controls, TISAX includes automotive-specific requirements not covered by ISO 27001 alone. Key differences include: mandatory prototype protection controls for engineering and design data, specific requirements for connecting with third parties in the supply chain, stricter data protection requirements aligned with GDPR, an exchange mechanism that allows OEMs to directly verify your assessment results via the ENX portal, and standardized assessment levels (AL 1-3) that define the depth of audit required. Many organizations pursue both ISO 27001 and TISAX, using ISO 27001 as the foundation and TISAX as the automotive industry-specific overlay.

Question 3

What are the three TISAX assessment levels?

Accepted Answer

TISAX defines three assessment levels: Assessment Level 1 (Normal) involves a self-assessment using a standardized questionnaire and is suitable for lower-risk suppliers with limited data access. Assessment Level 2 (High) requires an on-site audit by an ENX-accredited audit provider evaluating control implementation against VDA ISA requirements — this is the most common level for Tier 1 and Tier 2 suppliers. Assessment Level 3 (Very High) involves an extensive on-site audit with additional evidence review and is required for environments handling highly sensitive data such as prototype designs, autonomous driving algorithms, or direct OEM engineering collaborations. The required level is determined by the OEM based on the sensitivity of data you handle.

Question 4

How long does TISAX compliance take?

Accepted Answer

The timeline for achieving TISAX compliance typically ranges from 4 to 8 months, depending on your starting security maturity, the required assessment level, and the complexity of your organization. Organizations with an existing ISO 27001 certification can often achieve TISAX in 4-5 months by addressing the automotive-specific gaps. Organizations starting from a lower maturity baseline should expect 6-8 months. The process includes scope definition (2-3 weeks), remediation and control implementation (8-12 weeks), internal readiness review (2-3 weeks), accredited audit scheduling and execution (3-6 weeks), and any post-audit remediation before label issuance (2-4 weeks). The resulting TISAX label is valid for 3 years, with annual self-confirmations required.

Question 5

Does TISAX apply to Canadian automotive suppliers?

Accepted Answer

Yes. Any Canadian company that is part of the global automotive supply chain and does business with German OEMs or their Tier 1 suppliers must obtain TISAX certification when contractually required. This applies to Canadian automotive parts manufacturers, engineering firms with German OEM contracts, software companies providing solutions to automotive clients, logistics providers in the North American automotive supply chain, and R&D organizations collaborating on vehicle development. Even if your facility is in Canada, the contractual requirements from German OEMs flow down through the supply chain. GuardsArm helps Canadian automotive suppliers navigate TISAX requirements while aligning them with existing Canadian privacy regulations like PIPEDA and Quebec Law 25.

Question 6

How much does TISAX compliance cost?

Accepted Answer

TISAX compliance costs vary significantly based on organization size, required assessment level, and current security maturity. Typical costs include: consulting and gap analysis ($15,000-$40,000), remediation and control implementation ($25,000-$100,000+ depending on gaps), ENX registration and audit fees ($8,000-$25,000 depending on level and auditor), internal resource time, and ongoing maintenance. For small to mid-sized suppliers, total first-year costs typically range from $50,000-$120,000. Larger organizations or those requiring Assessment Level 3 may invest $150,000-$300,000+. The cost is offset by retained contracts, reduced audit fatigue (one TISAX assessment replaces multiple OEM-specific audits), and improved security posture.

TISAX Compliance Services

What is TISAX?

VDA ISA Based

Global Recognition

Secure Exchange

3-Year Validity

Who Requires TISAX?

TISAX Assessment Levels

Assessment Level 1 — Normal

Assessment Level 2 — High

Assessment Level 3 — Very High

Assessment Scope & Objectives

VDA ISA Control Domains

Information Security Policy

Organization of Information Security

Human Resources Security

Asset Management

Access Control

Cryptography

Physical Security

Operations Security

Communications Security

System Development & Maintenance

Supplier Relationships

Incident Management

Business Continuity

Compliance

Our TISAX Implementation Process

Scope & Gap Analysis

Remediation & Implementation

Internal Audit & Readiness

TISAX Assessment & Exchange

Benefits of TISAX Certification

Industries We Serve

OEMs & Vehicle Manufacturers

Tier 1 Suppliers

Tier 2/3 Suppliers

Engineering & R&D Services

Logistics & Supply Chain

Software & IT Services

Ready to Achieve TISAX Certification?