Implementing TISAX in your organisation: a practical guide for automotive suppliers
Pressure from car manufacturers and major integrators to strengthen information security has led TISAX (Trusted Information Security Assessment Exchange) to become practically a “ticket of entry” into the European automotive supply chain.
For many Portuguese companies, the question is no longer “if” they will have to implement TISAX, but “when” and “how” to do so efficiently and in line with their business.
In this article, I explain in practical terms what TISAX is, how it relates to ISO 27001, and what steps are essential to prepare your organisation for a successful assessment.
1. What is TISAX?
TISAX is a mechanism for assessing and sharing information security results, developed specifically for the automotive sector. It is managed by the ENX Association on behalf of the German automotive industry association (VDA – Verband der Automobilindustrie).
Instead of each manufacturer requiring its own audits of each supplier, TISAX creates a central platform where:
- companies are assessed by recognised auditors,
- they obtain a “TISAX label” with a specific assessment level/objective,
- and they share this result with various business partners, avoiding duplicate audits.
It is important to note that we are talking about a “TISAX label”, not a traditional ISO certification. The standard is based on the VDA ISA (Information Security Assessment) catalogue, which is built on ISO/IEC 27001 and 27002 but adapted to the automotive context (protection of prototypes, tests, events, etc.).
2. TISAX vs. ISO 27001: competitors or complementary?
For many organisations, the question is: “If I already have ISO 27001, do I need TISAX?”
The short answer is: probably yes, if you want to work or continue working with certain OEMs or major automotive suppliers.
- ISO 27001 defines the requirements for an Information Security Management System (ISMS).
- TISAX uses this foundation but translates it into sector-specific requirements and assessment objectives, including:
  - protection of prototypes and test vehicles;
  - security of facilities and test tracks;
  - secure management of development and production data;
  - additional requirements associated with “high” and “very high” protection levels.
In practice:
- if you already have ISO 27001, you have an excellent foundation and the TISAX project will be an “adjustment and extension”;
- if you do not already have one, the implementation of TISAX can (and should) be approached as an ISMS aligned with ISO 27001, so as not to “build everything twice”.
3. Starting point: clarifying requirements and maturity
Before launching a “mega-project,” it is crucial to answer three simple questions:
- Which customers request TISAX – and with what requirements?
  Normally, the OEM or customer specifies:
  - the TISAX assessment objectives (TISAX Assessment Objectives / Labels);
  - the assessment level (AL2 – remote document assessment; AL3 – assessment with on-site visits).
- What is the relevant scope?
  - country(ies), locations, engineering centres, critical partners;
  - processes (development, prototyping, testing, production, shared services);
  - critical information systems and applications.
- What is the current maturity of information security?
  - Are there already security policies, access management and incident management in place?
  - Are there records and evidence, or is everything “informal”?
An initial gap analysis against the VDA ISA (or against your current ISO 27001) is the logical starting point.
4. Seven steps to implement TISAX in practice
Step 1 – Define the TISAX scope
The scope is the ‘boundary’ of the assessment. It must be very well thought out, because it affects:
- the implementation effort,
- the cost of the assessment,
- and the value for your customers.
It usually includes:
- legal entities involved (company A, subsidiary B, etc.);
- physical locations (headquarters, R&D centre, factory, testing laboratory);
- processes and services (development, prototyping, IT services, etc.);
- relevant information systems.
This definition is subsequently recorded on the ENX portal as the scope of the assessment.
Step 2 – Establish the project and governance team
TISAX is not an “IT-only” project. It involves people, processes and technology.
Typically, there should be:
- a top-level sponsor (General Management/Administration);
- an information security officer (CISO, IT Manager, or equivalent);
- representatives of:
  - IT/Infrastructure;
  - Engineering/Operations;
  - Human Resources;
  - Legal/Contracts;
  - Data Protection (DPO) – to align with GDPR;
  - Suppliers/Purchasing (when critical services are outsourced).
Define right away:
- the security committee;
- roles and responsibilities;
- the meeting schedule and reporting.
Step 3 – Map controls based on VDA ISA / ISO 27001
The next step is to ‘translate’ the VDA ISA into the reality of your company. In practical terms:
- Create a control matrix with:
  - the relevant VDA ISA clauses / ISO 27001 controls;
  - the internal processes affected;
  - the person responsible for each measure.
- Prioritise controls in typical areas such as:
  - governance and policies (security policy, information classification);
  - asset and access management;
  - physical and environmental security;
  - security in development and testing;
  - backup, continuity, and recovery;
  - security incident management;
  - supplier and contract security;
  - specific prototype and testing requirements (where applicable).
Step 4 – Implement priority technical and organisational measures
With the gap matrix defined, it is time to execute.
Some examples of measures that recur frequently in TISAX projects:
- reinforcement of physical access controls (turnstiles, visitor registration, segregated areas);
- improvement of logical access controls (MFA, privilege management, periodic access review);
- encryption of data at rest and in transit;
- formal vulnerability management and patching procedures;
- clear policies and procedures for:
  - information classification;
  - remote work and use of mobile devices;
  - management of information media (USB, external drives, etc.);
- contracts and NDAs tailored to prototypes and confidential information.
The goal is not to achieve “perfection,” but rather consistent and demonstrable maturity (with evidence) in the relevant domains.
Step 5 – Document processes and evidence
In a TISAX project, anything that is not documented “does not exist” in the eyes of the auditor.
It is essential to produce and maintain:
- policies approved by management;
- operational procedures (e.g., incident management, access management, onboarding/offboarding);
- records:
  - access logs;
  - vulnerability reports;
  - training records;
  - minutes of security committee meetings;
  - continuity test records.
The TISAX handbook itself emphasises the need for process documentation and evidence of implementation to demonstrate the maturity level of the ISMS.
Step 6 – Registration on the ENX portal and selection of the auditor
With the ISMS reasonably structured, it is time to:
- Register the organisation on the ENX portal and define:
  - company data;
  - the scope of the assessment;
  - the TISAX objectives and desired level.
- Select an ENX-approved audit provider. There are several bodies (TÜV, SGS, etc.) authorised to conduct TISAX assessments and issue the respective label.
- Agree with the auditor:
  - scheduling;
  - the type of assessment (AL2 – remote; AL3 – with on-site visits);
  - working languages;
  - the locations included.
Step 7 – Prepare and conduct the TISAX assessment
In terms of auditing, the TISAX process has two main phases: preparation and assessment.
Preparation:
- conduct a detailed self-assessment using the VDA ISA questionnaire;
- validate responses and associated evidence internally;
- ensure that all documentation is consolidated and easily accessible;
- prepare the teams that will interact with the auditor (briefings, mock interviews).
Assessment:
- interviews with managers and operational teams;
- detailed document analysis;
- on-site verification (AL3): facilities, physical controls, procedures in place;
- identification of non-conformities and recommendations.
After the assessment is completed, the TISAX report is issued and – if the result is positive – the TISAX label is registered on the ENX portal to be shared with your partners.
5. Best practices and mistakes to avoid
Best practices:
- Treat TISAX as a business project, not just an IT project.
- Leverage synergies with ISO 27001, GDPR, and other compliance requirements.
- Maintain an internal communication plan so that employees understand the “why” behind the changes.
- Invest in ongoing training in information security and awareness.
Common mistakes:
- Starting with the checklist without an overall view of risks and priorities.
- Setting an overly ambitious scope (everything and anything) and making the project unaffordable.
- Leaving documentation and evidence until the day before the audit.
- Viewing TISAX as a one-off event rather than a cycle of continuous improvement.
6. How iCompliance can support your TISAX implementation
The implementation of TISAX requires coordination, experience, and method. iCompliance can provide support on several fronts, namely:
- gap assessment of your current situation against TISAX/ISO 27001;
- definition of scope and assessment objectives;
- design and implementation of policies, procedures and records;
- integration with GDPR and data protection requirements (in conjunction with iPrivacy.eu);
- preparation of the organisation for the audit (simulated interviews, review of evidence);
- use of platforms such as iComply.pt to manage tasks, risks, corrective actions, and evidence in a centralised manner.
If you are assessing the need to obtain a TISAX label or already have specific customer requirements, we can help you structure a phased implementation plan that is realistic and aligned with your business.
7. Next steps
If your company:
- works in the automotive sector (or wants to enter it);
- receives requests for the “TISAX label” from OEMs or major suppliers;
- or wants to strengthen the credibility of its information security,
then it makes sense to start now:
- identify customer requirements and the likely scope;
- perform an initial diagnosis in accordance with VDA ISA/ISO 27001;
- define a TISAX plan for the next 6–12 months.
To help you get started, download a summary checklist for TISAX implementation in PDF format. To do so, request it in the comments section below this article.