TISAX

Trusted Information Security Assessment Exchange

Automotive industry information security assessment based on ISO 27001, required by major OEMs for supply chain partners.

"Automotive Supply Chain Security Certification"

What Is TISAX?

TISAX (Trusted Information Security Assessment Exchange) is the automotive industry’s information security certification program, managed by the ENX Association. It’s based on the VDA Information Security Assessment (VDA ISA), which builds on ISO 27001 with automotive-specific requirements including prototype protection and data privacy. Major OEMs, including VW Group, BMW Group, and Daimler, now require TISAX certification from suppliers before sharing sensitive project data.

If your company is in the automotive supply chain and handles confidential OEM data, development documentation, or prototype information, TISAX isn’t a nice-to-have. It’s a condition of doing business. The TISAX mechanism works through the ENX portal: suppliers complete an assessment with an ENX-accredited auditor, and results are shared exclusively with the OEM partners who need them. The confidential exchange model means your assessment results aren’t public — they’re shared only with the specific OEM partners you authorize.

Southern California’s automotive technology cluster — EV component manufacturers in the Inland Empire, software suppliers in Orange County and Los Angeles, and aerospace-adjacent tier-1 integrators — is increasingly engaged with OEM relationships that require TISAX. As supply chains grow more software-intensive, the information security requirements flow down further into the supplier base.

Why Choose AdVran for TISAX?

TISAX certification is required by major automotive OEMs (VW, BMW, Mercedes-Benz) for supply chain partners handling confidential project data. Based on the VDA ISA, it extends ISO 27001 with automotive-specific requirements that general IT security programs don’t address.

The VDA ISA questionnaire covers over 70 controls across multiple categories, rated for maturity from 0 (not implemented) to 3 (fully implemented and measurable). Most OEM contracts require a minimum maturity of 2 or 3 across relevant control domains. Getting to maturity 2 requires documented processes and evidence that controls are actually operating — not just policies on paper.

1. VDA ISA Assessment Preparation

We prepare your IT environment for the VDA Information Security Assessment, setting up controls across all assessment modules: information security management, prototype protection, and data privacy. We run a pre-assessment against the VDA ISA criteria to identify gaps before the formal auditor engagement, so you don’t discover deficiencies during the assessment.

2. ISO 27001-Aligned Security Foundation

TISAX builds on ISO 27001. We configure the Information Security Management System (ISMS) foundation that satisfies both standards at once, so you’re not running duplicate compliance programs. Organizations already holding ISO 27001 certification typically find TISAX gap closure achievable with focused work on automotive-specific modules rather than rebuilding the entire program.

3. Prototype Protection Controls

For organizations handling physical or digital prototype data, TISAX requires enhanced security controls beyond standard information security management:

  • Physical security for prototype storage areas, including access controls, monitoring, and visitor management
  • Digital controls for prototype CAD files, vehicle specifications, and development data — including DRM, access logging, and transmission controls
  • Employee handling procedures for prototype photography, data transmission, and third-party disclosure
  • Contracts with sub-suppliers who have access to prototype information

The “Proto” label requirements are among the most operationally demanding in TISAX. Our network infrastructure services and physical security recommendations address both the technical and procedural controls.

4. Data Privacy Module

TISAX’s data privacy module covers GDPR-aligned requirements for personal data handling: employee data, customer data, and test subject data collected during development programs. For California suppliers, GDPR privacy controls align with California’s own privacy requirements, reducing duplicated effort. Our compliance and risk management services address both GDPR and California privacy requirements together.

5. ENX Portal Registration and Exchange

We support your TISAX registration through the ENX portal and results sharing with OEM partners. The portal manages which OEM partners can access your assessment results — you control the sharing, not the auditor. We coordinate the registration process, assessment scheduling, and results publication to keep your TISAX status current and accessible to the partners who need it.

TISAX Assessment Labels

TISAX assessments produce results for specific labels based on what your OEM customer requires:

| Label | Scope | Typical OEM Requirement |
| --- | --- | --- |
| Info Normal | Standard information security for business confidential data | Tier-2 suppliers with limited OEM data access |
| Info High | Enhanced controls for highly confidential vehicle development data | Tier-1 suppliers with direct project data access |
| Info Very High | Maximum controls for highly sensitive strategic data | Suppliers handling platform or M&A data |
| Proto | Prototype protection in addition to information security | Physical prototype data, CAD models, test data |
| Data | Data privacy for personal data processing | Suppliers processing employee or customer personal data |
| DSGVO/GDPR | Full GDPR compliance evidence | European OEM programs with GDPR requirements |

Most California automotive technology suppliers need at minimum “Info High” and frequently “Proto” labels when working with vehicle program data.

Frequently Asked Questions About TISAX Compliance

Who must comply with this regulation?

TISAX applies to automotive supply chain partners that handle confidential OEM information: development data, vehicle specifications, personal data from customers or employees, and prototype documentation. Southern California’s automotive technology sector — EV component manufacturers, software suppliers, and tier-1 system integrators — increasingly faces TISAX requirements as OEM relationships deepen. TISAX requirements typically flow down when a supplier gains access to confidential project data, not just commodity component orders.

What are the key security requirements?

TISAX assessments cover information security management (based on VDA ISA, aligned to ISO 27001), prototype protection controls for organizations handling physical or digital prototype data, and data protection requirements under GDPR. The specific assessment scope depends on the label your OEM customers require: Info, Proto, or Data. We configure and manage the controls for each label type, with continuous monitoring to maintain maturity levels between reassessments.

What are the consequences of non-compliance?

Without a valid TISAX assessment result, automotive suppliers typically can’t receive confidential OEM project data or participate in new program development. OEM procurement teams verify TISAX status before awarding supplier contracts. The business consequence is direct: no current TISAX result, no access to confidential project data, no new program awards.

How does AdVran help businesses achieve and maintain compliance?

We start with a gap assessment against the VDA ISA requirements, then configure controls through managed services, coordinate with your chosen TISAX auditor, and maintain compliance documentation between reassessments. TISAX results are valid for three years, but OEM relationships require demonstrated continuous compliance, not just a current certificate. Our team has experience working with manufacturing and automotive clients through TISAX assessments and OEM due diligence processes.

How does this framework interact with other compliance requirements?

TISAX’s ISO 27001 foundation means organizations holding ISO 27001 certification have significant overlap already addressed. GDPR requirements embedded in TISAX assessments align with California privacy obligations. UNECE WP.29 adds cybersecurity requirements for connected vehicle systems that complement TISAX’s supply chain information security requirements. Our multi-framework approach maps controls across all applicable frameworks at once.

Automotive technology suppliers commonly operate under multiple overlapping requirements. UNECE WP.29 (UN R155) requires vehicle manufacturers to operate a Cybersecurity Management System and extends security requirements to their supply chains — TISAX and WP.29 controls overlap significantly for vehicle software and connected component suppliers. ISO 27001 is the ISMS foundation that TISAX builds on; dual certification is common and achievable with a unified compliance program. IEC 62443 applies to industrial control systems and operational technology in manufacturing environments. GDPR/CCPA privacy requirements intersect with TISAX’s data privacy module for organizations processing personal data from employees or customers.

Common Questions About TISAX Compliance

Don't see yours? Call (714) 694-4573 or email contact@advran.com.

What is TISAX and who needs to comply?

Automotive industry information security assessment based on ISO 27001, required by major OEMs for supply chain partners.

How does AdVran help with TISAX compliance?

AdVran provides end-to-end TISAX compliance management, including gap assessment, control implementation, continuous monitoring, evidence collection, and audit coordination. Our team handles the technical complexity so you can focus on your business.

How long does it take to achieve TISAX compliance?

Timeline depends on your current security posture and the scope of required controls. Most organizations achieve initial compliance within 3-6 months with AdVran's guidance. We provide a detailed timeline during our initial assessment.

What happens if we fail a compliance audit?

AdVran conducts pre-audit readiness assessments to identify and resolve gaps before the official audit. If issues are found during an audit, we provide immediate remediation support and work with auditors to address findings.