TISAX Certification: A Complete Guide for the Automotive Industry (2026)

By Rodrigo 10 March, 2026

If you work in the automotive industry, you have probably heard of the TISAX certification, the information security assessment standard for this sector. Major manufacturers such as Volkswagen, BMW, Mercedes-Benz, Stellantis, and PACCAR increasingly require their suppliers to hold a valid TISAX label before doing business with them.

TISAX is not a legal obligation anywhere in the automotive supply chain. In practice, however, not having it can shut you out of contracts with the biggest Original Equipment Manufacturers (OEMs) in the industry. As a result, TISAX has become the de facto way to prove that your organization handles sensitive automotive data securely.

In this article, we explain what TISAX is, who needs it, what the TISAX requirements are, how the assessment process works, and how Mindsec can simplify and speed up TISAX compliance from beginning to end, saving a significant share of your security budget.

What Is The TISAX Certification?

TISAX stands for Trusted Information Security Assessment Exchange. It’s an information security standard created specifically for the automotive industry. It was established in 2017 by the German Association of the Automotive Industry (VDA) and is managed by the ENX Association.

Before TISAX, every automotive manufacturer had its own security assessment process. Suppliers were audited repeatedly by different OEMs, each with their own criteria. TISAX was created to unify this process into a single, standardized framework that all participants can trust.

The TISAX certification is built on the foundation of ISO/IEC 27001 but adds requirements specific to the automotive sector, such as prototype protection (physical parts, vehicles, test drives, and events), secure handling of design specifications, and the protection of personal data that suppliers process on behalf of OEMs.

Once you comply with the TISAX standard, your results are uploaded to a shared platform managed by ENX. You decide who can see your results. Other registered participants (typically OEMs and Tier 1 suppliers) can then verify your security status without requiring a separate audit.

Just like an ISO 27001 certificate, a TISAX label is valid for three years. Unlike ISO 27001, TISAX has no annual surveillance audits: no auditor revisits you during those three years to keep the label valid. It is still recommended to reassess your information security management system (ISMS) as your organization evolves, since the next assessment will examine what has changed.

Who Needs The TISAX Certification?

TISAX is primarily required for companies in the automotive supply chain that handle sensitive information from OEMs, including:

  • Tier 1, Tier 2, and Tier 3 suppliers that receive confidential design data, production plans, or prototype information from manufacturers.
  • Service providers that support automotive companies with IT services, engineering, logistics, or consulting and have access to sensitive data.
  • Companies handling prototype data (physical or digital), including testing facilities, design studios, and press event organizers that manage pre-release vehicle information.

The requirement typically comes from the OEM or a higher-tier supplier as a contractual condition. In many cases, it’s included in the Request for Quotation (RFQ) process, meaning you can’t even bid on new business without a valid TISAX label.

While the TISAX certification originated in the German automotive market, it has expanded globally. Manufacturers in North America, Asia, and other regions are increasingly adopting it as part of their supplier qualification process.

TISAX Standard Assessment Levels

The TISAX standard defines three assessment levels based on the sensitivity of the information you handle. The level you need depends on what your OEM partner requires:

  • Assessment Level 1 (AL1): Normal protection. You complete the VDA Information Security Assessment (ISA) questionnaire as a self-assessment. The audit provider only checks that the self-assessment exists and is complete; no evidence is verified. Because of this low level of assurance, AL1 results are rarely requested or accepted by OEMs.
  • Assessment Level 2 (AL2): High protection. Your self-assessment is followed by a remote plausibility check conducted by approved TISAX auditors. The audit provider reviews your documentation and evidence and conducts interviews by phone or video. This level is common for suppliers handling confidential (but non-prototype) data.
  • Assessment Level 3 (AL3): Very high protection. A full on-site inspection is conducted by an approved TISAX audit provider. This is the most comprehensive level for the TISAX certification and is typically required for companies handling prototypes, strictly confidential information, or special categories of personal data. Major OEMs most commonly require AL3 when prototypes are in scope.

The level is not chosen directly. When you register, you select assessment objectives (information security at high or very high protection need, prototype protection, and data protection) based on what the OEM requires for your engagement, and each objective maps to an assessment level and to the additional criteria that fall in scope.

TISAX Requirements

TISAX requirements are based on the VDA ISA catalogue, which builds on ISO 27001’s Annex A controls and adds automotive-specific elements. Here’s what you need to cover:

  • Information Security Management System (ISMS). You must implement and maintain an ISMS that can identify and manage risks, establish security policies and procedures, and support regular internal audits. This is the foundation of the TISAX standard.
  • Risk management. Regular risk assessments are required to identify vulnerabilities across your IT systems, processes, and physical infrastructure. You must demonstrate that risks are managed proportionally based on their impact.
  • Access management. Only authorized personnel should have access to sensitive information. This requires identity management, role-based access controls, and regular reviews of access rights.
  • Physical security. Facilities where sensitive data is handled or stored must be physically secured. This includes access controls to buildings, secure areas for prototype handling, and monitoring systems.
  • Incident response. The TISAX certification demands documented procedures for detecting, responding to, and recovering from security incidents. This includes notification processes and post-incident analysis.
  • Business continuity. Plans must be in place to maintain or restore operations in case of disruption. This covers backup management, disaster recovery, and crisis response procedures.
  • Prototype protection. If your scope includes prototypes, you must implement specific controls for secure storage, restricted access, camouflage during transport, and enhanced monitoring of areas where prototype data is handled.
  • Data protection. You must demonstrate compliance with applicable data protection regulations, including secure handling of personal data, employee records, and customer information.
  • Supply chain security. You’re expected to assess and manage risks from your own suppliers and subcontractors. This includes passing contractual security obligations down the chain.
  • Employee training. All staff with access to sensitive information must receive security awareness training. This is not a one-time event but an ongoing requirement.
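The access management requirement above is one of the domains where auditors ask for tangible evidence rather than a policy document: who holds privileged roles, when those rights were last re-certified, whether leavers still have accounts, and whether anyone holds conflicting duties. The following script is an added example written for this article; it is not part of TISAX, the VDA ISA catalogue, or the Mindsec platform. The record layout, the role names, the 90-day re-certification window, and the segregation-of-duties rule are assumptions chosen for the demonstration, and the account data is constructed inline. In practice the same logic would run over exports from your directory and HR system.

```python
"""Access-rights review over a constructed account list (editor's example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set, List, Tuple

# Assumed policy values for the demo, not TISAX-mandated figures.
REVIEW_INTERVAL = timedelta(days=90)                      # privileged access re-certified quarterly
PRIVILEGED_ROLES = {"domain_admin", "cad_vault_admin", "prototype_store"}
# Assumed segregation-of-duties rule: nobody both requests and approves data releases.
SOD_CONFLICTS = [({"release_requester", "release_approver"}, "requests and approves data releases")]


@dataclass
class Account:
    user: str
    roles: Set[str]
    last_review: Optional[date]   # None means the rights were never re-certified
    hr_active: bool               # True if HR still lists the person as employed


def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs an assessor would ask about."""
    findings = []
    for acc in accounts:
        # Leaver with an active account: the classic orphaned-account finding.
        if not acc.hr_active:
            findings.append((acc.user, "orphaned: account active but user has left per HR"))
        # Privileged roles must have been re-certified within the review window.
        privileged = acc.roles & PRIVILEGED_ROLES
        if privileged:
            if acc.last_review is None:
                findings.append((acc.user, f"privileged roles {sorted(privileged)} never re-certified"))
            elif today - acc.last_review > REVIEW_INTERVAL:
                due = acc.last_review + REVIEW_INTERVAL
                findings.append((acc.user, f"privileged review overdue since {due.isoformat()}"))
        # Segregation of duties: flag role combinations the policy forbids.
        for conflict_roles, description in SOD_CONFLICTS:
            if conflict_roles <= acc.roles:
                findings.append((acc.user, f"segregation-of-duties conflict: {description}"))
    return findings


# Constructed sample data: one clean account and four that should each raise a finding.
SAMPLE_ACCOUNTS = [
    Account("alice", {"engineer"}, date(2026, 1, 15), True),
    Account("bob", {"domain_admin"}, date(2025, 11, 1), True),                   # review overdue
    Account("carol", {"cad_vault_admin", "engineer"}, None, True),               # never reviewed
    Account("dave", {"engineer"}, date(2026, 2, 1), False),                      # left the company
    Account("erin", {"release_requester", "release_approver"}, date(2026, 3, 1), True),  # SoD
]
REVIEW_DATE = date(2026, 3, 10)   # constructed "today" so the run is reproducible


def run_sample() -> List[Tuple[str, str]]:
    """Run the review over the constructed data; used by the demo and the tests."""
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:6s} {finding}")
```

The output of a run like this, kept with the date it was executed and the ticket numbers for the resulting clean-ups, is exactly the kind of evidence item that satisfies the "regular reviews of access rights" expectation far better than a policy that merely says reviews happen.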

The TISAX Certification Process

The TISAX standard’s certification process follows a structured path. Here’s how it works step by step:

  1. Registration. Register as a participant on ENX's TISAX portal and accept the participation terms. You also define the scope of your assessment (the locations covered, the assessment objectives, and therefore the assessment level).
  2. Self-assessment. Complete the VDA ISA questionnaire, evaluating your organization’s maturity across all required security domains. This is a critical step because it reveals your gaps before the external audit.
  3. Select a TISAX audit provider. Choose an ENX-approved TISAX audit provider (also called an assessment body). These are independent, accredited organizations authorized to conduct TISAX assessments. Examples include TÜV SÜD, DEKRA, and DNV.
  4. External assessment. Depending on your assessment level, TISAX auditors will conduct either a remote plausibility check (AL2) or a full on-site inspection (AL3). The audit includes document reviews, interviews with key personnel, and verification of implemented controls.
  5. Corrective action plan. If the TISAX auditors identify gaps (called “findings”), you’ll need to prepare a corrective action plan (CAP) to address them. The plan is submitted to your audit provider, and a follow-up assessment verifies that the gaps have been closed.
  6. TISAX label issuance. Once all findings are resolved, the audit provider uploads the final report to the TISAX platform. ENX issues the TISAX standard label, and you decide which participants can view your results.

The entire TISAX certification process typically takes between 3 and 12 months, depending on the maturity of your existing ISMS and the scope of your assessment. With Mindsec, you may be able to complete it in as little as 3 to 4 months.

TISAX Auditors: How the Assessment Works

TISAX auditors are professionals employed by ENX-approved audit providers. They are specifically trained to assess information security in the automotive context and follow the VDA ISA methodology.

During the assessment, auditors evaluate your organization’s maturity across each control area in the ISA catalogue. They look for evidence that your policies are not only documented but actually implemented and effective.

A typical AL3 on-site audit includes:

  • Document review. The auditors examine your ISMS documentation, policies, risk assessments, incident logs, training records, and access management procedures.
  • Interviews. Key personnel across departments (IT, security, HR, operations, management) are interviewed to verify that security practices are understood and followed at all levels in compliance with the TISAX standard.
  • Physical inspection. The auditors inspect facilities, server rooms, prototype storage areas, and other physical locations to verify that physical security controls are in place and functioning.
  • Evidence verification. The auditors check that controls are not just on paper. They may request screenshots, system configurations, access logs, and other tangible evidence of implementation.

After the assessment, you receive a detailed report with findings categorized by severity. Major findings must be resolved before the TISAX certification label can be issued. Minor findings may allow you to receive the label with a commitment to resolve them within a defined timeframe.

Mindsec Helps You Complete Your TISAX Certification

Mindsec does not run the TISAX assessment itself; only an ENX-approved audit provider can do that. What our platform does support is ISO 27001, which forms the foundation of TISAX and overlaps with more than 90% of its controls. Getting your ISMS in shape through ISO 27001 therefore puts you most of the way there.

Mindsec is a compliance automation platform that helps organizations simplify and centralize their information security processes for frameworks like the TISAX standard. Instead of managing everything through spreadsheets, emails, and manual reminders, you can handle it all from one place.

With Mindsec, you can:

  • Build and manage your ISMS aligned with ISO 27001, creating the foundation you need for your TISAX assessment.
  • Centralize your documentation so that all policies, risk assessments, and evidence are organized and ready for TISAX auditors.
  • Automate workflows and reminders to stay on top of internal audits, risk reviews, and training deadlines.
  • Track your compliance progress across ISO 27001 controls and identify gaps before your TISAX certification audit.
  • Generate audit-ready reports that demonstrate your security posture to OEMs and assessment bodies.

Mindsec also supports compliance with other major frameworks, including ISO 9001, PCI DSS, and the NIS2 directive, so you can manage multiple certifications in one go, from a single platform.

Want to see it in action? Book a free, 15-min demo to see the Mindsec platform today.

Rodrigo

Mindsec staff

Why Stall? Book A Call!

Interested in working together towards the TISAX certification? Book a call with our team and learn how we can streamline its adoption and any other security framework for you.
