TISAX (Trusted Information Security Assessment Exchange) is a standard developed by the automotive industry to ensure that companies operating within this sector maintain a uniform level of IT security across the supply chain and implement measures to protect information assets.
TISAX is based on the international IT security standard ISO/IEC 27001. Affected companies must meet specific requirements regarding information security, data protection, and, in some cases, prototype protection.
TISAX was developed and is managed through collaboration between the VDA (German Association of the Automotive Industry) and the ENX Association. The VDA represents automotive manufacturers, suppliers, and service providers, and it develops the VDA-ISA catalog, which defines the information security requirements for the automotive industry.
The ENX Association, also composed of automotive industry members, operates the TISAX platform on which assessment results are exchanged and supervises the execution of the assessments. The strict division of roles between these two entities ensures the objectivity and neutrality of assessment results and guarantees that the defined standards are adhered to across the industry.
For companies, the central question is whether they are affected by TISAX. Generally, TISAX is relevant for all companies in the automotive industry that process sensitive information. This includes not only automotive manufacturers but also their suppliers, service providers, or partner companies that handle sensitive and confidential information. Consequently, even companies not directly involved in the automotive industry may be affected if they are integrated into the supply chain.
Protected data and sensitive information include, for example, production data, development data, prototypes, manufacturing data, drawings, contractual information, and project documentation.
Most companies in the automotive industry are obligated by their partners to comply with TISAX, especially if the products or services they provide are directly linked to automotive manufacturing or development.
What Can Companies Do to Comply with TISAX?
To meet TISAX requirements, companies must implement specific technical measures as part of their IT security strategy, addressing the confidentiality, availability, and integrity of information. These measures include:
Patch management, to close zero-day vulnerabilities and known weaknesses.
Collecting and analyzing log files with a log analysis tool, which is a central element of the security strategy. This helps detect attacks early and allows unauthorized access or unusual activity to be analyzed quickly and forensically.
Protecting user accounts with strong, complex passwords and, ideally, two-factor authentication.
Firewalls with intrusion detection and prevention systems, and segmented networks.
It’s important to note that, in addition to technical measures, organizational measures must also be followed. These include clearly defined processes for handling information and security incidents, the implementation of access control concepts, and employee training in security awareness. Proper documentation of all measures and procedures is just as important as their flawless technical implementation.