
What is TISAX certification? A 101 guide to compliance
With the rapid adoption of AI and automation technologies, the automotive industry is experiencing a massive transformation. From autonomous driving tech to vehicles connected with cloud-based services, these innovations are reshaping how automakers and suppliers operate globally. However, these shifts have introduced new vulnerabilities, especially cyber risks, that need to be addressed.
Vanta’s Trust Maturity Report reveals that organizations of all security posture maturity levels are adopting frameworks like SOC 2 and ISO 27001 to mitigate the risks introduced by new technologies. However, the automotive industry has unique needs that require a different approach.
The answer is Trusted Information Security Assessment Exchange (TISAX): an industry-specific information security framework designed to keep automotive-sensitive data, such as design prototypes and testing information, safe and confidential.
In this article, we’ll explain:
- Scope and applicability of TISAX
- TISAX assessment levels
- How to achieve TISAX compliance
What is TISAX?
TISAX is an information security framework introduced in 2017 by the German Association of the Automotive Industry (called the VDA—for Verband der Automobilindustrie in German). It has since become a globally recognized standard for assessing data protection and information security practices and strengthening collaboration in the automotive industry.
Before the introduction of TISAX, every manufacturer or partner would conduct a separate audit based on their own security standards. Vendors and suppliers would have to undergo multiple assessments for all third parties they wanted to partner with. It was a duplicative and cumbersome cycle, resulting in inefficiency and inconsistent deal cycles.
TISAX bridged the gap by adapting leading international information security standards like ISO 27001 for the automotive sector. While ISO 27001 provides strong general cybersecurity protections, TISAX addresses the unique scope of the industry, such as protecting sensitive development data, production processes, supplier relationships, and intellectual property (IP).
The main enforcer for TISAX is the European Network Exchange (ENX) Association, which oversees several duties, including:
- Accrediting auditors
- Maintaining assessment requirements
- Monitoring the quality of implementation and assessment results
Who needs to comply with TISAX?
Compliance with TISAX isn’t a legal requirement, but it has become an industry best practice. All organizations that operate within the automotive industry are expected to comply. Examples include:
- Manufacturers
- Suppliers
- Research and development firms
- Logistics companies
In practice, most original equipment manufacturers (OEMs) consider TISAX compliance a prerequisite for collaboration.
According to a 2025 report by ENX, companies that are already TISAX-compliant are in a strong position to adopt mandatory EU directives like NIS 2. Today, TISAX has 17,500+ assessed sites across 90+ countries, making it one of the most widely adopted security assessment frameworks worldwide. Its comprehensive scope also makes it useful for other industries that contribute to the automotive sector, such as:
- Mechanical, equipment, and plant engineering
- Information and communication technology
- Marketing and creative services
Understand the 3 TISAX assessment levels
TISAX recognizes three assessment levels, which outline its compliance and documentation requirements. The level applicable to your organization depends on the type of service or product you provide.
The three levels are:
- Assessment Level 1 (AL 1): A self-assessment using the Information Security Assessment (ISA), with results you can share with potential customers and partners
- Assessment Level 2 (AL 2): An ENX-approved independent auditor validates your self-assessment, reviews documentation remotely, and interviews relevant stakeholders, typically through a phone or video call
- Assessment Level 3 (AL 3): An ENX-approved auditor conducts a full on-site assessment of your organization’s security posture and controls, including in-person stakeholder interviews
TISAX doesn’t provide certification for passing assessments. Instead, organizations that meet compliance criteria for AL 2 and AL 3 receive a TISAX label, which is valid for three years and serves as demonstrable proof of TISAX compliance.
TISAX compliance requirements
TISAX compliance requirements largely resemble those of ISO 27001, particularly in how they emphasize the need for your organization to implement and maintain an information security management system.
The framework has 79 controls divided into four categories:
- Must: Mandatory for all levels
- Should: Expected, but justified exceptions are possible
- High Protection Needs: Required for AL 2
- Very High Protection Needs: Required for AL 3
However, TISAX is far more prescriptive than ISO 27001 when it comes to vendor risk assessment. ISO 27001 only requires you to evaluate vendor risks—it does not specify the exact process. On the other hand, TISAX outlines clear criteria for managing suppliers in the automotive industry, requiring that your vendors meet comparable information security standards.
Some examples of TISAX compliance requirements include:
- Implementing a robust ISMS that covers risk assessment and mitigation
- Adhering to industry-standard security best practices
- Complying with data privacy regulations such as the GDPR
- Establishing incident response and disaster recovery plans
5 steps for TISAX compliance
Follow these steps to achieve TISAX compliance efficiently:
- Determine the scope and your required assessment level
- Conduct a gap assessment against compliance requirements
- Apply for an audit via the ENX portal
- Undergo the third-party assessment
- Maintain TISAX compliance
Step 1: Determine the scope and your required assessment level
The first step to achieving TISAX compliance is determining your scope and the targeted assessment level. This includes identifying the areas, processes, and systems that should fall under evaluation, as well as customer and partner expectations. For example, if a prospective OEM requires AL 3, you will need to realign your compliance benchmarks accordingly.
Expert tip: Be particularly thorough in this step—a common mistake organizations make is being too broad and vague in their approach. Failing to address specific areas can leave gaps that auditors might flag later in the process, leading to a delay in getting the desired TISAX label.
Additionally, ensure leadership buy-in early in the process so that core update decisions are approved quickly, minimizing bottlenecks during the audit.
Step 2: Conduct a gap assessment against compliance requirements
Once you have a clear outline of the scope, you can test your existing controls and ISMS against TISAX requirements. Conduct detailed gap assessments using the criteria established in Step 1, and document your findings in a self-audit report.
Next, remediate any uncovered gaps using the self-audit report as a roadmap, and prioritize those with the highest potential impact on your security and operations.
If your organization is pursuing AL 1, the self-audit report is the only documentation you need to demonstrate TISAX compliance.
Step 3: Apply for an audit via the ENX portal
If your organization is pursuing AL 2 or AL 3, you will need to find an authorized third party to perform a compliance audit. To do this, make an account on the ENX portal, register your company as a TISAX participant, and submit an audit application. The application must include these details:
- Name and scope of the assessment
- Type of assessment
- Primary contact
- Assessment objectives
- Assessment locations
This assessment must be within the scope of your ISMS. Unlike ISO 27001, TISAX allows users to select either their entire ISMS or just specific parts of it as the audit scope. Still, you can’t select processes outside of the ISMS.
Once you complete the application, you will receive a confirmation email that contains:
- A list of TISAX audit providers
- Your participant ID
- Your scope ID
Step 4: Undergo the third-party assessment
After you receive your confirmation email and select an auditor to work with, choose a date for your assessment. Whether you’re pursuing AL 2 or AL 3, the first part of your assessment is the kick-off meeting, where you align with your audit provider to confirm details about the evaluation, such as:
- What is the assessment scope?
- When does the assessment take place?
- Who needs to participate in the assessment?
From here, you can move on to the evaluation. If you’re pursuing AL 2, this involves a remote plausibility check of your self-attestation and an interview with the designated security stakeholder.
AL 3 requires a deeper assessment—after reviewing your self-assessment, the auditor visits the in-scope location to observe processes, review documentation, and conduct both planned and unplanned interviews with stakeholders.
- If the auditor discovers any areas of non-compliance, you must prepare a corrective action plan that details how you’ll address the gaps with an expected timeline of up to nine months. You can then request a follow-up assessment.
- If the auditor finds only minor non-conformities, you can receive a temporary TISAX label that lasts for nine months or until you remediate the gaps.
Once you successfully pass the audit, you’ll receive a TISAX label.
Step 5: Maintain TISAX compliance
After you get your TISAX label, you need to ensure that your controls stay aligned with requirements for continuous compliance. The label is valid for three years, and once it expires, you’ll need to go to the ENX portal and apply for a renewal.
During the three years, you need to continuously monitor your ISMS and controls to ensure they meet TISAX requirements. This includes regular internal audits, risk assessments, and updates to your policies and procedures to address new threats and regulatory updates.
TISAX assessments also evolve in response to the changing information security landscape, so keep an eye on potential updates. As of writing, the latest ISA version available is 6.0.3, which was updated in April 2024.
Challenges of TISAX compliance
TISAX is a comprehensive framework, and implementing all of its requirements can be overwhelming, especially for organizations that are still maturing their security posture. Some of the most notable challenges include:
- Risk of duplicative workflows: Although TISAX is specialized for the automotive industry, the framework significantly overlaps with other standards such as ISO 27001 and GDPR. Without cross-mapping existing controls between frameworks, you risk creating redundant workflows that consume extra time and resources.
- High evidence collection effort: Maintaining detailed documentation, especially for AL 2 and 3, requires compliance teams to sift through disparate technologies, emails, and chat logs, which can be stressful before audits.
- Ongoing internal monitoring: TISAX labels must be renewed every three years, which means you need to frequently validate the effectiveness of your controls between assessments.
When performed manually, these workflows can put significant strain on your security teams, as well as increase the risk of gaps and inefficiencies. You can mitigate some of the challenges by implementing a dedicated compliance solution that automates most of the repetitive workflows and aligns with broader ISO 27001 and GDPR programs.
Streamline TISAX compliance with Vanta
Vanta is a leading trust management platform that helps organizations achieve compliance with top security frameworks and regulations, such as TISAX, ISO 27001, NIS 2, and the GDPR. The solution provides clear guidance and resources on compliance and automates the busywork in many admin workflows. You not only reduce manual effort but also save significant resources in the process.
Vanta’s compliance automation product offers features to fast-track your processes, such as:
- Continuous monitoring through a unified dashboard
- Automated evidence collection powered by 375+ integrations
- Pre-built policy and document templates with a built-in editor
- Out-of-the-box support for 35+ industry-relevant frameworks
- 1,200+ automated, hourly tests
- Faster remediation with AI-generated code snippets tailored to your environment
If your organization has already achieved compliance or is currently pursuing other relevant frameworks, such as ISO 27001 or the GDPR, you can cross-map to existing controls and speed up compliance. Vanta also helps you build custom frameworks that address your unique compliance needs.
Schedule a custom demo for a more in-depth discussion with Vanta experts.