Key Takeaways
- TISAX is mandatory for suppliers: If you want to win contracts from automotive OEMs, you need a TISAX label – in many cases, there is no way around it. The standard builds on ISO 27001 and adds industry-specific requirements such as prototype protection and data privacy.
- IT documentation is the foundation: Roughly 60% of a TISAX project falls on the IT department. Complete documentation of assets, permissions, network structures, and patch levels is not optional – it is a mandatory requirement that auditors examine in detail.
- Automation saves time and stress: Manual IT inventory management fails at staying current and complete. Automated tools like Docusnap drastically reduce documentation effort and deliver audit-ready reports at any time.

Mastering TISAX Requirements: How to Achieve Certification
Picture this: An OEM announces a supplier audit. Your TISAX assessment is scheduled in six months. You take a look at your IT documentation – and find Excel spreadsheets from two years ago, a network diagram no one maintains anymore, and permission concepts that exist on paper but not in reality.
Many IT managers in the automotive industry know this situation all too well. And it is entirely preventable. In this guide, you will learn what TISAX requirements you are facing, how the certification process works, and how to set up your IT so the assessment becomes a confirmation of your work – not a stress test.
What Is TISAX? The Security Standard of the Automotive Industry
TISAX stands for Trusted Information Security Assessment Exchange and is the central standard for information security in the automotive industry. Developed by the German Association of the Automotive Industry (VDA) and managed by the ENX Association, TISAX establishes uniform rules for handling sensitive data securely across the entire supply chain.
The core idea: Instead of each automotive manufacturer auditing its suppliers individually, a single TISAX assessment is sufficient. The result is shared via the ENX platform – transparent, standardized, and efficient.
TISAX is based on the international standard ISO/IEC 27001 but goes significantly further in several areas. While ISO 27001 is used across industries, TISAX additionally addresses automotive-specific topics:
- Prototype protection: Safeguarding development data, design drawings, and test vehicles
- Specific data privacy: Requirements for personal data in the automotive context that go beyond GDPR
- Availability: Since ISA 6.0, this is a separate assessment objective – ensuring ransomware attacks don't paralyze the supply chain
Good to know: Technically, TISAX is not a certification but an assessment. Those who pass receive a TISAX label – valid for a maximum of three years. Unlike ISO 27001, there are no annual surveillance audits.
TISAX vs. ISO 27001: What's the Difference?
Both standards rely on an Information Security Management System (ISMS), but differ in key aspects:
- Scope: With ISO 27001, the organization defines which areas are audited. With TISAX, the scope covers the entire organization – no exceptions.
- Depth of review: TISAX auditors examine details down to patch levels, permission concepts, and physical access controls.
- Industry focus: ISO 27001 is generic. TISAX adds automotive-specific requirements such as prototype protection.
- Update cycle: The VDA ISA catalog is regularly revised. Through annual updates, TISAX responds faster to new threats than the lengthy ISO process.
- Validity period: Both are valid for three years – but TISAX waives annual interim audits.
Practical tip: Many organizations combine both standards. Those who already hold ISO 27001 have a solid foundation – but must still implement the TISAX-specific requirements on top.
VDA ISA 6.0: What Changed in April 2024
Since April 1, 2024, the ISA Catalog Version 6.0 has been in effect – bringing significant changes that IT managers need to be aware of:
New label structure: The previous "Information Security" label has been split into two separate assessment objectives:
- Confidentiality – high and strict
- Availability – high and very high
Stronger focus on cyber resilience: Six new control questions specifically address ransomware defense, security incident detection, and recovery after attacks.
Expanded references: ISA 6.0 now explicitly references ISO 27001:2022, BSI IT-Grundschutz, and the NIST Cybersecurity Framework. Additionally, OT systems (Operational Technology) receive greater attention – relevant for suppliers with their own production environments.
English as the primary language: The leading language version is now English. German and other translations are being released progressively.
The Three Assessment Levels at a Glance
Depending on how sensitive the data you process for your OEM partner is, a specific assessment level is assigned:
Assessment Level 1 (AL1): A pure self-assessment without external review. Practically never used and does not lead to a TISAX label.
Assessment Level 2 (AL2): For data with a high protection requirement. You fill out the VDA ISA questionnaire, submit your ISMS documentation, and undergo a remote audit with an interview.
Assessment Level 3 (AL3): For data with a very high protection requirement – e.g., prototypes, crash test data, or AI systems. This involves a full on-site audit, including a facility walkthrough and in-person interviews.
Practical tip: Many consultants recommend aiming directly for AL3 – even if AL2 currently suffices. This way, you are prepared for future customer requirements without having to go through another assessment.
The Path to Your TISAX Label: Three Phases in Detail
Phase 1: Self-Assessment and Gap Analysis
Before the auditor arrives, you need to know where you stand. The self-assessment based on the VDA ISA questionnaire systematically reveals which requirements you already meet – and where gaps exist.
Typical questions in this phase:
- Does an up-to-date IT security policy exist?
- Are all IT assets inventoried and documented?
- Are there defined processes for onboarding and offboarding?
- Are permissions reviewed regularly?
- Is a Business Continuity Management system in place?
The biggest hurdle in this phase: Data that simply doesn't exist. Without a complete and current overview of your IT landscape, you cannot credibly answer many of the ISA catalog's questions.
This is where automated IT inventory management pays off. Docusnap scans your entire network – from servers and clients to printers, switches, and Wi-Fi access points – and delivers a complete inventory. Automatically, without agents, without manual maintenance.
Phase 2: Implementation and Documentation
The gap analysis produces a concrete action plan. What matters now: defining processes, creating policies, implementing technical measures – and documenting everything.
In a TISAX assessment, the rule is: if it's not documented, it doesn't exist.
Areas that IT managers should pay particular attention to:
- Asset management: Complete inventory of all IT assets, classified by protection requirements
- Permission concept: Who has access to which data? Are access rights assigned according to the least-privilege principle?
- Network security: Segmentation, firewall rules, encryption
- Patch management: Current OS and software versions must be verifiable
- Incident management: Processes for detecting, reporting, and responding to security incidents
- Emergency planning: Documented recovery plans for business-critical systems
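The asset-management and patch-management items above boil down to one question an assessor will ask: does the register match what is actually on the network, and is each entry current and complete? The script below is an added illustration of that evidence check; it is not code from the original article or from Docusnap. It reconciles a documented asset register against the hosts a discovery scan returned and reports undocumented devices (completeness), entries not verified within the review window or no longer seen on the network (currency), and records missing owner, protection class or OS/patch level (verifiability). All hosts, addresses, dates and field names are constructed assumptions standing in for a CMDB export and a scan result.

```python
"""Inventory-evidence check: reconcile a documented asset register against the
hosts actually seen by a discovery scan and list the gaps an assessor would find.

Everything below is constructed sample data (hypothetical hosts and addresses);
the field names are assumptions, not a real product schema.
"""
from datetime import date, timedelta

# Constructed asset register: each entry should carry an owner, a protection
# class, an OS/patch level and the date the record was last verified.
DOCUMENTED_ASSETS = [
    {"ip": "10.20.1.10", "hostname": "srv-erp-01", "owner": "IT Ops",
     "protection_class": "very high",
     "os_version": "Windows Server 2022 (2024-03 CU)",
     "last_verified": date(2024, 3, 18)},
    {"ip": "10.20.1.11", "hostname": "srv-file-01", "owner": "IT Ops",
     "protection_class": "high",
     "os_version": "Windows Server 2019 (2023-09 CU)",
     "last_verified": date(2023, 9, 30)},          # verified too long ago
    {"ip": "10.20.2.5", "hostname": "sw-core-01", "owner": "",   # owner missing
     "protection_class": "high", "os_version": "",               # firmware level missing
     "last_verified": date(2024, 3, 1)},
    {"ip": "10.20.3.40", "hostname": "prn-hall-02", "owner": "Facility",
     "protection_class": "normal", "os_version": "fw 4.2.1",
     "last_verified": date(2022, 11, 2)},          # decommissioned, never removed
]

# Constructed discovery result, as an agentless scan (ICMP/SNMP/WMI) might return it.
DISCOVERED_HOSTS = [
    {"ip": "10.20.1.10", "hostname": "srv-erp-01"},
    {"ip": "10.20.1.11", "hostname": "srv-file-01"},
    {"ip": "10.20.2.5", "hostname": "sw-core-01"},
    {"ip": "10.20.3.77", "hostname": "ap-dev-lab"},   # access point nobody documented
    {"ip": "10.20.4.12", "hostname": ""},             # unknown device, no name resolvable
]

# Fields an assessor expects to be filled for every asset.
REQUIRED_FIELDS = ("owner", "protection_class", "os_version")

# Fixed reference date so the sample run is reproducible (assumption).
REFERENCE_DATE = date(2024, 4, 1)


def reconcile(documented, discovered, today, max_age_days=90):
    """Compare register and scan; return the four classes of evidence gaps."""
    by_ip = {a["ip"]: a for a in documented}
    seen_ips = {h["ip"] for h in discovered}
    cutoff = today - timedelta(days=max_age_days)

    return {
        # On the network but absent from the register: forgotten devices, shadow IT.
        "undocumented": sorted(h["ip"] for h in discovered if h["ip"] not in by_ip),
        # In the register but not answering: likely decommissioned, register is stale.
        "not_seen": sorted(ip for ip in by_ip if ip not in seen_ips),
        # Record exists but nobody confirmed it within the review window.
        "stale": sorted(ip for ip, a in by_ip.items() if a["last_verified"] < cutoff),
        # Record exists but lacks data the assessor will ask for.
        "incomplete": {ip: [f for f in REQUIRED_FIELDS if not a[f]]
                       for ip, a in by_ip.items()
                       if any(not a[f] for f in REQUIRED_FIELDS)},
    }


def is_audit_ready(findings):
    """True only when every gap class is empty."""
    return not any(findings.values())


def run_sample():
    """Run the check over the constructed data with the fixed reference date."""
    return reconcile(DOCUMENTED_ASSETS, DISCOVERED_HOSTS, REFERENCE_DATE)


if __name__ == "__main__":
    result = run_sample()
    for category, items in result.items():
        print(f"{category}: {items}")
    print("audit-ready:", is_audit_ready(result))
```

In practice the two input lists come from a register export and a scheduled scan; the value of running the comparison on a schedule is that the "undocumented" and "not_seen" lists are exactly the drift a manual spreadsheet cannot show, and an empty result is the evidence that the register is current.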
With an IT documentation solution like Docusnap, this information is not buried in scattered Excel files but available centrally, automatically updated, and exportable as reports at any time.
Phase 3: Assessment and Ongoing Reporting
During the actual assessment, an accredited audit provider verifies whether your ISMS works in practice. The auditor evaluates each area on a maturity scale from 0 to 5 – the average must reach at least maturity level 3.
What auditors scrutinize most closely:
- Does the ISMS function in daily operations – not just on paper?
- What security incidents occurred, and how were they handled?
- Have all employees been trained?
- Are measures regularly reviewed and improved?
After passing the assessment, the work isn't over. The VDA requires regular reporting to organizational leadership – including the current IT security posture, patch levels, and identified risks.
With Docusnap, you generate these reports automatically and on schedule – keeping your management up to date at all times, without manual effort.
Why Automated IT Documentation Is the Key
TISAX requirements share a common thread: You need current, complete, and traceable data about your IT landscape. And this is exactly where many organizations fail – not due to lack of willingness, but due to the wrong approach.
Manual IT documentation has three fundamental problems:
- Currency: By the time your Excel spreadsheet is finished, the IT environment has already changed.
- Completeness: Forgotten switches, unknown Wi-Fi access points, shadow IT – manual inventory management systematically overlooks devices.
- Effort: The IT department has better things to do than maintaining spreadsheets. And with the next change, the work starts all over again.
Docusnap solves these problems at their root:
- Agentless: No additional software on endpoints – no additional security risk, no rollout effort
- Automatic scans: Regular inventory via IP scanning, SNMP, WMI, and other protocols – all devices on the network are captured
- Centralized data storage: All information in a single SQL database, including cross-site inventory management
- Ready-made reports: Network diagrams, permission analyses, patch overviews, IT emergency plans – at the push of a button
- Multi-tenant capable: External IT service providers can also document their clients in a TISAX-compliant manner
What Does TISAX Certification Cost?
Costs vary significantly depending on company size, existing security maturity, and the chosen assessment level. A rough guide:
- ENX registration: approx. EUR 3,000–5,000
- Preparation and gap analysis: approx. EUR 8,000–20,000
- Implementation of measures and documentation: approx. EUR 6,000–15,000
- Total costs: typically between EUR 10,000 (small company, solid baseline) and EUR 200,000 (complex IT, significant catch-up needed)
The biggest cost driver is not the audit itself, but implementing the missing security measures. Organizations with an existing ISO 27001 certification start with a significant advantage.
Practical tip: Invest early in automated IT documentation. This not only saves consulting costs during preparation but also significantly reduces the ongoing effort for the next re-certification in three years.
Practical Example: From Audit Stress to Structured Documentation
Imagine this: A mid-sized automotive supplier with 180 employees and three locations is facing its first TISAX certification. The IT department consists of four people – and the IT documentation is a mix of Excel spreadsheets, Word documents, and knowledge stored in the admin's head.
The gap analysis reveals: no complete asset register, no centralized permission overview, no documented emergency plan. The timeline until the assessment: nine months.
The solution path: After implementing Docusnap, all three locations are fully inventoried within a few days. The automated scans provide a current overview of all systems, software versions, and network connections. IT emergency planning is built on the basis of real data. Permission reports show at a glance who has access to which resources.
The result: During the assessment, the IT department can present current data for every question the auditor asks. The certification is passed on the first attempt – and the structures built serve as the foundation for ongoing compliance work.
FAQs
Is TISAX legally mandatory?
No – but it is effectively mandatory. Most German automotive manufacturers (OEMs) require a TISAX label as a prerequisite for collaboration. No label, no contract.
How long does it take to obtain a TISAX label?
Typically 6–12 months, depending on the maturity of your existing ISMS. Organizations with an ISO 27001 foundation may be faster. Building an ISMS from scratch takes at least six months on average.
Which departments are involved in a TISAX project?
TISAX is not a pure IT project. Typically involved are: IT, HR (onboarding/offboarding), Facility Management (physical security), Procurement (supplier evaluation), Executive Management (management commitment), and Legal (contracts, GDPR).
What happens if non-conformities are found during the assessment?
For minor non-conformities, a temporary label can be issued until the issues are resolved. For major non-conformities, no label is granted – the organization must remediate and be re-assessed. This costs time and money.
Is TISAX relevant for small companies as well?
Yes – company size does not matter. What matters is the type of information being processed. Even sole proprietorships may need a TISAX label if they handle sensitive OEM data.
Next steps
A TISAX certification begins with an honest assessment of your IT landscape – and ends with the confidence that your information security meets the highest standards. Docusnap supports you as a reliable companion throughout: from automated inventory management to permission analysis to audit-ready reports at the push of a button. Try Docusnap free for 30 days – including professional support.
