Key Takeaways
- TISAX is mandatory for suppliers: If you want to win contracts from automotive OEMs, you need a TISAX label – in many cases, there is no way around it. The standard builds on ISO 27001 and adds industry-specific requirements such as prototype protection and data privacy.
- IT documentation is the foundation: Roughly 60% of a TISAX project falls on the IT department. Complete documentation of assets, permissions, network structures, and patch levels is not optional – it is a mandatory requirement that auditors examine in detail.
- Automation saves time and stress: Manual IT inventory management fails at staying current and complete. Automated tools like Docusnap drastically reduce documentation effort and deliver audit-ready reports at any time.

TISAX Certification: Costs, Process and Obligations
Over 60% of TISAX assessments fail not because of missing policies, but because of incomplete or outdated IT documentation. Auditors examine the details, from patch levels and permission concepts to physical access controls, and this is precisely where the data foundation is missing, because no GRC tool generates it on its own. This article explains what the TISAX certification concretely requires, what it costs, who needs it, and why IT documentation is the decisive first step.
Who needs TISAX certification?
TISAX (Trusted Information Security Assessment Exchange) is the binding information security standard of the automotive industry. Developed by the German Association of the Automotive Industry (VDA) and managed by the ENX Association, it establishes uniform rules for the secure handling of confidential data across the entire supply chain.
The certification requirement applies to all companies that, on behalf of an OEM or Tier-1 supplier:
- process confidential information (engineering data, calculations, contracts),
- develop or photograph prototypes or test vehicles,
- handle personal data in an automotive context.
In practice, this means: software service providers, engineering firms, logistics companies, IT service providers and marketing agencies are just as affected as traditional parts suppliers. OEMs such as Volkswagen, BMW and Mercedes now contractually require the certification — without it, there is no access to the supply chain.
What does the TISAX assessment require?
The assessment is based on the VDA ISA Catalogue Version 6.0, which currently defines around 80 controls across three modules:
Information Security module (mandatory for all): Classic ISMS topics — security policies, risk management, access controls, network security, patch management, personnel management and supplier management. Companies already operating an ISMS in accordance with ISO 27001 will have covered around 60–70% of these TISAX requirements.
Data Protection module: Relevant when personal data is processed on behalf of an OEM. The module is aligned with the GDPR and audits processing records, data protection impact assessments and technical safeguards.
Prototype Protection module: Applies to companies managing development vehicles, design drawings or test data. The requirements go far beyond classic IT security — extending to physical access restrictions and encrypted transmission paths.
For every criterion assessed, companies must demonstrate at least maturity level 3 out of 5. This means: not just documented processes, but their proven application in day-to-day operations.
What do auditors examine in technical detail?
IT managers should know what auditors focus on most — because this is where most gaps arise:
- Complete IT asset inventory with classification by protection requirement
- Current patch levels for all operating systems and applications
- Permission concept based on the least-privilege principle — with verifiable regular review
- Network segmentation and documented firewall rules
- Evidence of on- and offboarding processes (who still has access after leaving?)
- Documented emergency and recovery plans for critical systems
Anyone who cannot produce this data on the spot has a problem. Auditors do not accept statements like "we know this, but it's not documented."
Why IT documentation is the true foundation
This is where the difference lies between companies that enter the assessment well prepared and those that have to catch up at short notice.
Many companies invest in GRC platforms, policy templates and training — and only realise during the auditor interview that they cannot answer basic questions: Which systems are running in the network? What patch level is server XY on? Who has access to the development share?
Manual IT documentation regularly fails for the same reasons:
- Currency: By the time an Excel inventory list is complete, the IT environment has already changed.
- Completeness: Forgotten switches, unknown access points, shadow IT — manual inventorying systematically misses devices.
- Effort: IT teams do not have the capacity to repopulate lists before every audit.
Automated IT inventorying solutions such as Docusnap scan the entire network agentlessly — from Windows and Linux servers to clients and network components — and deliver an up-to-date, complete data foundation at any time. For a TISAX assessment, this means: the auditors' questions are answered before they are asked.
Assessment level: which one applies to your company?
TISAX distinguishes three assessment levels, which depend on the requirements of your client:
Assessment Level 1 (AL1): Pure self-assessment without external review. No accredited auditor, no recognised result. Not accepted by OEMs — useful at best as an internal practice run.
Assessment Level 2 (AL2): For data with high protection requirements. Questionnaire submission plus remote audit with interview. Most service providers without direct prototype access fall into this category.
Assessment Level 3 (AL3): For highly sensitive data — prototypes, crash test data, AI systems. Full on-site audit including inspection of premises. Most direct OEM suppliers require AL3.
Many consultants recommend aiming directly for AL3 — even if AL2 is sufficient today. This keeps you prepared for future OEM requirements without having to go through a new assessment.
What does TISAX certification cost?
Costs vary considerably. A realistic guide for planning:
- ENX registration (per location): €400–500
- Audit provider fee (AL2/AL3): €3,500–10,500
- ISMS build-up and consulting: €8,000–40,000
- Tools and internal personnel costs: €3,000–20,000
Total costs for an SME with one location typically range between €15,000 and €80,000.
The biggest cost driver is not the TISAX audit itself — which often accounts for only 10–15% of total costs. The far larger portion falls on ISMS build-up, documentation and the implementation of missing security measures.
Companies already operating an ISMS in accordance with ISO 27001 have a significant advantage: around 60–70% of the TISAX requirements are identical. Such companies can complete the assessment as an add-on in 3–6 months rather than starting from scratch in 12–18 months. The remaining additional effort focuses on the TISAX-specific modules for prototype protection and automotive-specific supply chain requirements.
How does the certification process work?
The TISAX certification runs in five steps — from registration to completed assessment:
- Registration in the ENX portal: Mandatory before any other step. Here you select scope, assessment objectives and assessment level.
- Self-assessment using the VDA ISA Catalogue: Gap analysis identifies which requirements are met and where measures are missing.
- Implementation of measures and documentation: The most time-consuming block. Policies, technical measures and — particularly important — the documentation of the IT infrastructure.
- Assessment by an accredited audit provider: AL2 remotely, AL3 on-site. Important: a maximum of 9 months may pass between registration and completion of the assessment.
- Results release via the ENX platform: The assessment result is shared there and is visible to authorised partners.
A realistic timeline: without an existing ISMS, 12–18 months. With ISO 27001 as a foundation, 3–6 months.
What changed in 2024: ISA Catalogue Version 6.0
Since 1 April 2024, the VDA ISA Catalogue in Version 6.0 has been binding — and the changes are relevant for ongoing preparations:
The previous assessment objective "Information Security" has been split into two independent categories: Confidentiality (high and strict) and Availability (high and very high). The latter is new and was introduced because ransomware attacks on suppliers are increasingly crippling entire OEM supply chains.
Six new controls specifically address cyber resilience: ransomware defence, attack detection and recovery from security incidents. ISA 6.0 also now explicitly references ISO 27001:2022 and the NIST Cyber Security Framework. OT systems — i.e. production systems connected to the network — are given greater consideration, which creates new documentation requirements for many manufacturing suppliers.
How long is TISAX certification valid?
The TISAX certification is valid for three years — from the date the assessment is completed. The result is shared as a TISAX label via the ENX platform and is visible to authorised partners. Unlike ISO 27001, there are no annual surveillance audits. What sets ISO 27001 and TISAX apart beyond that — and where both standards share a common data foundation — is explained in the TISAX vs. ISO 27001 comparison article.
This does not mean, however, that nothing needs to happen for three years after passing. The VDA expects companies to continuously maintain their ISMS and carry out regular internal self-assessments — with documentation. Anyone who cannot present evidence of ongoing maintenance at the re-assessment after three years risks deductions in their maturity level.
For permission analysis and ongoing IT inventorying, this means the data must not only be collected once for the assessment, but kept permanently up to date.
Next steps
A TISAX certification begins with an honest assessment of your IT landscape – and ends with the confidence that your information security meets the highest standards. Docusnap supports you as a reliable companion throughout: from automated inventory management to permission analysis to audit-ready reports at the push of a button. Try Docusnap free for 30 days – including professional support.
