Importance of Information Security in the Automotive Industry
Information security is becoming increasingly vital in the digital era to preserve competitiveness. This is especially true in the automotive industry, where companies often communicate large amounts of sensitive data that must be protected from theft, loss, or manipulation.
OEMs and their suppliers form one of the world's most complex supply chains. In the past, each manufacturer audited its suppliers independently against its own strict requirements. A supplier serving several OEMs was therefore obliged to submit to several separate customer audits, which took a tremendous amount of time, effort, and money.
What is TISAX?
TISAX (Trusted Information Security Assessment Exchange) is the German automotive industry's mechanism for assessing and exchanging information security assessment results. It is operated by the ENX Association on behalf of the VDA. Launched in 2017, it has become the industry standard for demonstrating that a company has adequate information security. Note that TISAX issues assessment labels rather than certificates; it is not a certification scheme in the ISO sense.
TISAX allows businesses to have their data security systems and processes audited by a third party and share the results with customers and partners. These assessments are based on the VDA ISA (Verband der Automobilindustrie Information Security Assessment), which itself is derived from ISO 27001 standards.
TISAX evaluations involve corporate governance, risk management, and technical controls such as data classification, encryption, and reporting. Companies that cannot demonstrate compliance will find competing in the German automotive market difficult or impossible.
TISAX Requirements and Criteria
The requirements are structured as a catalogue of questions based on ISO 27001 (VDA ISA version 5.0). It consists of three main catalogues:
- Information security
- Prototype protection
- Data protection
The maturity of an Information Security Management System (ISMS) is evaluated per requirement on a 6-point scale (levels 0 to 5):
- Level 0: Incomplete
- Level 1: Performed
- Level 2: Managed
- Level 3: Established
- Level 4: Predictable
- Level 5: Optimizing
The target maturity level for each requirement is 3 (Established), so the assessment result is driven by how far the organization falls short of that target across the catalogue.
Prototype Protection in TISAX
TISAX emphasizes prototype protection, an area that ISO 27001 does not cover specifically. Its requirements include:
- Vehicle, component, and part handling: transportation, parking, and storage
- Test vehicle requirements: camouflage, trial and test areas, and public road trials
TISAX Participation
TISAX participants include any automotive company that wants to demonstrate secure handling of data. They are divided into two groups:
- Active participants: Companies that undergo TISAX audits (e.g., suppliers) and share results.
- Passive participants: Companies (e.g., OEMs) that request suppliers or partners to share their TISAX evaluation results.
This system creates a common, transparent level of information security across the industry and fosters stronger supplier relationships. The ENX exchange platform also makes it easier to start new business relationships, since a prospective partner can check an existing assessment result instead of commissioning a new audit.
Protection Levels in VDA ISA
The VDA ISA catalogue defines three protection tiers based on potential damage:
- Normal: Low risk, short-term, and limited to a single company.
- High: Significant risk, medium-term, or not restricted to one event.
- Very High: Severe risk, potentially threatening a company’s existence, long-term, or industry-wide.
Assessment Levels in TISAX
TISAX distinguishes three assessment levels depending on the security requirements:
- Level 1: Auditor verifies the completeness of self-assessment. No evidence or in-depth checks. Low confidence level.
- Level 2: Auditor reviews self-assessment with evidence and remote interviews. No on-site inspections (except for prototypes).
- Level 3: Comprehensive audit with on-site inspections and face-to-face interviews. Required for prototypes and sensitive personal data.
Control Questions in TISAX
Organizations can perform a self-assessment based on the ISA questionnaire, covering:
- Information Policies and Organization
- Physical Security and Business Continuity
- Human Resources
- Identity and Access Management
- IT Security / Cyber Security
- Supplier Relationships
- Compliance
Additional criteria include prototype protection and GDPR-related data protection measures. Within each control question, requirements are categorized as "must" (mandatory) or "should" (expected, with deviations to be justified), and further requirements apply only where the assessment scope has high or very high protection needs.
Documentation Requirements
Evidence is crucial for compliance. Organizations must prepare documents for auditors, such as:
- Management description of processes, systems, and controls
- Physical inventory of network devices and equipment
- System settings, backup, and patch logs
- Security policies (data retention, encryption, access, password policies, etc.)
- Risk management and compliance program documents
- Privacy policies, data use agreements, and opt-out policies
- Employee organizational charts, training logs, and HR compliance records
Why TISAX Matters
Although some organizations see information security as an added cost, more companies recognize its necessity. TISAX provides:
- Improved trust across the automotive supply chain
- Reduced costs, because one assessment result can be shared with many customers instead of each customer auditing the supplier separately
- Alignment with ISO 27001 and support for GDPR obligations
- Long-term supplier relationships and industry competitiveness
By adopting TISAX, companies demonstrate that their level of information security meets the expectations of global automotive manufacturers and partners.