
For years, the automotive industry has been one of the most demanding sectors when it comes to quality and safety standards. ISO standards, supply chain requirements, audits: companies operating in the automotive sector are used to all of this. In recent years, TISAX has joined this list: an information security standard developed specifically for the automotive supply chain. And unlike many other certifications, here no certificate means no business.
TISAX, or Trusted Information Security Assessment Exchange, is an information security assessment standard created by the ENX Association in collaboration with the German automotive industry. Its main purpose is to ensure that companies operating within the supply chain — from component designers and engineering firms to IT and marketing service providers — protect their business partners’ sensitive data in a structured and verifiable manner.
Why is this specific to the automotive sector? Today, a car consists of tens of thousands of parts, hundreds of electronic systems and vast amounts of technical, design and production data. OEMs such as the Volkswagen Group, BMW, Stellantis and Mercedes-Benz share data with their suppliers, and a leak of that data could result in losses amounting to hundreds of millions of euros. TISAX is the answer to this risk: a common language for information security across the entire industry.

The question of which companies TISAX applies to comes up very often, and contrary to appearances, the answer is broader than one might think. TISAX does not apply exclusively to manufacturers of parts or components. It covers any company that processes confidential data as part of its collaboration with a partner in the automotive industry.
In practice, this includes, amongst others: engineering and design firms serving OEMs, advertising and marketing agencies working with materials relating to new models, software and IT system suppliers, logistics companies managing production data, as well as subcontractors operating several tiers down the supply chain.
If your automotive client has asked for confirmation of TISAX certification — or you know they intend to do so — this is a sign that it is time to take action. This requirement is now standard in B2B relationships with most major players in the automotive market.
TISAX is based on the VDA ISA (Information Security Assessment) questionnaire, which covers three main areas: general information security, personal data protection and prototype security. The specific scope of the audit depends on what data the company processes and what requirements the business partner has set.
The audit is not conducted by an ISO certification body, but by external auditors accredited by ENX. The results are not made public — they are shared exclusively with designated business partners via the ENX platform. This is a significant difference compared to ISO certificates: TISAX is a system for exchanging assessment results, not a traditional certification.
For a company applying for assessment, this offers one important practical benefit: a single audit can serve multiple partners simultaneously, without the need to repeat the process for each one individually.
Companies that have undergone the TISAX assessment process often mention a similar side effect: the audit revealed gaps in information management that no one had previously discussed openly. Security policies that exist only on paper, a lack of access controls for key data, and out-of-date documentation — these are things that do not stand out in day-to-day operations, but in the event of an incident can prove very costly.
TISAX brings order to these areas. A company that has undergone the assessment not only meets the contractor’s requirements but also has a genuinely better-structured approach to information protection. In an industry where design and technological data are key assets, this is valuable in itself.