Regulatory compliance

TISAX Preparation

If you work or want to work for the automotive industry, your customers will ask you for the TISAX label. We prepare you to obtain it: the VDA ISA questionnaire, the protection of prototypes and data, and the assessment with the accredited provider, at the level your customer requires.

Lead auditors for ISO 27001 (CISA, CISSP, CISM), the standard on which TISAX is built.

What it is

TISAX, the key to automotive

TISAX is the mechanism the automotive industry uses to verify the information security of its suppliers. It builds on the VDA ISA questionnaire, published by the ENX association, and grew out of ISO 27001, but adds what the sector needs: prototype protection, secure handling of partner data and privacy controls.

It is not a certificate, it is a label

When you pass the assessment you obtain a label that is published on the ENX platform. You decide which manufacturers can see it, and it is valid for three years before a new full assessment.

Your ISO 27001 is not enough

TISAX and the ISO standard share many of their controls, but they are not equivalent. No major manufacturer accepts ISO 27001 as a substitute for TISAX, although having it gets you very close.

Your customer asks for it

It is not a legal obligation, it is a business requirement: if you want to be a supplier to a manufacturer or a Tier 1, they will require the label by contract before you can work with them.

The levels

Which level do you need?

The assessment level is set by the sensitivity of the information you handle for the manufacturer, and your customer almost always fixes it in the contract. These are the three, although in practice most suppliers sit between the two highest ones.

AL 1: Self-assessment

You fill in the questionnaire on your own, with no external review. It does not produce a visible label and almost no manufacturer accepts it as sufficient.

AL 2: Remote review

An accredited provider reviews your self-assessment for plausibility, with an interview and document review, without an on-site visit. Common for high-protection information.

AL 3: On-site audit

A full audit at your premises: documentation, processes and technical implementation reviewed in depth. The level required by most manufacturers, especially for highly sensitive information or prototypes.

The most requested

If you do not know which level applies to you, we clarify it with you and, if needed, confirm it with your customer before we start. Choosing the wrong level costs time and money.

The modules

What gets assessed

Depending on what you do for the manufacturer, your assessment covers one or more of these three modules. The VDA ISA questionnaire defines the controls of each one and the maturity level you must demonstrate.

Information security

The mandatory module, always. It is the foundation of the assessment and covers the security controls on which everything else rests.

Prototype protection

It applies if you handle the manufacturer's pre-series parts or vehicles. It covers secure areas, physical access control and traceability.

Data protection

It applies if you process personal data on the manufacturer's behalf, with privacy controls aligned with regulations.

Prototype protection is one of the most demanding points and where findings concentrate the most: physical access control, secure areas and traceability of who touches what.

Service

What the preparation includes

Scope and level definition: which locations are in, which modules and whether you need AL2 or AL3, according to what your customer requires.

Gap analysis against the VDA ISA questionnaire, measuring the maturity of each control and what is missing to reach the required level.

Control implementation: policies, processes and technical measures to reach the maturity that TISAX requires for each applicable control.

Prototype protection: secure areas, physical access control and traceability, if your assessment includes this module.

Completion of the VDA ISA and preparation of the evidence that the accredited provider will review in the assessment.

Support during the assessment: we prepare you for the interview and the review, and support you in closing findings.

Method

How we work

01. Scope and diagnosis

We define locations, modules and level, and measure the distance against the VDA ISA in your case.

02. Preparation plan

A prioritized roadmap to reach the maturity your level requires, with the lead times of the ENX registration.

03. Implementation

Controls, prototype protection if applicable, documentation and completion of the questionnaire.

04. Assessment and label

We support you before the accredited provider and in closing findings until you obtain the label.

Synergies

If you already have ISO 27001, you are well on your way

TISAX grew out of ISO 27001, so if you already have an ISMS much of the work is done: the Annex A controls are the foundation of the VDA ISA questionnaire. We work with that mapping to make the most of what you already have and focus on what TISAX adds: prototype protection, the handling of partner data and the maturity level each control requires.

And what sets us apart: we are lead auditors for ISO 27001, the standard on which TISAX is built. We know what evidence the accredited provider will ask for because we work with that same audit logic every day. We also prepare TISAX as part of your internal audit, so you reach the assessment without surprises.

Questions

Frequently asked questions

What exactly is TISAX?

TISAX is the mechanism the automotive industry uses to verify and share the information security of its suppliers. It is based on the VDA ISA questionnaire, published by the ENX association, and builds on ISO 27001 while adding sector-specific requirements: prototype protection, handling of partner data and privacy controls. When you pass the assessment you obtain a label that you share with your customers through the ENX platform.

Is it the same as ISO 27001?

No. They share many of their controls, because TISAX grew out of the ISO standard, but they are not equivalent. No major manufacturer accepts ISO 27001 as a substitute for TISAX. The good news is that if you already hold the ISO standard you are well on your way: the groundwork is done and you only need to cover what TISAX adds.

What assessment level do I need?

It depends on the sensitivity of the information you handle for the manufacturer, and your customer almost always sets it. AL2 is a remote review of your self-assessment and AL3 a full audit at your premises. Most suppliers sit between those two. If you are not sure, we clarify it with you and, if needed, confirm it with your customer before we start.

How long is the label valid once obtained?

The TISAX label is valid for three years. After that time there is no surveillance audit as with the ISO standard; instead a full reassessment is due. That is why it pays to keep the system alive during those three years, not just prepare it to pass the assessment and then forget it.

What is prototype protection?

It is one of the TISAX modules, mandatory if you handle the manufacturer's pre-series parts or vehicles. It covers secure areas, physical access control and traceability of who accesses what. It is one of the most demanding points and where findings concentrate the most, which is why we work on it carefully from the start.

How long does it take to obtain the label?

It depends on the level, the starting point and the modules, but it is best not to leave it until the last minute: you have to register on the ENX platform, prepare the documentation, close the gaps and schedule the assessment with the accredited provider, which has its own lead times. If your customer has set you a date, the sooner we start the diagnosis, the better: the gaps that appear halfway through are the ones that stretch the timelines.

Where do you provide the TISAX service?

Across all of Spain. Much of the preparation is document-based and remote, so we work with you wherever you are. We know the country's automotive hubs well, from the Ebro axis, with Navarre and Aragon, to Catalonia, the Valencian Community, Castile and Leon or the Basque Country, where manufacturers and suppliers need TISAX to work together. And if you prefer to have us nearby, we are in Tudela, right in the industrial corridor.

Direct line

Shall we talk?

Tell us which manufacturer you need TISAX for and where you stand. In a first conversation we tell you which level you need and what stands between you and the label.
