Passed with flying colors


TISAX (short for Trusted Information Security Assessment Exchange) is an established model in the automotive industry for exchanging assessment results from companies on information security between participants, making them more comparable and mutually recognizable.

More and more OEMs are demanding the TISAX label from their suppliers. Anyone who wants to be considered in future tenders and award decisions, or who is contractually obligated to do so, should be able to present the label. The label confirms that the company has established an effective information security management system.

It was a great success for the organization that our Weinheim site in Germany obtained the label without any deviation the first time around.

Criteria catalogue as a basis

To enable comparability of assessment results and increase transparency, the German Association of the Automotive Industry (VDA) has developed a criteria catalogue for information security in close cooperation with OEMs and suppliers. This catalogue contains a set of control requirements to be assessed by the company or supplier: the VDA-ISA (Information Security Assessment). Based on the international standard ISO/IEC 27001, these requirements are now supplemented by further automotive-specific components, such as prototype protection. For the automotive industry, the VDA-ISA is now accepted and set as an industry standard worldwide.

The way to the label

Suppliers must go through a three-step process.

In step 1, a self-assessment is initially performed in accordance with the VDA-ISA.

In step 2, an accredited auditor validates the assessment results and establishes an audit report. Depending on conformity with the requirements, he either immediately issues the TISAX label or issues a temporary version until any corrective actions are fully remediated.

In step 3, the supplier shares the TISAX label with the OEM or other participants in the supply chain via an exchange platform.

Audit scope based on supplier status

"Additional requirements, ranging from high to very high protection needs, are derived according to the type of supplier relationship and define the required assessment level”, explained Susanne Jendreizik, Chief Information Security Officer. “As we are involved in the prototype phase and therefore have access to classified information, the highest level of accreditation in terms of information security and prototype protection was quickly established. This was supplemented by data protection.”

Label is site-specific

"We are pleased to have received objective confirmation that our Weinheim site has an effective information security management system in place”, commented Susanne Jendreizik. It is important to know that the TISAX label is only ever granted on a site-specific basis. “Because our headquarters are Weinheim, where prototypes are developed and global functions converge, this was our first priority for the label. We are now gradually registering other sites for the TISAX assessment model and are confident that they will also be successful.”

3-year review

Suppliers who have received their TISAX label can choose with which OEMs and to which level of detail they want to share their results via the ENX platform.

There is no obligation to share the results with all OEMs, but it is clearly in the interest of the successful companies to do so.

The label is considered proof that the information security management system is capable of protecting classified information. It can be used or shared multiple times. However, the label is only valid for three years by which time, at the latest, the next TISAX assessment process should have been triggered again and the TISAX label renewed.


As Thomas Stößer, Regional Director Europe Automotive at Freudenberg Filtration Technologies, commented:

“We look forward to working with the industry to keep this scheme up and running. It is clearly a valuable contribution to information security and for all partners and acts as best practice.”