TISAX Accredited Audit Provider


Automotive industry organizations rely on us to verify and provide assurance needed to build secure applications and services.


Why Should Your Company Participate in TISAX?

As the automotive industry rapidly evolves to incorporate new technologies like the Internet of Things (IoT), connections to the cloud and autonomous vehicles, specialized compliance offerings such as TISAX (Trusted Information Security Assessment Exchange) are critical to winning customer trust.

Who Needs TISAX?

  • All suppliers of automotive manufacturing systems who want to avoid repeating the same test to prove results to different customers.
  • All suppliers of automotive manufacturing systems who process sensitive information and need to verify effective Infosec practices and meet the requirements of customers.

Why TUV Rheinland OpenSky?

  • As an accredited audit provider (TÜV Rheinland i-sec GmbH), we can perform TISAX assessments globally.
  • With over 140 years of testing, inspection and certification services to companies, we are one of the few firms in the world who is accredited to test and audit organizations in the automotive industry in accordance to TISAX.

Advantages of TISAX

    • The renewal of existing supplier relationships is made easier.
    • Double and multiple tests are a thing of the past.
    • Standardization saves time and money.
    • TISAX inspections are recognized beyond the individual customer, throughout the industry.

Our Approach to TISAX

1. Definition

Definition of the assessment levels by the OEM, also with prototype protection, etc.

2. Registration

Registration of the organization at the ENX; there the organization gets the scope ID (creation of self-assessment).

3. Initial Assessment

Review of documents, followed by telephone interview at Assessment Level 2 or onsite assessment at Level 3, followed by prototype protection or connection of third parties.

4. Exposition of the Findings

Discussion of the findings, presentation and review of Corrective Action Plan by the company being audited, plus completion of Initial Assessment through the preparation of the report.

5. Removal of the Findings

Customer removes findings according to the Corrective Action Plan – with due regard to the applicable recommendations.

6. Follow-Up Assessment

Check an assessment of documents and processes with findings. Preparation of Follow-Up Assessment Reports. Issuance of TISAX Label, if all non-conformities, are removed.


What is New with VDA ISA and TISAX?

The foundation of the testing continues to be the VDA ISA inspection catalog approved by the Information Security working group of the VDA, which demands essential aspects of the international standard ISO/IEC 27001 (Information Security Management System). Regular testing is conducted according to international standards recognized throughout the industry and by accredited testing service providers. This process is intended to help service providers or suppliers avoid having to subject themselves to identical testing by customers at fairly frequent intervals

Overview of VDA Information Security Assessment

The VDA Information Security Committee of the VDA (German Association of the Automotive Industry), which was established over 10 years ago, has developed a catalogue of assessment criteria on information security based on key aspects of the international ISO/IEC 27001 and 27002 standards: VDA ISA (VDA Information Security Assessment).

This instrument is used by VDA member companies for

    1. internal purposes
    2. external assessments at suppliers and service providers who process sensitive information of their respective partners

So far, assessments according to VDA ISA, particularly at service providers and suppliers, are handled individually by each requiring company. Therefore, it is possible that a partner is assessed several times at short intervals.

Common Assessment Mechanism: TISAX

The VDA Information Security Committee established TISAX (Trusted Information Security Assessment Exchange), a common assessment and exchange mechanism, for the automotive industry and beyond, to avoid such multiple assessments in the future.  The TISAX system is operated by ENX Association, which has been entrusted with the implementation as a neutral instance by the VDA.  TISAX creates competition among the accredited audit providers and allows for common acceptance of assessment results within the circle of TISAX participants. The audit providers perform the assessments based on this set of information security management controls.

Governance by the ENX Association

The ENX Association acts as a governance organization of TISAX. The ENX Association accredits the Audit Providers and monitors the quality of implementation and assessment results.

This control function is ensured through the “ENX Triangle of Governance,” a contractual framework that consists of

    • a contract between ENX Association and each accredited audit provider and
    • a contract between ENX Association and each participant

The participant agrees to the General Terms and Conditions of TISAX participation through their registration.  This acceptance ensures that the results will correspond to a required quality and objectivity, as well as preserve the rights and obligations of the participants.

Because of TISAX, double and multiple assessments of the same sites, locations or scopes will be a thing of the past.

Participation in TISAX helps each participant save time and costs.  For more about the TISAX ENX Association, read more

Do you want to have your organization tested? Speak to an expert today.

Before you leave…
want to sign up for our newsletter?