TISAX® and VDA ISA explained clearly: implementing information security correctly in the automotive industry
In the automotive industry, information security is no longer a nice-to-have, but a key prerequisite for collaboration with OEMs and major suppliers. Development data, prototypes, production processes and personal data must be reliably protected. This is exactly where TISAX® comes in – the industry standard for information security in the automotive industry.
What is TISAX®?
TISAX® (Trusted Information Security Assessment Exchange) is an assessment and exchange procedure for information security operated by the ENX Association. It was developed specifically for the requirements of the automotive industry and has established itself as the de facto standard in Europe. Many OEMs now require their suppliers to have a valid TISAX® label in order to be able to share sensitive information.
TISAX® is largely based on the international ISO 27001 standard for information security management systems (ISMS), but goes beyond this in some areas. The focus is on typical scenarios in the automotive industry, such as the handling of development data, prototype protection, physical security requirements at sites or collaboration with external service providers.
A central feature of TISAX® is the exchange concept. Companies have themselves assessed once by an accredited assessment service provider and can then share the TISAX® label obtained with several business partners via the ENX platform. This avoids the need for each company to carry out its own individual security assessments of its suppliers.
What is the VDA ISA?
The content of TISAX® is based on the VDA ISA questionnaire. VDA ISA stands for Information Security Assessment of the German Association of the Automotive Industry. This questionnaire defines the requirements that a company must fulfill in order to demonstrate an appropriate level of information security in accordance with TISAX®.
The VDA ISA essentially covers two areas. The first is the requirements for an information security management system, i.e. the structures, processes, guidelines and controls with which information security is systematically managed. The second is a set of specific data protection requirements for suppliers in the automotive industry, particularly when personal data of customers, employees or test persons is processed.
The questionnaire is divided into different subject areas, for example organization of information security, physical security, access control, operational security, supplier management or incident management. Specific requirements are formulated for each topic, which are evaluated as part of the assessment. Companies can download the current version of the VDA ISA questionnaire directly from the ENX Association and use it for self-assessment.
TISAX®, ISO 27001 and ISMS – how are they connected?
Many companies ask themselves whether they need an ISMS in accordance with ISO 27001 in order to achieve TISAX®. Basically, TISAX® is strongly oriented towards ISO 27001, but is not a classic certification procedure according to this standard. Instead of an ISO certificate, companies receive a TISAX® label, which is provided via the ENX platform.
Nevertheless, a structured ISMS is a key success factor. Anyone who has already set up an ISMS in accordance with ISO 27001 has a very good foundation. The requirements of the VDA ISA can then often be covered with manageable additional effort. Companies without an existing ISMS should establish the key elements of a management system as part of TISAX® preparation, such as roles and responsibilities, policy landscape, risk management, catalog of measures and continuous improvement.
How Syngenity® GmbH supports companies on the TISAX® path
The path to a TISAX® label is complex for many organizations. In addition to technical requirements, time pressure, internal resources and customer expectations also play a role. Syngenity® GmbH helps companies not only to pass TISAX® but also to integrate it into the organization in a sustainable way.
The first step is a gap analysis and readiness check. This involves systematically comparing the current security status with the requirements of the VDA ISA and the desired TISAX® assessment level. The result is a clearly prioritized action plan that shows which gaps need to be closed in order to achieve the desired label.
Building on this, Syngenity® GmbH provides support in setting up or optimizing the information security management system. This includes the structured introduction or further development of guidelines, processes and controls that are closely aligned with the VDA ISA requirements. The goal is an ISMS that not only exists on paper, but works in everyday life and is understood and practiced by employees.
Another key component is documentation and evidence. Numerous documents must be provided for the TISAX® assessment, such as guidelines, process descriptions, risk analyses, protocols, training certificates or technical configurations. Syngenity® GmbH provides support in the creation, structuring and targeted preparation of these documents so that they can be presented in the assessment in a coherent and comprehensible manner.
As part of the audit support, Syngenity® GmbH accompanies companies through the entire assessment process. This includes preparing for interviews with the audit service provider, simulating typical questions, coordinating the line of argumentation and providing support during spot checks and on-site audits. This gives companies a sparring partner who knows both the requirements of the auditors and the internal challenges.
The work does not end after a successful assessment. TISAX® labels are valid for a limited period and re-assessments must be planned. Syngenity® GmbH therefore attaches great importance to sustainable implementation. This includes training and awareness-raising measures for employees, the establishment of a continuous improvement process and early preparation for follow-up assessments. In this way, TISAX® becomes an integral part of the company’s security and compliance culture.
Advantages of working with Syngenity® GmbH
The combination of a deep understanding of the automotive industry, sound information security expertise and a pragmatic approach enables Syngenity® GmbH to efficiently lead companies to a TISAX® label. The focus is on keeping the effort for the organization as low as possible and at the same time achieving a high level of security with noticeable added value.
Companies benefit from clear structures, comprehensible recommendations for action and support that covers both strategic and operational aspects. This means that TISAX® is not a one-off project, but a building block for long-term information security.






