TISAX (Trusted Information Security Assessment Exchange) is the automotive industry's mechanism for assessing and sharing information security maturity. It is governed by the ENX Association and based on the VDA ISA (Information Security Assessment) catalogue developed by the German automotive industry. Suppliers are assessed by accredited audit providers and exchange results with partners on the ENX portal.

Is TISAX a certification?

Strictly speaking, TISAX produces an assessment result and a label rather than a certificate. A successful assessment yields labels (for information security, prototype protection, and/or data protection) that are shared with customers through the ENX portal and are typically valid for three years.

What are the assessment levels?

TISAX defines assessment levels AL1, AL2, and AL3 reflecting increasing rigor — from self-assessment-based to in-depth audits with evidence review and on-site or remote validation. The level and labels required are set by the OEM or customer requesting the assessment.

How does TISAX relate to ISO 27001?

The VDA ISA catalogue is closely aligned with ISO/IEC 27001, so organizations with an existing ISMS already satisfy much of TISAX. episki maps your ISO 27001 controls to the ISA catalogue so the overlap is reused rather than rebuilt.

TISAX, without the spreadsheet

Prepare for your TISAX assessment

The VDA ISA catalogue implemented as living controls, scoped to the right assessment level and labels, with evidence ready for your audit provider and the ENX portal.

Start free trial Book a demo

What is TISAX?

TISAX — the Trusted Information Security Assessment Exchange — is how the automotive industry assesses and shares information security maturity across its supply chain. It is governed by the ENX Association and built on the VDA ISA (Information Security Assessment) catalogue created by the German automotive industry association. Rather than each OEM auditing each supplier, suppliers undergo a single assessment by an accredited audit provider and exchange the results with partners on the ENX portal.

Labels and assessment levels

A TISAX assessment is scoped by labels — information security, prototype protection (for organizations handling pre-series parts and vehicles), and data protection (aligned with GDPR) — and by assessment level (AL1, AL2, or AL3), which determines how rigorous the audit is. The OEM or customer requesting the assessment specifies the labels and level required. A successful assessment yields labels that are typically valid for three years.

How TISAX relates to ISO 27001

The VDA ISA catalogue is closely aligned with ISO/IEC 27001, so an organization with a mature ISMS already meets a large share of TISAX requirements. The main differences are the automotive-specific prototype-protection controls and the maturity-based scoring model.

How episki helps

episki implements the VDA ISA catalogue as living controls with maturity scoring, helps you scope the right level and labels, and cross-maps the catalogue to your ISO 27001 program — so preparing for a TISAX assessment reuses the security work you already do and produces a clean evidence package for your audit provider.

TISAX outcomes with episki

Quantify the impact security and compliance brings to your business.

VDA ISA

The automotive industry's Information Security Assessment catalogue, as controls.

AL1 / AL2 / AL3

Scope to the assessment level your customer requires.

ENX shared

Results exchanged with partners on the ENX portal, valid for three years.

Why teams choose episki for TISAX

Framework-specific automation, collaboration, and reporting in one workspace.

VDA ISA as controls

The TISAX questionnaire implemented as a living control library.

Information security control catalogue
Prototype protection where in scope
Data protection module aligned to GDPR

Scoped to the right level

Match the assessment level and labels your OEM or supplier requires.

Assessment levels AL1, AL2, and AL3
Information security, prototype, and data protection labels
Maturity-based scoring per control

Reuse your security program

TISAX overlaps heavily with ISO 27001 controls you may already hold.

Crosswalk to ISO 27001 Annex A
Evidence shared with SOC 2 and NIST CSF
One control set, multiple audiences

TISAX readiness inside episki

What an automotive supplier needs in place.

Plug episki into your stack and work directly from this checklist during the free trial.

✓ Scope and assessment-level determination
✓ VDA ISA information-security controls implemented
✓ Prototype protection controls (if in scope)
✓ Data protection module (if in scope)
✓ Maturity-level evidence per control
✓ Audit-provider evidence package and ENX exchange

TISAX accelerators

TISAX readiness accelerators

Get assessment-ready and share results with partners faster.

ISA control library

The VDA ISA catalogue as living controls with maturity scoring.

Scope and label selector

Pick the assessment level and labels your customer requires.

ISO 27001 crosswalk

Reuse your ISMS evidence against the ISA catalogue.

TISAX frequently asked questions

Get TISAX-ready in episki

Implement the VDA ISA catalogue once and reuse your ISO 27001 evidence to get there.

Start free trial Book a walkthrough