VDA ISA / TISAX
The German automotive industry's information security assessment catalogue, audited through the TISAX scheme managed by the ENX Association.
VDA ISA (Information Security Assessment) is the information security questionnaire developed by the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA). It defines the security requirements that automotive OEMs and their suppliers are expected to meet when handling sensitive information, including prototype data, personal data, and technical development secrets.
TISAX (Trusted Information Security Assessment Exchange) is the audit and exchange mechanism operated by the ENX Association that makes VDA ISA assessments shareable across the automotive supply chain. Instead of completing separate security audits for each customer, a supplier undergoes a single TISAX assessment by an accredited audit provider. The resulting label is then shared through the TISAX exchange platform with authorized participants.
TISAX assessments cover three maturity levels and additional scope options, including prototype protection and data protection (GDPR). For any organization supplying to major automotive OEMs such as BMW, Volkswagen, Mercedes-Benz, or their tier-1 suppliers, a valid TISAX label is increasingly a mandatory contractual prerequisite.
Legal Basis
VDA ISA (current version); ENX TISAX Participant Handbook; GDPR (for TISAX data protection label)
Practical Example
An engineering consultancy that supports automotive development projects is asked by a new OEM customer to provide proof of TISAX compliance before receiving access to prototype CAD data. The consultancy registers on the ENX portal, selects the appropriate assessment scope (including prototype protection), and books an audit with an accredited TISAX audit provider. After the consultancy successfully completes the assessment, the TISAX label is shared with the OEM through the exchange platform, enabling the project to proceed.