TISAX Requirements - TISAX - solution

TISAX® Implementation guide with TX® solution
ISO 22301 Beratung
Advantage through knowledge
TISAX® Implementation guide
Advantage - through knowledge
Beratung zu TISAX VDA ISA
Go to content

What has to be implemented for TISAX - which requirements have to be met?

TISAX® requirements

TISAX requirements according to VDA ISA audit catalog
The question of what needs to be implemented for TISAX - in simplified terms - is to achieve maturity level 3 of the VDA ISA audit catalog for the processes and measures to implement the two required protection goals (high and very high).

The basis for the TISAX assessment is the VDA Information Security Assessment (VDA ISA). It is provided by the VDA in the form of a VDA ISA question catalog/test catalog with the parts information security (ISMS), data protection and prototype protection.

In the area of ISMS, this examination catalog is based on ISO standards 27001, ISO 27002 and ISO 27017 for cloud security. In the area of data protection, it is based on the requirements of the DS-GVO and BDSG-neu in Germany.  The maturity level is determined on the basis of ISO 15504 in levels from 0-5. Maturity level 3 must be implemented.

Some of the requirements of ISO 27001/27002 have been combined into requirement points in the VDA ISA audit catalog, and some have not been adopted. The VDA ISA audit catalog has protection requirement classes "high and very high" and is supplemented with automotive own measure requirements compared to ISO 27001.
The VDA ISA question catalog can be viewed and downloaded here:
DOWNLOAD VDA ISA Questionnare en:            VDA ISA Qustionaire

For the English version you have to change the language in the window to "EN" at VDA.

VDA ISA audit catalog - what needs to be implemented?

Implementation of an ISMS

In the area of information security, a complete information security management system (ISMS) must be established. This is usually done on the basis of ISO 27001 chapters 4 to 10.
In the second area of requirements, the requirements of security areas 1 to 7 must be implemented. To this end, the risks must be assessed and appropriate risk countermeasures defined. The implementation must meet at least maturity level 3. This means that processes and regulations must be created and the operational implementation and execution must be documented by means of evidence.

A results table of the VDA ISA provides the requirements for the ISMS in a compact form:

TISAX VDA ISA spin diagram
The audit area of information security with the ISMS is very extensive. It comprises more than 400 individual requirements. In addition to ISO 27001, measure requirements for "high and very high protection needs" and cloud requirements have been included.

In addition to the information security module, data protection (order processors) and prototype protection must also be fulfilled, depending on customer requirements. For data protection, it is always the case that the company must fulfill this for its own company - this is checked in the information security module Compliance. The implementations must meet the requirements of VDA ISA maturity level 3 in order to pass the assessment positively. In most cases, a single missing implementation leads to the assessment being aborted.

It is astonishing what is published on the Internet. Even an employee of an auditing organization states that TISAX would cause less effort than ISO 27001. This is justified by the fact that ISO 27001 has 119 requirements and TISAX only 52. This is not correct because TISAX has 52 main requirements with a total of over 400 individual requirements. These are created by high and very high protection requirements and the + requirements.

TISAX implementation with tools (forms and SW)

TISAX has a complex requirements structure and should not be underestimated. The VDA ISA uses many terms which companies often cannot interpret correctly and also interpret incorrectly - how should they know? The maturity levels refer to processes - but companies often do not define any. Even if a process is explicitly mentioned in the requirement or a procedure of the VDA ISA, we see in assessments that the company has not defined one - thus main deviation - no label. A classic is also "established". This term has its own meaning in the assessment and cannot be fulfilled with a set of forms or most software solutions.
TISAX process maturity
As the process definition PA3.1 of VDA ISA 5 specifies, the sequence and interaction of the standard process with other processes must be determined for maturity level 3. This means that the interdependency between processes must be shown.

As can be seen from these examples, specific knowledge is needed to implement TISAX. This includes a knowledge and experience in the field:

  • Management systems according to ISO standards,
  • Process modeling knowledge,
  • Organizational knowledge,
  • Deep technical knowledge of IT,
  • Data protection knowledge
  • Comliance knowledge
  • Training knowledge, etc.

Already from these points of requirement it is obvious that here a high requirement results in the conversion of TISAX in the organization conversion and the coworker integration.
The requirements of TISAX and VDA ISA are about processes, responsibilities, risk assessments, risks and risk countermeasures, regulations such as guidelines, procedural instructions, instruction of employees, legal obligations, training, and so on.

It is therefore surprising what solutions are advertised on the Internet for these TISAX requirements. The simplest category of solutions are form sets. We know almost all of them from many projects - because failed projects had started with these or customers who did not come to a solution with them - asked us for help. These templates were too superficial to meet the requirements of a TISAX assessment. They were mostly based on ISO 27001 and did not fully cover the TISAX specific documents. Often they were just "document shells" and the customers still did not know what they really had to document for TISAX. They also only support the documentation - but not the other requirements. On the Internet you can even find statements about form sets, that with this form solution the customer would be ready for TISAX in 14 days. This makes it clear that this provider has no idea about TISAX, because VDA ISA 5 describes the following requirement under maturity level 3: "A standard process is followed that is integrated into the overall system. Dependencies on other processes are documented and suitable interfaces have been created. Evidence exists that the process has been used sustainably and actively over a longer period of time."

This already gives the answer - a longer period of active use is required - this should be estimated at 2 - 3 months, and processes, interfaces and interactions cannot be fulfilled with sets of forms - it needs more. Important are above all the proofs for the active conversion of the processes and these can not be mapped in form sets also.

The second category of solutions are the offered software solutions. But in most cases, these also do not meet the full TISAX requirements, as they are usually "upgraded solutions" from data protection or ISO 27001 software solutions. However, the process-related requirements are not met by these software offerings. A simple question about the representation of the interaction of the processes quickly separates the "wheat from the chaff" here.

Third solution category are external consultants. Here, you are usually better off if you have a good consultant who covers the areas of competence described above. However, finding such a consultant is usually not easy, not even the auditing organizations can find enough TISAX auditors. It is also important to note that an ISO 27001 consultant is far from being a TISAX consultant. Many providers on the market "think" they have the competence - for example, as a system house they cover the IT topics or have basic knowledge of ISO 27001, but they have lack comprehensive TISAX knowledge.

A TISAX implementation is a complex project. Even small companies are required to fulfill all VDA ISA requirements. Exclusion of requirements is only possible in very rare cases. For a project implementation, 6 to 15 months should be calculated. Depending on complexity, locations, employees and IT implementation.
Information about TISAX VDA ISA Questionnare .....
Info  ENX:                                                              Informationen TISAX
Download ENX Participant Manual:                     ENX TISAX Paticipant Manual
Download Info VDA:                                          TISAX and VDA ISA
VDA ISA Questionnaire
Download VDA ISA Questionnaire:                VDA ISA Questionnaire
VDA Press Release
Press Release VDA:                                           VDA Pressrelease zu TISAX
Definition:                                                              Wiki declaration TISAX
Automobil Industrie
Publication TISAX dt.:                                     Zertifiziert oder außen vor
Interesting links:
We can help you with all your questions about the Trusted Information Security Exchange procedure
This site is operated by CONSUVATION GmbH.
+49 (0) 7031.4181-860
Ziegelstraße 20
71063 Sindelfingen
Here you will find information
about our company
09:00  - 17:00

If you do not want to use the contact form, you can also send us an email or call us directly. We process your data from the contact form or email exclusively for processing your request and do not pass them on to third parties. We comply with the requirements of the Data Protection Regulation (DS GVO) and BDSG-neu.
Here you will find information about
Data protection
Back to content