Fib.Code
TISAX (Trusted Information Security Assessment Exchange) is the industry standard for information security required by OEMs and Tier 1 suppliers in the automotive supply chain. Without a TISAX label, it's increasingly difficult to maintain or win contracts in the automotive sector. We guide organizations through the entire process — from initial audit to successful assessment.
Tier 1 and Tier 2 suppliers to OEMs (VW, BMW, Mercedes, Stellantis, etc.)
Engineering and design firms working with the automotive industry
Electronic component and software manufacturers for automotive
Logistics companies serving the automotive supply chain
Any organization whose automotive partner requires a TISAX label
Comprehensive TISAX preparation — from initial audit to external assessment support
VDA ISA initial audit — assessment of current information security status against TISAX requirements for the selected Assessment Level. Gap identification and prioritization.
Implementation plan — designing the path to compliance considering organizational specifics, available resources, and required assessment timeline.
Control implementation — deploying technical and organizational safeguards, building documentation, prototype protection, staff training.
Internal audit — readiness verification for external assessment. Simulated assessment under near-real conditions.
External assessment — support during assessment by an accredited TISAX auditor. Assistance in addressing any nonconformities.
Label maintenance — periodic reviews, documentation updates, preparation for re-assessment.
TISAX is based on VDA ISA, which extends ISO 27001 with automotive-specific requirements: prototype protection, supply chain security, and automotive data protection. ISO 27001 certification facilitates the path to TISAX but doesn't replace it.
Typically 3 to 9 months, depending on organizational maturity and required Assessment Level. A company with ISO 27001 may be ready in 3–4 months. An organization starting from scratch needs 6–9 months.
TISAX has 3 levels: AL1 (self-assessment), AL2 (assessment with verification — most commonly required), AL3 (comprehensive assessment — for highly confidential information and prototypes). Higher levels mean more rigorous assessment.
Yes — TISAX doesn't restrict organization size. For smaller companies, the implementation scope is proportionally smaller. The key is meeting VDA ISA requirements for the selected Assessment Level.
A TISAX label is valid for 3 years from the assessment date. Re-assessment is required after that. In the meantime, the organization should maintain and improve implemented safeguards.