1. The Early Days: ISO 27001 Hits the Road
In the late 2000s and early 2010s, automotive OEMs like BMW, Mercedes, Volkswagen, as well as suppliers like Bosch, Mahle-Behr, Rheinmetall, and ZF faced increasing pressure to protect intellectual property, development prototypes, and sensitive customer data. As vehicles became connected and digitalization spread across engineering, production, and logistics, the need for structured Information Security grew rapidly.
Complicating matters is the deeply layered, or tiered structure of the automotive supply chain. OEMs might directly manage their Tier 1 suppliers, but once information and assets move further downstream – to Tier 2, Tier 3, and beyond – visibility and control diminish sharply. Even component-level suppliers or basic service providers found themselves in risky positions, as their data could end up in the hands of partners far removed from their original business relationships. This interdependency meant that data security policies couldn’t be confined to individual companies. They had to be comprehensive and industry-wide.
To address emerging threats, many manufacturers adopted ISO 27001, the globally recognized standard for Information Security Management Systems (ISMS). However, ISO 27001 by itself wasn’t sufficient to address these concerns. Each OEM developed custom extensions – addressing their own risk priorities like prototype protection, lab security, or early GDPR-style privacy safeguards – creating a patchwork of overlapping, non-aligned security standards.
2. A Tower of Babel: Supplier Confusion & Audit Fatigue
This decentralized approach led to widespread confusion and inefficiency. Suppliers working with multiple OEMs were forced to navigate slightly different versions of essentially the same requirements, each with unique structures, naming conventions, and audit expectations.
For example, BMW, Daimler, Volkswagen, and others all had their own internal information security catalogs. Though each was based on ISO 27001, the lack of uniformity resulted in duplicate audits, redundant documentation, and wasted resources. Suppliers often had to “translate” between similar controls simply because of formatting or terminology differences. The situation became increasingly unsustainable as more global OEMs and suppliers joined the digital transformation journey.
3. Open Channel: ENX & the VDA ISA Framework
Recognizing the inefficiencies and growing frustration and being again a leader in all things automotive, German OEMs rallied around the VDA (Verband der Automobilindustrie – German Association of the Automotive Industry) around 2015 to co-develop a unified framework for assessing and managing Information Security risks. The goal was to pick the cherries off all company specific standards to coherently increase Information Security, Prototype Protection, Data Protection, and Business Continuity.
Another new Information Security challenge at the time was the introduction of the GDPR in 2016, the General Data Protection Regulation mandated by the EU, which holds any organization to strict standards and threatens with stiff penalties for non-compliance when handling personally identifiable information of EU citizens – even organizations outside of the EU. Once again, the intense collaboration of suppliers and service providers over several layers or tiers in the supply chain exposed all players to tremendous risks. Simply sharing the names of project team members or department heads without prior consent became a problem. It was obvious that the GDPR and Data Protection in general needed to become a major aspect of the new standard.
The result of this targeted collaboration was the “VDA Information Security Assessment (VDA‑ISA) Catalog”: a structured control framework grounded in ISO 27001 and its crucial Annex A, but tailored with automotive-specific requirements, including cross-company data exchange, prototype protection, and supplier maturity levels. It also included key Data Protection controls.
Simultaneously, the ENX Association – an organization that had managed secure data exchange across the automotive industry since 2000 – was chosen as the neutral governance body. ENX would provide oversight, certify auditors, and serve as the trusted exchange platform for assessment results.
4. Enter TISAX®: A Unified Label for Infosec Readiness
In 2017, the VDA and ENX formally launched TISAX® (Trusted Information Security Assessment Exchange), a milestone initiative that transformed fragmented policies into a standardized, scalable, and mutual recognition system for Information Security in the automotive sector.
TISAX® introduced:
A common assessment framework based on VDA‑ISA, aligned with ISO 27001 and GDPR
Assessment levels (self-assessment, remote audit, on-site audit) tailored to risk sensitivity
A labeling system that suppliers and partners could share securely across the industry
Governance and certification oversight managed by ENX to ensure neutrality and integrity
With TISAX®, OEMs and suppliers no longer had to duplicate efforts. Instead, a single, accredited assessment could be accepted across the entire supply chain, streamlining compliance while boosting trust.
5. Why TISAX® Changed the Game
TISAX® addresses long-standing challenges in automotive Cybersecurity and vendor management. By unifying the expectations of major players, it eliminates redundancy, reduces audit fatigue, and helps organizations of all sizes mature their InfoSec posture.
Key benefits included:
Efficiency: One assessment shared across multiple customers, scalable to the risk exposure
Clarity: A single set of expectations for all tiers of the supply chain
Relevance: Controls tailored specifically to automotive risks
Trust: Accredited audits governed by a neutral body (ENX)
TISAX® continues to evolve, with regular updates to the VDA‑ISA catalog (e.g., version 5.0 in 2020, version 6.0 in 2024), addressing emerging risks and regulatory changes across Europe and beyond.
6. Beyond IT and Prototypes: TISAX® Reaches Deep into the Supply Chain
TISAX® isn’t just for companies handling sensitive engineering data or developing prototype vehicles. As OEMs adopt a holistic approach to Information Security, the requirements now extend to a broad range of partners across the entire value chain.
This includes suppliers and service providers in automation, manufacturing systems, material handling, logistics, installation, maintenance, and even marketing. Even companies that don’t deal directly with vehicle designs or customer data may be required to meet TISAX® standards. Especially if they interact with clients or suppliers on-site, manage connected systems, or have access to secure facilities and infrastructure.
The rationale is simple: every connected system and contracted worker represents a potential risk vector. Whether it’s a conveyor PLC connected to the plant network, a warehouse worker with remote access, or a service technician operating under NDA—Information Security is no longer a siloed IT function, but an operational imperative. TISAX® provides a standardized way to assess and mitigate those risks consistently across all supplier and service layers.
7. Going Global: TISAX® Expands Beyond Germany
While TISAX® originated in Germany to resolve fragmented OEM-specific standards, it has since grown into a globally recognized InfoSec benchmark in the automotive industry. German OEMs such as BMW, Mercedes-Benz, and Volkswagen continue to lead its enforcement, but multinational manufacturers – including Stellantis, Ford, and others – are now mandating TISAX® compliance across their global supply chains.
Suppliers and service providers may be surprised to find a binding TISAX® mandate in their existing contractual agreements already – their customer just hasn’t enforced and audited it yet across the board.
This reflects a broader shift toward consistent, auditable Information Security practices across international operations. TISAX® enables OEMs to apply uniform expectations for risk management, data protection, and supplier trust, regardless of geography.
Notably, China currently ranks second globally in TISAX® adoption, right after Germany. Chinese suppliers are rapidly certifying to align with European OEM requirements and to position themselves as trusted global partners – as well as to protect their own proprietary and operational information assets from others.
In contrast, many U.S.-based suppliers are still catching up, even as TISAX® becomes a de facto requirement for accessing sensitive projects involving prototype data, connected systems, or shared platforms. As the industry continues to become more interconnected, TISAX® is no longer a European initiative. It’s a global standard for Cybersecurity readiness in the automotive supply chain.
German OEMs like Volkswagen and BMW have already made TISAX® mandatory for future bids in the US, with the years between 2024 and 2026 being the last warning for their supplier base. Suppliers and service providers are well-advised to get on the bus now before they find themselves excluded from the approved vendor lists they relied upon.
#TISAX #ISMS #InfoSec #InformationSecurity #CyberSecurity #ISO27001 #RiskManagement #Automotive #GSInfoSec #NIST #CMMC #CRA #CyberResilience
Disclaimer
This article is intended for informational purposes only. Granite State InfoSec Consulting (GSIS), the author, and this publication are not affiliated with, endorsed by, or officially connected to the ENX Association or the TISAX® program. TISAX® is a registered trademark governed by the ENX Association. All references to TISAX® are made strictly for educational and illustrative purposes.
