Get through the TISAX assessment process and share the assessment result with your partner

Published by

ENX Association
an Association according to the French Law of 1901,
registered under No. w923004198 at the Sous-préfecture of Boulogne-Billancourt, France

20 rue Barthélémy Danjou, 92100 Boulogne-Billancourt, France
Bockenheimer Landstraße 97-99, 60325 Frankfurt am Main, Germany


Florian Gleich









ENX doc ID:


All rights reserved by ENX Association.
ENX, TISAX, and their respective logos are registered trademarks of ENX Association.
Third party trademarks mentioned are the property of their respective owners.

1. Overview

1.1. Purpose

Welcome to TISAX, the Trusted Information Security Assessment Exchange.

One of your partners requested that you prove that your information security management complies with a defined level according to the requirements of the “Information Security Assessment” (ISA). And now you want to know how to fulfil this request.

The purpose of this handbook is to enable you to fulfil your partner’s request — or to have an edge by anticipating it before a partner asks for it.

This handbook describes the steps you need to take to pass the TISAX assessment and to share your assessment result with your partner.

Establishing and maintaining an information security management system (ISMS) is already a complex task. Proving to your partner that your information security management is up to the job adds even more complexity. This handbook won’t help you manage your information security. However, it aims to make the work of proving your efforts to your partner as easy for you as possible.

1.2. Scope

This handbook applies to all TISAX processes that you may be part of.

It contains all you need to know to go through the TISAX process.

The handbook offers some advice on how to deal with the information security requirements at the core of the assessment. But it does not aim to generally educate you on what you need to do to pass the information security assessment.

1.3. Audience

The main audience of this handbook are companies that need or want to prove a defined level of information security management according to the requirements of the “Information Security Assessment” (ISA).

As soon as you are actively involved in TISAX processes, you will benefit from the information provided in this handbook.

Companies that are requesting their suppliers to prove defined levels of information security management will benefit, too. This handbook allows them to understand what their suppliers are required to do to fulfil their request.

1.4. Structure

We begin with a brief introduction of TISAX, then we immediately move on with instructions on HOW to do things. You will find all you need to go through the process — in the order you need to know it.

The estimated reading time for the document is 75-90 minutes.

1.5. How to use this document

Sooner or later, you will probably want to understand most of what is described in this document. To be properly prepared, we recommend reading the entire handbook.

We structured the handbook along the three main steps of the TISAX process, so you can go to the section you need and read the rest later.

The handbook uses illustrations to help you improve your understanding. The colours in the illustrations often have additional meaning. We therefore recommend reading the document on a computer screen or as a colour hard copy.

We appreciate your feedback. If you think something is missing in this handbook or is not easy to understand, please don’t hesitate to let us know. We and all future readers of this handbook will be thankful for your feedback.

If you have already used a prior version of the TISAX participant handbook, you may find some helpful notes at the end of the document in Section 8, “Document history”.

1.6. Contact us

We’re here to guide you through the TISAX process and to answer any questions you may have.

Send us an email at:

Or call us at:

+49 69 9866927-77

You can reach us during regular business hours in Germany (UTC+01:00).

We all speak English and German. One colleague is a native speaker of Italian.

1.7. The TISAX participant handbook in other languages and formats

The TISAX participant handbook is available in the following languages and formats:

Language   Version   Format   Link
English
German
French     2.3 beta
Chinese    2.3 beta
Spanish    2.3 beta

Important note:

The English version is the leading version.
All other languages are translations of the English version.
In case of doubt, the English version is authoritative.

1.7.1. About the online format

Each section has a unique ID (format: ID1234).
An ID references a specific section, regardless of the language.
If you want to link to a specific section, you can:

  • right-click on the section title and copy the link, or

  • click the section title and copy the link from the address bar of your browser.

Most figures are available in a larger size than displayed here by default. Click on the figure to open the larger version.

1.7.2. About the offline format

The offline format retains most features of the online format. Most notably, the figures are embedded in the HTML file. You need only one file to use the offline format.

Compared to the online format, the offline format comes without:

  • the larger images

  • the original fonts of the online format
    Your browser’s defaults define the fonts.

1.7.3. About the PDF format

The PDF format is based on the online format. We basically use a browser to save the online format as a PDF.

If you use the PDF format on your computer, you can still click all the references. But if you print the PDF version, you won’t have things like page numbers and you will have to look up the references yourself.

2. Introduction

The following sections introduce the TISAX concept.

If you are in a hurry, you can skip them and start right away at Section 4.3, “Registration preparation”.

2.1. Why TISAX?

Or rather, why are you here?

In order to answer this question, we will start with some thoughts about doing business in general and protecting information in particular.

Imagine your partner. He has confidential information. He wants to share it with his supplier — you. The cooperation between you and your partner creates value. The information your partner shares with you is an important part of this value creation. Therefore, he wants to protect it appropriately. And he wants to be sure that you are handling his information with the same due care.

But how can he be sure that his information is in good hands? He can’t just “believe” you. Your partner needs to see some proof.

Now there are two questions. Who defines what “secure” handling of information means? And next, how do you prove it?

2.2. Who defines what "secure" means?

You and your partner are not the only ones facing these questions for the first time. Almost everyone has to find answers to them and most of the answers will share similarities.

Instead of independently creating a solution for a common problem every time, a standard way of doing it removes the burden of creating everything from scratch. While defining a standard is a huge effort, it is made only once and those who follow it benefit every time.

There are surely different views of what’s the right thing to do for protecting information. But due to the aforementioned benefits, most companies settle on standards. A standard is the condensed form of all proven and time-tested best practices for a given challenge.

In your case, standards like ISO/IEC 27001 (about information security management systems, or ISMS) and their implementation establish a state-of-the-art way to securely handle confidential information. A standard like this saves you from having to reinvent the wheel every time. More importantly, standards provide a common basis when two companies need to exchange confidential data.

2.3. The automotive way

By nature, industry-independent standards are designed as one-size-fits-all solutions rather than tailored to specific needs of automotive companies.

A long time ago, the automotive industry formed associations that aimed — among other goals — to refine and define standards that suit their more specific needs. The “Verband der Automobilindustrie” (VDA) is one of them. In the working group that deals with information security, several members of the automotive industry came to the conclusion that they have similar needs to tailor existing information security management standards.

Their joint efforts led to a questionnaire that covers the automotive industry’s widely accepted information security requirements. It is called the “Information Security Assessment” (ISA).

With the ISA, we now have an answer to the question “Who defines what “secure” means?” Through the VDA, the automotive industry itself offers this answer to its members.

2.4. How to prove security efficiently?

While some companies use the ISA for internal purposes only, others use it to assess the maturity of the information security management of their suppliers. In some cases, a self-assessment is sufficient for the business relationship. However, in certain cases, companies conduct a complete assessment of their supplier’s information security management (including on-site audits).

Along with generally increasing awareness of the need for information security management and the spreading adoption of the ISA as a tool for information security assessments, more suppliers were facing similar requests from different partners.

Those partners still applied different standards and had varying opinions on how to interpret them. But the suppliers essentially had to prove the same things, just in different ways.

And the more suppliers were asked by their partners to prove their level of information security management, the louder their complaints about the repeated effort grew. Showing auditor after auditor the same information security management measures is simply not efficient.

What can be done to make this more efficient? Wouldn’t it help if the report of any auditor could be reused for different partners?

OEMs and suppliers in the ENX working group that is responsible for maintaining the ISA listened to their suppliers’ complaints. Now they offer an answer to their suppliers as well as to all other companies in the automotive industry to the question “How to prove security?”

The answer is TISAX, short for “Trusted Information Security Assessment Exchange”.

3. The TISAX process

3.1. Overview

The TISAX process usually[1] starts with one of your partners requesting that you prove a defined level of information security management according to the requirements of the “Information Security Assessment” (ISA). To comply with that request, you have to complete the 3-step TISAX process. This section gives you an overview of the steps you need to take.

The 3-step TISAX process consists of the following steps:

Figure 1. TISAX process overview
  1. Registration
    We gather information about your company and what needs to be part of the assessment.

  2. Assessment
    You go through the assessment(s), which are conducted by one of our TISAX audit providers.

  3. Exchange
    You share your assessment result with your partner.

Each step consists of sub-steps. These are outlined in the three sections below and described in detail in their respective sections further down.


Please note:

While we would certainly like to tell you how long it will take you to get your TISAX assessment result, we kindly ask for your understanding that it is not possible for us to forecast this in a reliable way. The overall duration of the TISAX process depends on too many factors. The wide variety of company sizes and assessment objectives plus the respective readiness of an information security management system make this impossible.

3.2. Registration

Your first step is the TISAX registration.

The main purpose of the TISAX registration is to gather information about your company. We use an online registration process to help you provide us with this information.

It is the prerequisite for all subsequent steps. It is subject to a fee.

During the online registration process:

  • We ask you for contact details and billing information.

  • You have to accept our terms and conditions.

  • You can define the scope of your information security assessment.

For a direct start with this step, please refer to Section 4, “Registration (Step 1)”.

The online registration process is described in detail in Section 4.5, “Online registration process”. But if you want to start right away, please go to:

3.3. Assessment

Your second step is going through the information security assessment.

There are four sub-steps:

  1. Assessment preparation
    You have to prepare the assessment. The extent of this depends on the current maturity level of your information security management system. Your preparation has to be based on the ISA catalogue.

  2. Audit provider selection
    You have to choose one of our TISAX audit providers.

  3. Information security assessment(s)
    Your audit provider will conduct the assessment based on an assessment scope that matches your partner’s requirements. The assessment process will consist of the initial audit at a minimum.
    If your company does not pass the assessment right away, the assessment process may require additional steps.

  4. Assessment result
    Once your company passes the assessment, your audit provider will provide you with the official TISAX assessment report. Your assessment result will also receive TISAX labels[2].

For more information about this step, please refer to Section 5, “Assessment (Step 2)”.

3.4. Exchange

Your third and last step is to share your assessment result with your partner. The content of the TISAX assessment report is structured in levels. You can decide up to which level your partner will have access.

Your assessment result is valid for three years. Assuming you are still a supplier of your partner then, you will have to go through the three-step process again[3].

For more information about this step, please refer to Section 6, “Exchange (Step 3)”.

Now that you have a fundamental idea about what the TISAX process is, you will find instructions on how to complete each step in the following sections.

4. Registration (Step 1)

The estimated reading time for the registration section is 30-40 minutes.

4.1. Overview

The TISAX registration is your first step. It is the prerequisite for all subsequent steps.

The following sections will guide you through the registration:

  1. We start with explaining an essential new term.

  2. Then we advise you on what you should do to be prepared for the online registration process.

  3. Next, we guide you through the online registration process.

4.2. You are a TISAX participant

Let us first introduce a new term that is necessary to understand. So far, you have been the “supplier”. You are here to fulfil a requirement of your “customer”. TISAX itself however does not really differentiate between these two roles. For TISAX, everyone who registered is a “participant”. You — as well as your partner — “participate” in the exchange of information security assessment results.

Figure 2. Register to become a TISAX participant

To differentiate the two roles from the beginning, we refer to you, the supplier, as “active participant”. We refer to your partner as “passive participant”. As an “active participant” you get TISAX-assessed and you share your assessment result with other participants. The “passive participant” is the one who requested that you get TISAX-assessed. The “passive participant” receives your assessment result.

Figure 3. Passive participant and active participant

Any company can act in both roles. You might share an assessment result with your partner, while at the same time requesting your own suppliers to get TISAX-assessed.

Figure 4. TISAX participants can be active and passive at the same time

Requesting your own suppliers to get TISAX-assessed may even be especially advisable if your own suppliers are handling your partner’s information with protection needs as well.

4.3. Registration preparation

In this section, we give you recommendations on how to prepare for the registration. We describe the registration process itself in detail in Section 4.5, “Online registration process”.

Before you start going through our online registration process, we strongly recommend:

  • gathering information in advance

  • and taking some decisions.

4.3.1. The legal foundation

Typically, you need to sign two contracts. The first contract you enter is between you and ENX Association: The “TISAX Participation General Terms and Conditions” (TISAX Participant GTCs). The second contract is between you and one of our TISAX audit providers. For the registration, we will look at the first contract only.

The TISAX Participant GTCs govern our mutual relationship and your relationship with other TISAX participants. They define the rights and duties for all of us. Besides the usual clauses you will find in most contracts, they define the handling of the information exchanged and obtained during the TISAX process in detail. A key objective of these rules is to keep TISAX assessment results confidential. As all TISAX participants are subject to the same rules, you can expect appropriate protection of your TISAX assessment result by your partner (in his role as passive participant).

Quite early in the online registration process, we will ask you to accept the TISAX Participant GTCs. As this is a real contract, we recommend reading the TISAX Participant GTCs before starting the online registration process. One reason is that depending on your role in your company, you may need to obtain a clearance from an in-house or external lawyer.

You can download the “TISAX Participation General Terms and Conditions”[4] on our website at:

During the online registration process, we will ask you to check two mandatory checkboxes:

  • We accept the TISAX Participation General Terms and Conditions

  • We confirm knowledge of Applicant’s release of Audit Providers’ professional duties of secrecy acc. to Sec. IX.5. and X.3 of the TISAX Participation General Terms and Conditions;

We have the second checkbox because some of our TISAX audit providers are certified public accountants. They have special requirements regarding professional secrecy. Usually, the special requirements regarding professional secrecy prohibit the certified public accountants among our audit providers from sharing information with us. Particularly, this would cancel the control options we need for our governance role. Therefore, we need this release. You may want to pay special attention to those clauses before checking the box.

If you usually require a non-disclosure agreement (NDA) between you and anyone who handles confidential information, please examine the respective sections of our GTCs. They should address all your concerns. Moreover, you usually don’t have to provide us any confidential information at all.

Concluding the legal section, we ask for your understanding that the system depends on everyone accepting the same rules. We therefore can’t accept any additional general terms and conditions[5].

4.3.2. The TISAX assessment scope

In the second step of the TISAX process, one of our TISAX audit providers will conduct the information security assessment. He needs to know where to start and where to stop. That’s why you need to define an “assessment scope”.

The “assessment scope” describes the scope of the information security assessment. In simple terms, every part of your company that handles your partner’s confidential information is part of the assessment scope. You can consider it a major element of the audit provider’s task description. It dictates what the audit provider needs to assess.

The assessment scope is important for two reasons:

  1. An assessment result will only fulfil your partner’s requirement if the respective assessment scope covers all parts of your company that handle partner information.

  2. A precisely defined assessment scope is an essential prerequisite for meaningful cost calculations by our TISAX audit providers.


Important note:

ISO/IEC 27001 vs. TISAX

First, we have to differentiate two types of scopes:
1) the scope of your information security management system (ISMS) and
2) the scope of the assessment.
These two are not necessarily identical.

For the ISO/IEC 27001 certification, you define the scope of your ISMS (in the “scope statement”). You are completely free to define the scope of your ISMS. However, the scope of the assessment (also known as “audit scope”) must be identical with the scope of your ISMS.

For TISAX, you also have to define your ISMS. But the scope of the assessment can be different.

For the ISO/IEC 27001 certification, you can freely shape the scope of the assessment through the way you define the scope of your ISMS.

In contrast, for TISAX, the scope of the assessment is predefined. The scope of the assessment can be smaller than the scope of your ISMS. But it must be within the scope of your ISMS.

Scope description

The scope description defines the assessment scope. For the scope description, you have to choose one of two scope types:

  1. Standard scope

  2. Custom scope

    1. Custom extended scope

    2. Full custom scope

We discuss the standard scope in the following section. The standard scope is the right choice for well over 99% of all participants. Therefore, we only discuss the custom scopes in Section 7.8, “Annex: Custom scopes”.

Standard scope

The standard scope description is the basis for a TISAX assessment. Other TISAX participants only accept assessment results based on the standard scope description.

The standard scope description is predefined and you can’t change it.

A major benefit of having a standard scope is that you don’t have to come up with your own definition.

This is the standard scope description (version 2.0):

The TISAX scope defines the scope of the assessment. The assessment includes all processes, procedures and resources under responsibility of the assessed organization that are relevant to the security of the protection objects and their protection goals as defined in the listed assessment objectives at the listed locations.
The assessment is conducted at least in the highest assessment level listed in any of the listed assessment objectives. All assessment criteria listed in the listed assessment objectives are subject to the assessment.

We strongly recommend choosing the standard scope. All TISAX participants accept information security assessment results based on the standard scope.

Scoping

Your next task after defining the scope type is to decide which locations belong to the assessment scope.

If your company is small (one location), this is an easy task. You simply add your location to the assessment scope.

If your company is large, you can consider registering more than one assessment scope.

Having a single scope that contains all your locations has advantages:

  • You have one assessment report, one assessment result, one expiration date.

  • You can benefit from reduced costs for the assessment because a TISAX audit provider only has to assess your central processes, procedures and resources once.

But a single scope may have disadvantages such as:

  • All locations must have the same assessment objectives.

  • The assessment result is only available once the TISAX audit provider has assessed all locations. This fact may be relevant if you urgently need an assessment result.

  • The assessment result depends on all locations passing the assessment. If just one location fails, you won’t have a positive assessment result. A workaround for this is to: a) remove the location from the scope, b) solve the issues, c) add the location afterwards with a scope extension assessment.

Scope tailoring

The question whether to have just one scope or several scopes is one that only you can answer. But answering the questions in the following diagram may help you decide.

Figure 5. Scope tailoring decision tree

Please note:

Don’t let this decision intimidate you. You can change any scope as long as the audit provider hasn’t concluded the assessment.

For example, during your assessment preparation you may find that the scope does not fit — and change it accordingly. Or your audit provider may recommend changing the scope during the earlier stages of the assessment.

Additional notes:

  • Technically, you can’t change the assessment scope that you defined during the online registration process in the ENX portal. But the audit provider can update your assessment scope when he uploads your assessment result to the ENX portal.

  • Adding to the scope increases the fee and you won’t get a refund if you remove locations from the scope. Since the audit providers use the original scope as a basis for their cost calculation, you should also expect changes.

Scope locations

Now that you have decided which locations are part of your assessment scope, you can continue gathering some location-specific information.

For each location we ask for information like company name and address. We also ask for some additional information that allows our TISAX audit providers to get a better idea of your company structure. Your answers will be the basis of their effort estimations.

Please prepare yourself to provide the following details for each of your locations (the red asterisk * indicates mandatory information in the online process):

Table 1. Location-specific details
Field Options

Location Name *




Location Type *

Building(s) owned and used exclusively by company
Building(s) rented by company
Floor/office rented by company in a shared building
Office shared with other companies
Own Datacenter
Shared Datacenter

Passive Site Protection *


(Several selections possible)

Information Technology

  • ❏ IT Services

  • ❏ Telecommunication Services

  • ❏ Software Development


  • ❏ Consulting


  • ❏ Marketing

  • ❏ Agency

  • ❏ Printing Services

  • ❏ Photography

  • ❏ Translation Services

Research And Development

  • ❏ Vehicle Testing

  • ❏ Vehicle Simulation

  • ❏ Prototype Construction

  • ❏ Miniature Car Models

  • ❏ Development Services

  • ❏ CAx Development Services


  • ❏ Production Services

  • ❏ Contract Manufacturing

  • ❏ Shop Floor

  • ❏ Logistics

Sales And Aftersales

  • ❏ Import, NSC

  • ❏ Dealership

  • ❏ Financial Services

  • ❏ Insurance

  • ❏ Claims Settlement

Other Industry
(please enter)

Employees at Location: Overall *

More than 5.000

Employees at Location: IT *

More than 50

Employees at Location: IT Security *

Part Time
More than 25

Employees at Location: Location Security *

Part Time
More than 10

Certifications for this Location

ISO 27001
Other (please enter)
ISAE 3402


Please note:

Regarding the “Industry”: Select to the best of your knowledge. There is no right or wrong when selecting from the options above. If you can’t find an option that matches your type of business, just enter the appropriate option under “Other”.

For each location, you have to specify a “location name”. The purpose of the location name is to make it easier to refer to locations when you assign them to an assessment scope.

We recommend assigning location names based on the following pattern:


[Geographical reference]


for the fictitious company “ACME”

  • Frankfurt
    (for a location in the German city Frankfurt)

Scope name

For each scope, you have to specify a “scope name”. The main purpose of the scope name is to make it easy for you to identify a scope in the overview list of scopes in the ENX portal. You should assign a name that is helpful to the reader and your colleagues. For external communication, you should use the Scope ID.

You can specify any name you want. But you shouldn’t assign the same scope name for more than one scope.

When you later want to renew your TISAX assessment, you need to create a new scope (possibly identical to the current scope). We therefore recommend adding the year of the assessment to the scope name.

We recommend assigning scope names based on the following pattern:


[Geographical or functional reference] [Year of the assessment]


for the fictional company “ACME”

  • 2020
    (without geographical reference if your company has just one location)

  • Frankfurt 2020
    (for a scope with several locations in the German city of Frankfurt)

  • Lower Saxony 2020
    (for a scope with all locations in the German state of Lower Saxony)

  • Germany 2020
    (for a scope with all locations in the country of Germany)

  • EMEA 2020
    (for a scope with all locations in the EMEA region (“Europe, Middle East, Asia”))

  • Prototype development 2020
    (functional reference for a scope with all locations involved in developing prototypes)

Contacts

In order to communicate with you, we collect information about contacts at your company.

We ask for at least one contact for your company as TISAX participant in general and one for each assessment scope. You have the option to provide additional contacts.

During your registration preparations, you should decide who at your company will be a contact.

We ask for the following contact details:

Table 2. Contact details
Contact detail Mandatory? Example




Mrs., Mr.


Academic degree

Dr., Ph.D., other


First name




Last name




Job title


Head of IT




Information Technology


Primary phone number


+49 69 986692777


Secondary phone number


Email address



Preferred language


English (default)


Other languages

German, French


Personal address identifier

HPC 1234


Street address


Bockenheimer Landstraße 97-99


Postal code














Important note:
We recommend assigning at least one alternate for each contact. If a contact is temporarily unavailable or leaves the company, someone else can manage your company’s participant data.
If you need to assign a new contact (without any other remaining valid contacts), you have to go through a complex process. Our process ensures that only persons who can prove that they are entitled to legally represent the company can approve assigning a new main contact.

Publication and sharing

The main purpose of TISAX is to publish your assessment result to other TISAX participants and to share your assessment result with your partner(s).

You can decide about the publication and sharing of your assessment result either during the registration process or at any time later.

If you are going through the TISAX process as a pre-emptive step, you can already decide to publish your assessment result to the community of TISAX participants. Otherwise, there is nothing to prepare for at this stage.

If your partner requested that you go through the TISAX process, you need to share your assessment result sooner or later. You can already share status information with your partner during the registration. Once your assessment result is available, your partner will then automatically have the permission to access it[6].

There are two things you need to share status information:

  1. Your partner’s TISAX Participant ID

    The TISAX Participant ID identifies your partner as a TISAX participant.

    Usually, your partner should provide you with his TISAX Participant ID.

    For your convenience, our registration form provides a drop-down list of Participant IDs for some companies that frequently receive shared assessment results.[7]

  2. The required sharing level

    The sharing level defines the depth to which your partner can access your assessment result.

    Either your partner requests a specific sharing level or you decide up to which level you want to grant your partner access to your assessment result.

    For more information on sharing levels, please refer to Section 6.5, “Sharing levels”.

So you may want to make sure you have this information.


Please note:

  • You can always decide to publish your assessment result later.

  • You can always create a sharing permission for your partner later.


Important note:

If you don’t publish your assessment result or don’t share it, no one can see your assessment result.


Important note:

You can’t revoke publication or sharing.


Please note:

It may sound odd, but you can in fact share your “assessment result” even if you haven’t started the assessment process yet. At this early stage, you are just sharing the “assessment status”. The participant with whom you share your “assessment result” will see where you are in the assessment process.

Some TISAX participants have to issue a special release if you have to show TISAX labels, but haven’t finished the assessment process yet. In such a case, your partner may need to see your “assessment status” in his account for the ENX portal.

For more information on the assessment status, please refer to Section 7.6, “Annex: Assessment status”.

For more information on publishing and sharing your assessment result, please refer to Section 6, “Exchange (Step 3)”.

4.3.3. Assessment objectives

You have to define your assessment objective(s) during the registration process. The assessment objective determines the applicable requirements that your information security management system (ISMS) has to fulfil. The assessment objective is entirely based on the type of data you handle on behalf of your partner.

In the following sections, we describe the assessment objectives and provide advice on how to select the right assessment objective(s).

The use of assessment objectives makes the TISAX-related communication with your partner and our TISAX audit providers easier because they refer to a defined input to the TISAX assessment process.


Please note:

Some partners may request you to get TISAX-assessed with a certain “assessment level” (AL) instead of specifying an assessment objective. For more information on assessment levels, please refer to Section, “Protection needs and assessment levels” (sub-section “Additional information”).

List of assessment objectives

There are currently eight TISAX assessment objectives. You have to select at least one assessment objective. You may select more than one.

Consider your assessment objective the benchmark for your information security management system. The assessment objective is a key input for the TISAX process. All TISAX audit providers base their assessment strategy mainly on the assessment objective.

The current TISAX assessment objectives are:

Table 3. The current TISAX assessment objectives

| No. | Assessment objective | Abbreviation |
|---|---|---|
| 1 | Handling of information with high protection needs | Info high |
| 2 | Handling of information with very high protection needs | Info very high |
| 3 | Protection of prototype parts and components | Proto parts |
| 4 | Protection of prototype vehicles | Proto vehicles |
| 5 | Handling of test vehicles | Test vehicles |
| 6 | Protection of prototypes during events and film or photo shoots | Proto events |
| 7 | Data protection. According to Article 28 (“Processor”) of the European General Data Protection Regulation (GDPR) | |
| 8 | Data protection with special categories of personal data. According to Article 28 (“Processor”) with special categories of personal data as specified in Article 9 of the European General Data Protection Regulation (GDPR) | Special data |

Example: If you are conducting test drives on public roads, then the assessment objective No. 5 “Handling of test vehicles” is one of your assessment objectives.

For some of the following illustrations, we will use a table representation of the eight TISAX assessment objectives. Furthermore, we will shorten the long forms for an easier visual representation.