Implement ISMS according to VDA ISA

Protect your critical business information according to VDA ISA.

This video will be loaded from YouTube while playing. By clicking here you accept the data protection declaration of HVS Consulting / IS-FOX and YouTube.

The steps to your TISAX label

We are TISAX certified ourselves (Assessment Level 2) and know every single step very well. Therefore, we can accompany and coach you in the best possible way, from the start of the project to TISAX certification.

Tisax 01

Coaching workshop

Since there is not 'the one TISAX certificate', it is important to discuss at the beginning topics such as scope, audit objectives, TISAX label and assessment level. After all, in the end, you don't just want a TISAX label, but the right TISAX label that is also accepted by your target groups.

In this initial coaching session, we will impart to you the basics and requirements of TISAX, the structure of the TISAX assessment catalogue, as well as the TISAX assessment process. In other words, everything you need for a successful start.

In addition to your individual questions, we answer typical questions. For example:

  • Which parts of the test catalogue are relevant for me?
  • How are the maturity levels to be interpreted?
  • How should the sections must, should, and additional requirements be interpreted, or do any of them need to be taken into account at all?

Coaching workshop

'What exactly do we want to achieve?'
< >

TISAX gap analysis

The next step is a TISAX gap analysis. Our TISAX experts record and evaluate - through a mixture of document reviews and interview sessions with the respective departments - the status of your current implementation, based on the requirements of the VDA ISA test catalogue that are relevant for you.

This TISAX gap analysis gives you and us a clear picture and enables us to realistically estimate the implementation effort, to clearly structure the project and to define the individual work packages.

If you have already carried out a gap analysis, we work with this one and do not carry out a new one again.

TISAX gap analysis

'Where do you currently stand?'
< >

Establish framework

After we have identified the fields of action, we work together with you to create the framework conditions and the basis for a functioning ISMS in accordance with VDA ISA / TISAX. This includes, among other things:

  • The definition or concretisation of the scope, the audit objectives and the assessment level based on the requirements of your stakeholders (for example supplied OEMs).
  • The definition and establishment of the security policy and objectives.
  • The definition of the safety organisation including roles, committees and their responsibilities.
  • The creation of the necessary project organisation for the establishment of a TISAX-compliant ISMS.

Establish framework

'Creating the right basis'
< >

Define guidelines

We can only achieve the defined information security goals by defining clear and precise rules. We define these "rules" in various guidelines, both for the entire workforce within the scope of the ISMS and for specific areas or target groups (e.g. IT admins, software or system development, R&D, purchasing, prototype development, human resources or facility management).

Of course, we do not reinvent the wheel, but use our numerous templates. These have been successfully tested in practice for several years and are regularly updated, so they are always state of the art.

These guidelines are subsequently coordinated with the necessary people in the departments and integrated into the relevant business areas. 

Define guidelines

'Without clear rules there is no TISAX ISMS'
< >

Information security risk management

Information security risk management is at the heart of an effective ISMS, because it helps you to distinguish the important from the unimportant and to always proceed pragmatically. 

In this phase, we work together with you to create the necessary structural and procedural organisation to record, assess, deal with (meaning derive appropriate measures) and document all relevant information security risks in a structured and systematic way.

If you already have a risk management system or a comparable approach in your company, we will build on this and, if necessary, enrich it with missing relevant aspects of VDA ISA / TISAX.

Information security risk management

'Identify risks and derive measures'
< >

Implement measures

Now it's time to implement the defined measures. In this phase, we provide very targeted coaching and also support you as required in the event of any resource shortages. It is important to us to prepare you or a member of your team as optimally as possible for your tasks as an information security officer.

When implementing measures, we attach great importance to practicable solutions, i.e. measures

  • that help to achieve the desired level of security,
  • are economical and feasible and
  • still meet the VDA ISA requirements for your audit objective.

Implement measures

'Eliminate deficits and implement requirements'
< >

Pre-audit & certification coaching

For certification maturity, you justifiably have to carry out internal ISMS audits on a regular basis. Again, we support you in planning and conducting your internal TISAX 'pre-audits'.

And to avoid auditing our own work - which could lead to a significant conflict of interest - the internal TISAX audit is carried out by an experienced TISAX auditor from our partner network who was not involved in setting up the ISMS in your company and is consequently neutral and independent. 

Such 'pre-audits' deliver a high benefit:

  • You receive a realistic status of your status and progress.
  • They fulfil the requirement of the TISAX standard to conduct internal audits.
  • They prepare audit participants for the real TISAX audit sessions. If necessary, we coach the participants to confidently avoid "typical pitfalls" in the real TISAX audit.

Pre-audit & certification coaching

'Let's see how a TISAX audit would go'
< >

TISAX assessment

The last formal step is the TISAX assessment. This must be carried out by an accredited certification authority. Since we have already accompanied you in setting up the ISMS, we unfortunately can no longer accompany you in this last step due to a conflict of interest. 

However, we would be happy to establish contact with the certification authority of our trust.

TISAX assessment

'Passing the TSAX assessment'
< >

So you want help to help yourself?

Let us get to know you in a web meeting and talk about your situation and goals. We will show you how we have helped in similar customer situations.
Yes, let's talk!

What exactly is VDA ISA or TISAX?

TISAX® stands for Trusted Information Security Assessment eXchange and is a registered trademark of the ENX Association. The ISA in TISAX represents the requirements catalogue of the German Association of the Automotive Industry (VDA), whose requirements suppliers and service providers in the automotive industry must fulfil. The VDA ISA requirements catalogue (currently in version 5) is fundamentally based on the requirements of the international standard ISO 27001. 

Depending on the confidentiality of the information that an OEM (or the supplier of an OEM) transmits to you, various audit objectives (combination of assessment level and TISAX label) must be achieved. The audit objective to be achieved determines the type and scope of the TISAX assessment.

The TISAX labels depend on the type and criticality of the information provided, these include:

  • Info high / Info very high
  • Data / Special Data
  • Proto Parts / Proto vehicles / Test vehicles / Events & Shootings

A distinction is made between the following three assessment levels:


Tisax 02
Assessment Level 1
Assessment Level 1 / AL 1
Self-assessment by the company based on the test questions of the VDA ISA without additional requirements for high / very high protection needs. AL1 is hardly relevant in practice, as this is carried out as a self-assessment only and no evidence has to be submitted. Furthermore, there is no verification by a service-providing person for audits.
Assessment Level 2
Assessment Level 2 / AL 2
Self-assessment based on the test questions including additional requirements for high protection needs. Verification by a service-providing person for tests including plausibility check and verification of evidence. Assessments according to AL2 are usually carried out remotely (exception: prototype protection).
Assessment Level 3
Assessment Level 3 / AL 3
Self-assessment based on the test questions including additional requirements for high and very high protection needs. Verification of the self-assessment by a service-providing person for audits (plausibility check including verification of evidence). Assessments according to AL3 are carried out in the form of an on-site assessment.

Typical topics within the framework of an ISMS according to VDA ISA / TISAX are:

Personnel security, security in dealing with suppliers, access control, physical security and access protection, security aspects in BCM (Business Continuity Management), secure IT operation and IT administration, secure software development, network security, handling security incidents and compliance.