
TISAX for automotive suppliers — without reinventing ISO 27001.

TISAX is the automotive-industry information security assessment based on the VDA ISA control set. Matproof maps TISAX and ISO 27001 from the same control library — so one investment produces both labels.

Why this matters now

OEM procurement requirements now routinely specify TISAX AL2 (standard protection) or AL3 (high protection) for tier-1, tier-2, and increasingly tier-3 suppliers. Without TISAX, you lose business with VW, BMW, Mercedes-Benz, Audi, Porsche.

  • VDA ISA updates every 1-2 years — new control set every cycle requires re-alignment
  • Prototype protection rules add physical + IT controls beyond classic ISMS
  • Labels AL2 vs AL3 have different audit depth and preparation effort
  • Data classification specific to OEM-assigned sensitivity labels

How Matproof covers TISAX for Automotive Supply Chain

VDA ISA control implementation

Matproof tracks the latest VDA ISA version with control-by-control implementation status, evidence collection, and audit readiness.

Prototype protection

Physical access controls, visitor management, photography restrictions, secure development environments — integrated into the TISAX scope and auditor workflow.

AL2 vs AL3 scoping

Determine which protection level applies per site and per OEM relationship. Matproof's scope configurator helps.

ISO 27001 dual mapping

VDA ISA and ISO 27001 have an 80% overlap, so organizations certifying both reuse the same control evidence. Typical additional effort: 3-6 months after ISO 27001.

In scope

  • Tier-1 OEM suppliers (direct to manufacturer)
  • Tier-2 and tier-3 indirect suppliers
  • Automotive software and embedded systems
  • Component manufacturers requiring TISAX for OEM contracts
  • Engineering service providers to OEMs
  • Logistics providers handling automotive parts

Frequently asked questions

What's the difference between TISAX AL2 and AL3?

AL2 (standard protection) is for regular business data and most tier-1/tier-2 suppliers. AL3 (high protection) is for prototypes, development data, and strategic intellectual property — additional control depth, stricter physical security, and a separate on-site audit. Both require a TISAX-accredited external auditor.

Can we certify TISAX after ISO 27001 or must we do them separately?

Recommended sequence: ISO 27001 first, then TISAX 3-6 months later. VDA ISA's control set is 80% aligned with ISO 27001 Annex A. Matproof's dual-mapped platform means the same evidence satisfies both audits. Alternative: start with TISAX directly if OEM pressure is immediate — but the broader ISO 27001 investment is usually worth doing alongside.

How long does TISAX preparation take?

From zero: 4-6 months typically (faster with an existing ISMS). The steps are registration with ENX (the TISAX governing body), scope definition, self-assessment, auditor selection, on-site audit (AL3 only), remediation, and label issuance. Matproof customers with ISO 27001 already in place typically achieve TISAX in 3-4 months.

Ready to start with TISAX?

30-minute demo tailored to Automotive Supply Chain. We show you exactly how Matproof covers TISAX for your sector.