TISAX · Automotive Security · VDA ISA

TISAX pentest: Security evidence for the automotive industry

As a supplier or service provider in the automotive sector, you must demonstrate your information security to OEMs. Our TISAX pentest delivers the technical evidence required by the VDA ISA - structured, auditable, and report-ready within 5 working days.

VDA ISA mapping included in report · AL 1 to AL 3 fully covered · Report delivered within 5 working days

What TISAX requires of you

Evidence per VDA ISA
The VDA ISA questionnaire is the assessment basis for all TISAX labels. Our report maps every finding directly to the relevant controls.

Technical penetration test
From Assessment Level 2, technical tests are required as mandatory evidence. We deliver the practical pentest report to support your audit.

Prototype & data protection
Dedicated TISAX labels for prototype protection and GDPR compliance require specific test scenarios - both physical and technical.

OEM supplier obligation
BMW, VW, Mercedes-Benz, Porsche, Audi, Bosch and Continental require TISAX from all Tier-1 and Tier-2 suppliers.

Our TISAX pentest report is designed as a technical evidence document for your accredited ENX auditor and is ready for direct use in your assessment.

TISAX explained

What is TISAX and who does it affect?

TISAX (Trusted Information Security Assessment Exchange) is the binding information security standard of the German automotive industry, developed by the VDA. It is based on ISO/IEC 27001 and the VDA ISA questionnaire and defines how suppliers must demonstrate the protection of sensitive information. Results are shared exclusively via the ENX platform - not publicly accessible.

TISAX labels are valid for three years - after which a full recertification is required.

Results are shared exclusively via the closed ENX platform - there is no public certificate.

Mandatory for suppliers of BMW, VW, Mercedes-Benz, Porsche, Audi, Bosch, Continental, and other OEMs.

TISAX vs. ISO 27001

How does TISAX differ from ISO 27001?

Criterion         | TISAX®                 | ISO 27001
Industry focus    | Automotive             | Cross-industry
Framework basis   | VDA ISA + ISO 27001    | ISO 27001
Evidence type     | Label via ENX platform | Public certificate
Pentest mandatory | From AL 2              | Optional
Validity          | 3 years                | 3 years (annual surveillance)

Assessment levels

Which assessment level applies to your organisation?

TISAX distinguishes three protection requirement levels. Your OEM specifies which level you must meet. We conduct penetration tests for all three assessment levels.

Assessment Level 1

Normal protection requirement

For organisations processing confidential information without particularly sensitive content. A qualified self-assessment is generally sufficient - a pentest is nonetheless recommended as voluntary evidence.

Self-assessment / own declaration
No on-site audit required
Pentest recommended as voluntary evidence

Assessment Level 2

High protection requirement

For organisations handling highly sensitive information such as development data or vehicle concepts. An external auditor and a technical penetration test are mandatory.

On-site audit by accredited auditor
Technical pentest as mandatory evidence
Most common level for Tier-1 suppliers

Assessment Level 3

Very high protection requirement

For organisations working with prototypes and strictly confidential data. The highest requirements for physical and technical security apply. Multiple audits by accredited bodies are mandatory.

Multiple on-site audits required
Extended physical security assessment
Full-scope infrastructure penetration test

Assessment areas

VDA ISA controls we test technically

The VDA ISA questionnaire covers all security-relevant areas. Our pentest delivers the technical evidence for the following controls - ready for direct use with your ENX auditor.

VDA ISA 1.x

Information security management

Evidence of a functioning ISMS: policies, roles, responsibilities, and awareness measures in line with VDA ISA Chapter 1.

Policy & governance review

VDA ISA 3.x

Physical security

Access control, building security, secure disposal of storage media, and protection of server rooms in line with VDA ISA Chapter 3.

Physical pentest & tailgating

VDA ISA 4.x

IT & cyber security

Network segmentation, vulnerability management, patch management, access control, and logging in line with VDA ISA Chapter 4.

Infrastructure pentest

VDA ISA 5.x

Prototype protection

Special protection for prototype vehicles and components: covers, camouflage, secure storage, transport, and access control to prototype areas.

Prototype protection assessment

VDA ISA 6.x

Data protection (GDPR)

Processing of personal data in the automotive context: consent, deletion concepts, and technical protective measures in line with VDA ISA Chapter 6.

GDPR technical layer review

VDA ISA 7.x

Third parties & supply chain

Security requirements for service providers and sub-suppliers: contracts, audits, remote access, and security clauses in line with VDA ISA Chapter 7.

Supply chain risk assessment

Without a TISAX label you risk:

Loss of OEM contracts: without a valid TISAX label you will typically not be approved as a supplier or will be excluded from tenders.
Breach of contract: existing supply agreements can be terminated or not renewed if a TISAX label is missing or has expired.
Reputational damage: security incidents without proven protective measures put long-term OEM partnerships at risk.
GDPR liability: missing data protection evidence in the automotive context can result in proceedings under GDPR Article 83.

Who is affected?

TISAX applies to these organisations in the automotive supply chain

TISAX is mandatory for all organisations that process confidential information from OEMs or Tier-1 suppliers - regardless of company size or headcount.

🚗 OEMs & vehicle manufacturers
🔩 Tier-1 suppliers
⚙️ Tier-2 suppliers
💻 Software & IT service providers
🏭 Engineering & development offices
📐 Design & prototyping firms
🚛 Logistics & transport (prototypes)
🔬 Research & development
📡 Telematics & connected car

Our approach

How your TISAX pentest works

We guide you from scope definition to an audit-ready report - structured, on time, and fully aligned with the VDA ISA questionnaire.

STEP 01

Scope definition & kickoff

Joint definition of TISAX assessment objectives, assessment level, systems in scope, and timeline. Exclusion zones are documented as binding commitments.

STEP 02

Information gathering & reconnaissance

OSINT, network analysis, physical building walkthrough, and system inventory in line with the VDA ISA assessment catalogue.

STEP 03

Technical penetration test

Infrastructure pentest, Active Directory analysis, physical security assessment, and social engineering in line with VDA ISA requirements.

STEP 04

Analysis & VDA ISA mapping

All findings are mapped directly to the corresponding VDA ISA controls - for maximum auditability and minimum effort during the ENX audit.

STEP 05

Report & handover

Detailed pentest report with CVSS ratings, VDA ISA mapping, prioritised remediation recommendations, and an executive summary for senior management.

Sample report: TISAX pentest report · Automotive GmbH · TISAX-compliant ✓

Unencrypted CAD file share accessible on internal network - Critical
Server room access without MFA and badge control - Critical
Tailgating: server room entry without authentication - High
Active Directory: kerberoastable service accounts - High
Missing network segmentation between development and production - Medium
Outdated TLS configuration on internal web server - Low

VDA ISA mapping included

TISAX is a registered trademark of the ENX Association.

3 years - Validity of the TISAX label
5 days - Report after test completion
AL 1-3 - All levels covered
100+ - Completed pentests

Our services

TISAX pentests from a single source

We combine physical, digital, and social engineering attack vectors into a comprehensive TISAX assessment - everything from one provider, everything VDA ISA-mapped.

Physical security pentest

Access control, tailgating, lock bypass, camera blind spots, and prototype areas: we test whether your physical security holds up under TISAX AL 2 and AL 3 requirements.

Infrastructure & Active Directory

Network segmentation, patch status, Active Directory security, and remote access: technically verified and directly mapped to VDA ISA Chapter 4.

Social engineering & awareness

Phishing, vishing, and pretexting targeting your employees: we test the human firewall that VDA ISA Chapter 1 requires as a central protective measure.

Frequently asked questions

TISAX pentest - your questions answered

Who needs a TISAX pentest?
Every organisation that works for OEMs or Tier-1 suppliers and processes their confidential information. From Assessment Level 2, a technical penetration test is mandatory as evidence. At AL 1 it is recommended as voluntary evidence.

What does a TISAX pentest cost?
Costs depend on scope, company size, and assessment level. Contact us for an individual quote - you will typically receive one within 24 hours of the free initial consultation.

How long does a TISAX pentest take?
Typically 3 to 10 working days depending on scope and assessment level. The written report with VDA ISA mapping is delivered within 5 working days of completing the test.

Do you conduct the TISAX audit yourselves?
No. The TISAX audit is conducted by an accredited ENX auditor. Our pentest report is the technical evidence document that the auditor requires and accepts for VDA ISA-relevant controls.

Do you also cover the prototype protection label?
Yes. The TISAX prototype protection label has its own questionnaire. We conduct targeted physical assessments for this: camera blind spots, vehicle covers, secure storage areas, access control, and transport processes.

How does TISAX relate to ISO 27001?
TISAX builds on ISO 27001 and extends it with automotive-specific requirements from the VDA ISA catalogue. Existing ISO 27001 evidence is taken into account during the TISAX audit but does not fully replace it.

© AccessGranted X GmbH