Trusted Information Security Assessment Exchange (TISAX) Germany


To help secure the ever-increasing connectivity in the automotive industry, the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA) developed a catalogue of criteria for assessing information security. The VDA Information Security Assessment (German and English) is based on the fundamentals of the international ISO/IEC 27001 and 27002 standards adapted to the automotive industry. In 2017, it was updated to cover controls for the use of cloud services.

VDA member companies used this instrument both for internal security assessments and for assessments of suppliers, service providers, and other partners that process sensitive information on their behalf. However, because these evaluations were handled individually by each company, it created a burden on partners and duplicated effort on the part of VDA members.

To help streamline evaluations, the VDA set up a common assessment and exchange mechanism, the Trusted Information Security Assessment Exchange (TISAX). The catalogue of underlying TISAX requirements, Questionnaire for Checking Information Security Assessment and Information Security Management, Vers. 4 (German and English), provides common standards for IT security measures, and enables companies registered in TISAX to share assessment results. The VDA entrusted a neutral third party, the ENX Association, with TISAX implementation. In that capacity, it accredits audit providers (auditors), maintains the accreditation criteria and assessment requirements, and monitors the quality of implementation and assessment results.

Microsoft and TISAX

European automotive companies rely on trust to develop, build, and operate new cars. They use the Trusted Information Security Assessment Exchange (TISAX) to provide a common information security assessment for internal analysis, an evaluation of suppliers, and as an information exchange mechanism. An independent ENX-accredited auditor, PwC, completed the TISAX assessment of Microsoft datacenters and operations centers against TISAX specifications and IT security requirements.

Automotive companies around the world can now evaluate the TISAX assessment of Microsoft cloud services to create cloud solutions that integrate strong information security and data protection. Companies can use the TISAX assessment of Microsoft cloud services to confidently exchange data with suppliers who use workstations based on Microsoft 365 cloud services.

Microsoft provided a self-assessment of its cloud services, and the auditor performed two levels of assessment based on that. (The assessment level determines the depth of the evaluation and the methods the auditors use.)

  • Microsoft datacenters in Northern Europe (Dublin region, Ireland) and Western Europe (Amsterdam region, the Netherlands) were assessed at Level 3 (AL3). The audit included a thorough verification of security processes, a comprehensive onsite inspection, and in-person interviews. An AL3 assessment is required for data with a high need for protection, such as data classified as strictly confidential or secret—, data from crash test and flow simulations and AI (artificial intelligence) systems.
  • Selected Microsoft global datacenters were assessed at Level 2 (AL2) based on remote interviews. An AL2 assessment is required for data with a high need for protection, such as data classified as confidential.

Microsoft in-scope cloud services

The TISAX assessment focused on the following Microsoft services:

Audits, reports, and certificates

Industry representatives registered with ENX can find details on the TISAX assessment of in-scope Microsoft cloud services on the ENX portal. To search for Microsoft assessment results, sign in to your existing TISAX account, and search for Microsoft. Alternatively, you may narrow your search using the information below:

  • Microsoft Participant ID: PGKYK0
  • Microsoft Corp. EU Assessment Level (AL) 3 scope ID: SY869K
  • Microsoft Corp. WORLD Assessment Level (AL) 2 scope ID: S08NT9

This assessment is valid for three years.

How to implement

Manufacturing use cases

Use case overviews, solution guides, tutorials, and other resources to help build Azure solutions.

Frequently asked questions

Why I can't see a copy of the Microsoft TISAX certification?

ENX provides certification confirmation only to registered industry representatives through the ENX portal. For details about how to proceed, see the “Audits, reports, and certificates” section above.

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.