Trusted Information Security Assessment Exchange (TISAX)

TISAX overview

The Trusted Information Security Assessment Exchange (TISAX) is administered by the ENX Association on behalf of the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA).

VDA developed an information security assessment (ISA) as a catalog of criteria for assessing information security. The VDA ISA is based on the ISO/IEC 27001 and ISO/IEC 27002 standards adapted to the automotive industry. In 2017, the VDA assessment was updated to cover controls for the use of cloud services.

VDA member companies used the ISA both for internal security assessments and for assessments of suppliers, service providers, and other partners that process sensitive information on their behalf. However, because these evaluations were handled individually by each company, they created a burden on partners and duplicated efforts on the part of VDA members.

To help streamline security evaluations, VDA set up TISAX, which is used by European automotive companies to provide a common information security assessment for internal analysis, evaluation of suppliers, and information exchange. The ENX Association is responsible for TISAX implementation - it accredits auditors, maintains the accreditation criteria and assessment requirements, and monitors the quality of implementation and assessment results.

The latest TISAX control scope is documented in the VDA ISA catalogue version 5.0.4.

Azure and TISAX

An independent ENX-accredited auditor completed the TISAX assessment of Microsoft datacenter infrastructure regions against TISAX specifications and IT security requirements. These TISAX certified regions provide the physical infrastructure for Microsoft online services, including Azure, Dynamics 365, and Microsoft 365, that are described in the assessment report.

If you're an automotive company interested in cloud adoption, you can evaluate the Microsoft TISAX assessment to create cloud solutions that benefit from strong information security and data protection. You can use Azure and other Microsoft cloud services, and exchange data with suppliers who are also TISAX compliant.

TISAX Assessment Level 3 (AL3)

AL3 is required for data with a very high need for protection, such as data classified as strictly confidential or secret, data from crash test and flow simulations, and artificial intelligence (AI) systems. The corresponding audit for AL3 included a thorough verification of security processes, comprehensive onsite inspection, and in-person interviews. The following Microsoft regions have been verified for TISAX AL3 with data protection module:

Americas APAC EMEA
Brazil Northeast Australia Central Austria East
Brazil South Australia Central 2 France Central
Brazil Southeast Australia East France South
Canada Central Australia Southeast Germany North
Canada East Central India Germany West Central
Central US East Asia North Europe
Central US EUAP Japan East North Europe 2
Chile Central Japan West Norway East
East US Jio India Central Norway West
East US 2 Jio India West South Africa North
East US 2 EUAP Korea Central South Africa West
East US STG Korea South Switzerland North
North Central US Korea South 2 Switzerland West
South Central US South India UAE Central
West Central US Southeast Asia UAE North
West US West India UK South
West US 2 UK West
West US 3 West Europe

EUAP = early updates access program; STG = staging environment

Attestation documents

If you're an industry representative registered with ENX, you can find the TISAX assessment details on the ENX Portal. To access Microsoft assessment results:

  • Sign in to your existing TISAX account and search for Microsoft

Alternatively, you may narrow your search using the following information:

  • Microsoft Assessment ID: AP78YM-1
  • Microsoft Assessment Level 3 (AL3) scope ID: SN2CV2

Resources