CONSUVATION prepares your company systematically for the VDA ISA requirements catalogue – from gap analysis through implementing measures to assessment readiness for information security, prototype protection and data protection.
What it's about
The VDA ISA requirements catalogue forms the technical basis for an industry-wide assessment and exchange mechanism in the automotive sector. OEMs and Tier-1 suppliers increasingly require their partners to demonstrate a defined level of security – the implementation of TISAX is therefore no longer an optional project for many suppliers, but a business requirement.
01 We assess your current status against the full VDA ISA requirements catalogue and identify concrete areas for action.
02 Together with your team, we implement the required organisational and technical measures in a practical way.
03 We support you through to registration and prepare your company in terms of content for the assessment carried out by an accredited audit provider.
Assessment Areas
Which assessment areas are relevant for your company depends on your customer's requirements and the type of data processed. We assess your actual protection needs together with you.
Protection of confidential information, development data and trade secrets against unauthorised access, loss or manipulation. The specific scope of requirements depends on your customer's specifications. (Needs-based)
Additional requirements for companies working with physical or digital prototypes, components or camouflaged test vehicles. (Needs-based)
Relevant when personal data is processed on behalf of the customer – supplemented by requirements from the GDPR. On request, we build your data protection management system on the basis of ISO 27701 and ISO 27100. (Needs-based)
Our Approach
A structured, six-step consulting process from the initial assessment to a successful audit.
Clarifying which assessment areas and which assessment target level are relevant for your company. (approx. 1–2 weeks)
Systematic comparison of your existing measures against the full requirements catalogue. (approx. 2–4 weeks)
Prioritised roadmap including responsibilities, effort estimation and timeline. (approx. 1–2 weeks)
Support with documentation, technical measures and staff training. (approx. 6–16 weeks)
Simulated assessment situation to identify remaining gaps before the official assessment. (approx. 2 weeks)
Support with registration as well as expert guidance during the assessment by the accredited audit provider. (approx. 2–4 weeks)
Synergies
Companies that have already invested in other management systems benefit when implementing TISAX – CONSUVATION shows you the concrete synergies.
CONSUVATION has been supporting the protection of physical and digital prototypes in the automotive industry since 2006 – well before today's VDA ISA requirements catalogue was introduced. These early precursor concepts have created a practice-tested understanding of the prototype protection assessment area, which flows directly into our consulting for the implementation of TISAX today.
The VDA ISA requirements catalogue is structurally aligned with ISO 27001 Annex A. Companies with a certified ISMS often achieve the implementation of TISAX with significantly reduced additional effort.
Current requirements catalogues are increasingly extending their scope to production and OT environments. For manufacturing companies, IEC 62443 complements the organisational requirements with technical OT depth.
If the data protection assessment area is relevant, requirements from the GDPR flow directly into the assessment – particularly regarding data processing agreements and technical-organisational measures.
For suppliers who also fall under NIS2, information security measures from the implementation of TISAX can largely be transferred to the NIS2 requirements.
Added Value
| Criterion | Without Implementation | With Implementation |
|---|---|---|
| Eligibility for Contracts | Likely exclusion from OEM tenders | Meets common OEM requirements |
| Trust with Partners | Self-declared assurances without external confirmation | Externally confirmed level of security |
| Responsiveness | Security gaps often only identified after an incident | Established risk-detection processes |
| Competitive Position | Disadvantage against already-assessed competitors | Differentiation in the tender process |
Our Solutions
To ensure that the requirements of the VDA ISA catalogue are not just documented but also lived in practice by your staff, CONSUVATION offers its own e-learning portal with training modules covering the three core assessment areas.
Covers the fundamentals of the information security management system, roles and responsibilities, and secure behaviour in everyday work.
Practical modules on handling personal data, aligned with GDPR, ISO 27701 and ISO 27100.
Trains secure handling of physical and digital prototypes – building on our practical experience since 2006.
Our Packages
Tailored to company size and protection needs – based on the structure of proven consulting packages for automotive compliance.
For small companies with up to 50 employees
For mid-sized companies, 50–250 employees
For corporations and suppliers with 250+ employees
Why CONSUVATION
Our consultants combine practical experience from ISO 27001 projects with specific industry knowledge of the automotive sector. Through our proprietary correlation matrix, we identify synergies between standards that remain hidden to other consulting approaches.
CONSUVATION has been protecting prototypes and sensitive development data in the automotive industry since 2006 – long before today's VDA ISA requirements catalogue existed. These early precursor concepts for prototype protection still form the practical foundation of our consulting for the implementation of TISAX today.
Our correlation matrix maps requirements from VDA ISA, ISO 27001, NIS2, IEC 62443 and the GDPR simultaneously. This allows us to identify, already during the gap analysis, which measures satisfy multiple standards at once – saving time and budget in your implementation of TISAX.
Our consulting team has many years of experience and is familiar with all major standards in information security and management systems – including Business Continuity Management according to ISO 22301. This broad foundation flows directly into your implementation of TISAX, for example when assessing emergency and recovery requirements.
In-depth knowledge of the current requirements catalogue
Efficient dual use of existing ISMS structures
No business relationship with audit providers
Consulting for Germany, Austria, Switzerland and international clients
Emergency and recovery know-how complementing information security
Frequently Asked Questions
The implementation of TISAX refers to the structured preparation of your company for an assessment mechanism for information security in the automotive industry, based on the VDA ISA requirements catalogue. Depending on protection needs, the areas of information security, prototype protection and data protection are assessed.
Automotive suppliers, development service providers, engineering firms, IT and cloud providers, and logistics service providers working with OEMs or Tier-1 suppliers are increasingly required to carry out an implementation of TISAX.
Depending on maturity level and company size, an implementation of TISAX typically takes between three and nine months, from gap analysis through implementing measures to assessment readiness.
The VDA ISA requirements catalogue is structurally aligned with ISO 27001 Annex A. Companies with an existing ISMS based on ISO 27001 can achieve the implementation of TISAX with significantly less additional effort.
No. CONSUVATION is an independent consulting firm and has no business relationship with the ENX Association. We exclusively support the content-related and organisational preparation; the actual assessment is carried out by an accredited audit provider.
Which assessment area is relevant for your company depends on your customer's requirements: information security is requested when confidential information or development data is involved, prototype protection when physical or digital prototypes are processed, and data protection when personal data of customers is processed – the specific combination depends on your customer's protection needs.
Yes. Through our e-learning portal, we offer training modules on the three core assessment areas of ISMS, data protection and prototype protection, so that requirements are not just documented but also lived by your staff in everyday work.
Yes. On request, we build your data protection management system on the basis of ISO 27701 and ISO 27100, so that it integrates seamlessly into your implementation of TISAX.
Schedule a free initial consultation and receive an initial assessment of effort and approach for your company.