Damian Strobel
Founder and CEO
"The automotive industry has always been an interesting target for attackers of various stripes."
Who is TISAX relevant for?
In Germany, TISAX is primarily known within the automotive industry. It is based on the VDA-ISA industry standard and is basically relevant for any company that intends to work with automotive groups and/or their suppliers. As with VDA-ISA, the aim here is to record and continuously improve the level of IT security throughout the entire company. Compared to ISA, TISAX is somewhat more specific in some areas - for example, it explicitly requires penetration tests to be carried out.
The auditor works with the company through a questionnaire created by VDA or ENX Association (developer of TISAX). It can be found here (VDA) or here (ENX TISAX).
Are penetration tests mandatory in TISAX?
Yes, the instrument “penetration tests” is explicitly mentioned in two points of the linked questionnaire:
"To what extent are IT systems and services technically checked (system and service audit)?"
There are target requirements that must be met. If you have systems with high protection requirements, this means
"For critical IT systems or services, additional requirements for the system or service audit have been identified and are met (e.g. service-specific tests and tools and/or penetration tests, risk-based time intervals)"
Are regular penetration tests necessary as part of TISAX?
Here, too, the answer is yes.
The following question is asked in the question box: “To what extent is information security taken into account in new or further developed IT systems?”
The requirements here are for systems with very high protection requirements:
- The security of software specially developed for a specific purpose or of software customized to a considerable extent is tested (e.g. penetration tests)
- – during commissioning
- – in the event of significant changes
- – or at regular intervals
Why should DSecured perform your TISAX pentest?
Experienced team
Benefit from our experienced team of bug bounty hunters and ethical hackers who have already carried out numerous successful penetration tests - including within the automotive industry.
Outstanding report
Without a comprehensible and understandable report that offers concrete recommendations, certification in accordance with TISAX/VDA/ISA is difficult to achieve. We provide you with exactly that.
Maximum creativity
You can also run a vulnerability scanner yourself. We rely on maximum creativity and manual tests to find even the most hidden vulnerabilities. This is the only way to achieve the best possible security.
Effective risk management
Protect your business with targeted testing that minimizes potential security risks and secures your IT infrastructure. Black hats and cyber criminals are usually not long in coming and will exploit any weakness.
Communication tailored to your needs
We tailor our communication to your needs, be it through regular updates, detailed discussions or clear explanations. It doesn't matter whether it's via WhatsApp, Signal or Slack. You decide!
Long-term partnership
Rely on a long-term collaboration that offers not just one-off tests, but continuous security optimizations and support. We can take any perspective and are your partner when it comes to security.
Pentest: Services
Some companies we have been able to help
Further questions and answers on the topic
"Penetration testing for TISAX certification"
How long does a penetration test for TISAX certification take?
It depends on the target system - it is not possible to give a general answer. In some cases a test takes 2-3 days, in others 2-3 weeks.
What results can I expect after a penetration test for TISAX certification?
You will receive a report in PDF form containing a management summary and a technical section. The latter allows your developers to fix the vulnerabilities found. These are also categorized by criticality. If required, we can also give a presentation.
How is the security of my data guaranteed during the penetration test for TISAX certification?
Where possible, we require the client to provide test/demo systems on isolated servers that can be tested safely. These test systems do not contain any sensitive/genuine data.
What advantages does a manual security test offer for my TISAX compliance?
No software can beat the creativity of a real attacker, that was and remains the case. The advantage is quite clear - manual tests find vulnerabilities that automated tools overlook.
How often should a detailed security review be carried out for TISAX?
The general recommendation is “annually”. However, depending on the protection requirements according to TISAX, penetration tests should also be carried out at the beginning and in the event of major adjustments to a software/service.
Can DSecured continue to support us after the penetration test?
Certainly - we offer further services to optimize the IT security of your company.
Request a quote