TISAX Advisory and Engineering for Automotive Suppliers Protecting Prototype, Production, and Partner Data at Scale

TISAX is the automotive supply chain’s controlled trust exchange: VDA ISA objectives, ENX registration, audit provider assessment, and shareable labels. bladestack.io embeds with your technical team to convert that process into a defensible ISMS, clean assessment scope, and evidence set built from real operations.

Why bladestack.io?

We Engineer Boundaries. Not Just Binders.

Protecting a cloud-native SaaS environment differs entirely from protecting a pre-series prototype vehicle sitting in a physical garage with Tier-1 suppliers dropping ECU firmware onto a bench-test rack one door over. The compliance industry flattens both realities into the same ISMS template. We refuse the flattening. TISAX succeeds or fails at the intersection of cyber controls, physical security, OT boundaries, and supplier data flows, and that intersection is where our engineers live. The VDA ISA 6.0 catalogue knows the difference between a policy describing prototype protection and an access control system that enforces it. So do we.

We sit with your facilities lead and walk your prototype garage badge-by-badge. We read your MDM geofencing rules and test them against an actual device inside the R&D zone. When your team asks how to classify the CAD file a supplier just sent through an unmanaged email attachment, we do not quote an ISA 6.0 control number. We architect the data flow, harden the supplier portal, and write the classification logic that keeps that file inside your authorization boundary. We treat TISAX as a function of your actual engineering and manufacturing workflow, not as a paper exercise laid on top of it.

Differentiators

Same Catalogue. Different Discipline.

Advisory-only. Engineer-led. Automotive-aware. Prototype-native. Here is why suppliers trust us with their pre-series data, their OEM contracts, and their labels on the ENX portal.

We speak VDA ISA 6.0, not just ISO 27001 with commentary

The ISA catalogue references ISO/IEC 27001:2022, ISA/IEC 62443-2, NIST Cybersecurity Framework, and BSI Baseline Protection, but TISAX is not a subset of any of them. It has its own maturity model, its own label taxonomy, and its own audit philosophy. We know where VDA ISA 6.0 diverges from ISO 27001 Annex A, which controls carry heavier weight under the maturity assessment, and how the confidentiality and availability label splits introduced in version 6 change the scope of an AL3 engagement. Our consultants read the ENX Participant Handbook every quarter because the guidance evolves, and we adjust our client programs when it does. Your audit provider will notice. So will your OEM.

Engineers Who Walk Your Prototype Floor

Every TISAX engagement eventually lands in your engineering organization. CAD workflows, PLM systems, CI/CD pipelines for embedded firmware, ADAS sensor data flows, bench-test environments, prototype garages with physical access controls that integrate with your IT identity plane. Auditor-trained consultants interview your engineers and document what they hear. Our engineers sit with your engineers, read your infrastructure-as-code, review your Active Directory group policies, and walk the prototype room with a badge in one hand and a network diagram in the other. When the ENX-accredited audit provider arrives, they find controls that were built into the environment, not controls described in a Word document that happens to match the room.

Built for Real OEM Pressure, Not Theoretical Compliance

BMW, Volkswagen, Mercedes-Benz, Porsche, Audi, Ford, Stellantis, and the rest of the OEM base do not read your policy binder. They check the ENX portal for your labels, assessment level, and scope ID. If your Proto Parts or Strictly Confidential label (the ISA 6 successor to Info Very High) is not there with the right scope, your PO does not move and your development contract does not get signed. We structure every TISAX engagement around the specific labels your OEM contracts demand, the scope boundaries that survive an AL3 on-site audit, and the timeline pressure that comes with a signed SOW waiting on a verified assessment. We build to the outcome your commercial team needs, not to an abstract notion of "good security posture."

Custom-Written ISMS That Reflects How You Actually Build

Most TISAX consultancies hand you a templated ISMS with your logo on the cover and hope the audit provider does not read it carefully. The auditors always do. When your access control policy references file shares you deprecated two years ago, or your SDLC policy describes a waterfall process while your embedded team runs Kanban with GitLab CI, the maturity level for that control drops from a 3 to a 1 in front of the assessor. We write your ISMS documentation the same way your engineers write architecture decision records: from the actual system, referencing the actual tools, with diagrams that match the production environment. A document set that matches reality takes longer to produce. It also passes.

We Stay Until the Label Is Live on the ENX Portal

The ENX process does not end at the audit. A plausibility check at AL2 or an on-site audit at AL3 typically produces findings. Those findings require a Corrective Action Plan, remediation work, and a follow-up assessment before the audit provider uploads results to the ENX portal and your labels become visible to OEM counterparties. Plenty of advisory firms hand off at the audit day and bill for their time. We stay through CAP execution, follow-up plausibility checks, and the label issuance workflow inside the ENX portal. Our engagement ends when your ENX participant ID shows the green labels your OEM requires, at the correct assessment level, with the scope ID your contract references.

Prototype Protection as an Engineering Discipline, Not a Policy Chapter

The ISA 6 catalogue dedicates significant weight to prototype protection, with dedicated labels for Proto Parts, Proto Vehicles, and Test Vehicles. These are not document-first controls. They involve physical segregation validated by badge systems integrated with HR and procurement flows, camera coverage with retention and access policies, visitor escort protocols with enforcement mechanisms, mobile device restrictions in design and bench areas enforced by MDM geofencing, and data classification flows that start at the CAD workstation and continue through every supplier portal downstream. We treat prototype protection as a cross-functional engineering problem that connects facilities, IT, OT, and HR. Our advisors have built these programs for companies handling pre-series platforms that do not exist outside the prototype garage.

Differentiators

Same Standard. Different Staffing Model.

Advisory-only. Engineer-led. Fixed-fee where methodology allows. Time-and-materials where honesty demands it. Here is what those words actually mean.

TISAX · Advisory Service Components

For organizations building the VDA ISA 6.0 ISMS foundation.

Advisory engagements are the bladestack.io core. We deploy a TISAX-specialist lead with two to four engineers who embed with your security, engineering, and facilities teams across the assessment scope. The goal is not to hand you a report. It is to build an ISMS, prototype protection program, and technical control environment that pass the ENX-accredited assessment at your target level and label set. Whether you are starting from ISO 27001 alignment, a legacy SOC 2 program, or nothing formal, we scope the engagement against your OEM contract requirements, your assessment objectives, and the timeline you are committed to.

  • TISAX Readiness Review For organizations evaluating their TISAX posture before committing to an assessment. An 8 to 10 week technical deep-dive into your ISMS, prototype workflows, OT boundaries, and supplier data flows. We produce a control-by-control maturity scoring against the relevant VDA ISA 6.0 sections, a prioritized gap remediation roadmap mapped to your OEM deadlines, a scope ID recommendation for the ENX portal registration, and a realistic timeline to audit readiness. Right entry point when you have not yet registered with ENX or you need to size the full program before committing advisory budget.
  • Phase 0: TISAX Discovery Fast Track For organizations committed to the full assessment journey. Accelerated discovery that bypasses the standalone assessment and flows directly into implementation. We produce foundational artifacts including your asset and system inventory, data classification matrix for pre-series and serial production data, prototype protection perimeter map, and governance architecture blueprint. Everything discovered becomes input for the build phase. No assessment report gathering dust while you decide next steps.
  • TISAX Advisory Engagement The core engagement. We design and build your complete TISAX program. ISMS documentation for VDA ISA 6.0. Prototype protection architecture for Proto Parts, Proto Vehicles, or Test Vehicles labels where in scope. Supplier data flow controls for the Confidential and Strictly Confidential labels (formerly Info High and Info Very High) and the matching availability labels where your contracts require them. Data protection integration for Data and Special Data labels where GDPR alignment is required. We embed with your security, platform, and OT teams, work through implementation challenges together, and ensure governance designs translate into operational reality. Typical duration is 5 to 7 months.
  • Sentinel: Assessment and Audit Support We stay until labels are issued. Evidence coordination for AL2 plausibility checks and AL3 on-site audits. Interview preparation for your technical stakeholders. Real-time response to auditor findings. CAP execution alongside your engineering team. Follow-up plausibility check management with the audit provider. ENX portal coordination through label issuance. The engagement ends when your labels are visible on the ENX portal, not when documentation delivery is complete.

Every deliverable reflects your actual infrastructure. Your prototype floor. Your supplier portals. Your production pipelines. Documentation that your engineers recognize as accurate descriptions of systems they built and operate daily. When auditors review our packages, technical claims trace to implementation evidence, governance controls trace to infrastructure configurations, and interviews validate rather than contradict written artifacts.

Includes:

  • TISAX Readiness Review
  • Phase 0 Fast Track Discovery
  • Full ISMS Documentation (VDA ISA 6.0)
  • Prototype Protection Architecture
  • Supplier Data Flow Controls
  • Scope ID and ENX Portal Registration Support
  • Internal Audit Rehearsal
  • Sentinel Assessment and Audit Support Through Label Issuance

TISAX · Enjinia Blade Division

Technical firepower when your team needs reinforcement.

VDA ISA 6.0 has technical control expectations that most advisory firms cannot implement because they do not have the engineers on staff to do the work. Asset inventory at the CAD workstation level. Identity federation across the IT/OT boundary in a prototype garage. Network segmentation between your corporate environment and the bench-test infrastructure where pre-series firmware runs. MDM with geofenced restrictions in R&D zones. Our engineering practice exists to execute this work directly, embedded with your platform and security engineering teams. We are not a staffing firm placing resources by the hour. We are a delivery team that builds, configures, and hands off technical controls that the auditor will verify against live systems.

  • Core TISAX Implementation The full-scope engineering build-out for companies that need a complete technical control environment stood up against VDA ISA 6.0. We scope the environment, select the tooling against your existing stack, implement the controls across IT, OT, and prototype-facing systems, instrument the ISMS with logging and monitoring that produces evidence on demand, and train your team to operate what we built. Typical duration is 4 to 6 months running in parallel with an advisory engagement or as a follow-on. We deliver identity, access, endpoint, network, classification, and prototype protection control sets as an integrated program.
  • Fast-Track TISAX Engineering When your advisory partner has an ISMS on paper but no engineering capacity to implement the controls before audit, we come in as the delivery team. Fast-track engineering assumes the policies, procedures, and scoping are already defined and the remaining work is execution. We take the ISMS control matrix, the maturity target for each control, and the audit timeline, and we build. This is a 6 to 10 week engagement with a senior engineering lead and a small delivery pod. Our output is live, auditor-ready controls, not documentation about controls we plan to build next quarter.
  • TISAX Technical Recovery When an audit produced non-conformities that require technical remediation before the CAP can close, and your internal engineering team does not have bandwidth or specialist depth, we take the findings list and execute against it. We have remediated identity federation failures across hybrid Active Directory environments, rebuilt network segmentation between IT and OT zones that failed AL3 on-site verification, implemented prototype access control integrations that the original deployment missed, and closed logging gaps that made evidence collection impossible during the initial assessment. Scope is defined by the findings list. Timeline is defined by the audit provider's follow-up date.
  • Prototype Protection Engineering TISAX labels for Proto Parts, Proto Vehicles, and Test Vehicles have technical control requirements that go far beyond anything in ISO 27001. Physical segregation validated by badge system integrations. Camera systems with retention and access policies that pass AL3 on-site review. Mobile device restrictions enforced by MDM geofencing inside R&D zones. CAD workstation hardening with DLP rules tuned to automotive file formats. Supplier portals with data classification controls that prevent pre-series designs from flowing outside approved channels. Our prototype protection engineers have built these programs end-to-end, and we take on this scope standalone or as part of a broader TISAX implementation.

Engineering engagements deliver working technical controls, not designs for controls. Our engineers operate in your environment with your tooling, document against your architecture conventions, and validate against the specific VDA ISA 6.0 control language the audit provider will use on assessment day. Every engineering engagement includes post-build hardening, runbook documentation written for your operations team, and audit-day support where our engineers answer questions directly alongside yours.

Includes:

  • Core TISAX Implementation
  • Fast-Track TISAX Engineering
  • TISAX Technical Recovery
  • Prototype Protection Engineering
  • Identity, Access, and Endpoint Control Build-Out
  • Network Segmentation Across IT/OT Boundaries
  • Logging and Evidence Automation Infrastructure
  • Runbook Documentation and Audit-Day Engineering Support

TISAX · Managed Services

Ongoing operations, continuous monitoring, handled

A TISAX label is valid for three years. Maintaining the ISMS maturity that produced it is the actual work. Controls drift as your engineering organization grows, new product lines pull new assessment objectives into scope, and your OEM customers add label requirements that were not in the original assessment. Our managed services practice runs your ISMS between renewals so you are not rebuilding the program six months before re-assessment. This is not a staff-augmentation service. It is continuous operations of the control environment we either built originally or took over from a prior vendor.

  • Continuous ISMS Operations Ongoing operations of your TISAX-aligned ISMS between assessments. Monthly control testing against VDA ISA 6.0 maturity scoring. Quarterly internal audits that surface drift before it compounds. Evidence collection workflows that keep ENX portal documentation current. Policy and procedure updates as your organization changes. Change management integration so new product launches or organizational restructuring do not create compliance gaps. Staffed by the same engineer archetype as our advisory practice, not a Tier-1 ticket queue in a shared service center.
  • Supplier Assessment Coordination If your organization is an OEM or Tier-1 responsible for TISAX verification across your supply chain, the coordination work is substantial. We run the supplier-facing assessment program: scope validation against their contracts, assessment objective mapping, ENX portal coordination, plausibility check oversight for AL2 relationships, and escalation management when suppliers miss deadlines. This service integrates with your procurement and vendor risk functions and produces a live dashboard of your supply chain's TISAX posture.
  • TISAX Label Lifecycle Management Scope changes require re-registration. New labels require scope amendments. Geographic expansion brings new site scope into the assessment. Label splits introduced in VDA ISA 6 created re-labeling work for organizations assessed under ISA 5 that is still being processed across the industry. We run this workflow as a managed service: portal coordination, audit provider scheduling, CAP management across active assessments, and label lifecycle documentation so your commercial and legal teams always have current assessment status ready for contract negotiations.

Managed services engagements are structured as annual contracts with quarterly operating reviews and specific SLAs tied to your re-assessment timeline. Our team is the same people who build advisory and engineering engagements. We do not hand off to an offshore operations team in year two. When your audit provider calls with a question during the re-assessment cycle, the engineer who answers knows your environment from the original build.

  • Continuous ISMS Operations
  • Supplier Assessment Coordination
  • TISAX Label Lifecycle Management
  • Monthly Control Testing Against VDA ISA 6.0 Maturity Scoring
  • Quarterly Internal Audits and Drift Detection
  • Evidence Collection Workflows for ENX Portal Currency
  • Change Management Integration for Org and Product Launches
  • Re-Assessment Readiness Through the Three-Year Cycle
Our Approach

How We Engineer TISAX Programs That Pass.

Most firms treat TISAX like a documentation project. Interview stakeholders. Draft policies. Map controls to a template. Hope the audit provider does not look too closely. We treat TISAX as an infrastructure engineering challenge, because it is. Our four-phase approach builds governance into your platform, network, OT, and facilities architecture, where access control, prototype protection, and evidence generation become structural properties of how your organization operates.

00.

PHASE 0: Objective and Scope Reconnaissance

For organizations committed to the full governance journey

We start by identifying what the business actually needs to prove. A TISAX requirement may arrive as a procurement note, supplier portal request, contract clause, OEM email, or partner security questionnaire. We translate that into assessment objective, label expectation, protection need, assessment level, scope candidate, location list, and timeline.

This phase produces the scope map: legal entities, business units, systems, data flows, physical sites, prototype areas, cloud tenants, repositories, identity providers, suppliers, managed service dependencies, and partner exchange points. The assessment objective follows from the type of data handled on behalf of the partner, and that objective determines the applicable ISMS requirements.

  • TISAX Strategy Brief
  • Scope Boundary Diagram
  • Assessment Objective Recommendation
  • Label Path Selection
  • Stakeholder Map
  • Audit-Provider Bid Package Inputs
  • Readiness Backlog
  • Framework Gap Analysis (VDA ISA 6.0 / ISO/IEC 27001)
  • Remediation Roadmap with implementation priorities

Scope errors compound. Every downstream phase inherits the decisions made here, which is why we spend more time in Phase 0 than most firms spend across their entire engagement.

01.

TISAX · VDA ISA Control Mapping

Every claim mapped to operational proof

Next, we map the current environment to VDA ISA. The ISA contains criteria catalogues for information security, prototype protection, and data protection, and each objective defines the applicable catalogues, control questions, and requirements.

We do not treat the self-assessment as a writing assignment. We map each claim to operational proof: policy, system configuration, ticket trail, log output, meeting record, inventory, workflow, risk decision, supplier evidence, or physical control. We identify maturity gaps, evidence gaps, implementation gaps, and ownership gaps. Then we separate cosmetic edits from control work.

  • VDA ISA Maturity Map
  • Evidence Matrix
  • Remediation Backlog
  • Control-Owner Assignments
  • Interview-Risk Register
  • Executive Readiness View

By the end of this phase, every control in scope has a named owner, a target maturity level, and a clear path from current state to assessment-ready.

02.

TISAX · Advisory & Engineering Remediation and Evidence Build

Where bladestack.io earns the room

This is where policies become configurations. We embed with the teams that own the systems: IT, security, cloud, engineering, DevOps, facilities, HR, legal, procurement, production operations, and lab management. We implement access control changes, logging fixes, vulnerability workflows, supplier processes, backup tests, incident procedures, training evidence, prototype handling controls, physical security records, and risk treatment actions.

The evidence set is built as a working system, not a static artifact dump. Screenshots decay. Console exports drift. Tickets close. Owners change. We build repeatable evidence paths so the assessment can be supported without panic and reproduced on demand when a partner asks for a deeper sharing level six months later.
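One shape a repeatable evidence path can take, as an added illustration that is not code from the original page or from bladestack.io: a control check runs against a machine-readable export instead of a screenshot, and the result is recorded together with the input hash, a timestamp and a tamper-evident record hash, so the same evidence can be regenerated on demand. The MDM export, the zone name, the profile name and the control reference are all constructed placeholders, not real systems or ISA control identifiers.

```python
"""Repeatable evidence path for an MDM geofence control.

Instead of a screenshot of the MDM console, the check consumes an export,
evaluates the control, and emits a record that can be re-run and verified.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample MDM export for the R&D zone (illustrative, not real data).
SAMPLE_MDM_EXPORT = json.dumps([
    {"device_id": "ios-0001", "zone": "rnd-garage",
     "geofence_profile": "rnd-camera-lock", "compliant": True},
    {"device_id": "ios-0002", "zone": "rnd-garage",
     "geofence_profile": None, "compliant": False},
    {"device_id": "ios-0003", "zone": "office",
     "geofence_profile": None, "compliant": True},
])


def check_rnd_geofence(export_json, zone="rnd-garage",
                       required_profile="rnd-camera-lock"):
    """Every device enrolled in the R&D zone must carry the geofence profile
    and report compliant. Returns a structured result, not a print."""
    devices = json.loads(export_json)
    in_zone = [d for d in devices if d.get("zone") == zone]
    failing = sorted(
        d["device_id"] for d in in_zone
        if d.get("geofence_profile") != required_profile or not d.get("compliant")
    )
    return {"checked": len(in_zone), "failing": failing, "passed": not failing}


def _canonical(body):
    # Stable serialization so the record hash is reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def evidence_record(control_ref, check_name, export_json, result):
    """Bind the result to the exact input it was computed from and seal the
    record with a hash, so later edits to the record are detectable."""
    record = {
        "control_ref": control_ref,            # hypothetical reference, not an ISA number
        "check": check_name,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "input_sha256": hashlib.sha256(export_json.encode()).hexdigest(),
        "result": result,
    }
    record["record_sha256"] = hashlib.sha256(_canonical(record)).hexdigest()
    return record


def verify_record(record):
    """Recompute the record hash over everything except the seal itself."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record.get("record_sha256")


if __name__ == "__main__":
    result = check_rnd_geofence(SAMPLE_MDM_EXPORT)
    rec = evidence_record("PP-GEOFENCE-EXAMPLE", "rnd_geofence", SAMPLE_MDM_EXPORT, result)
    print(json.dumps(rec, indent=2))
```

The point is the shape, not the specific check: the export is whatever your MDM, badge system or IdP can produce on a schedule, the check is the control logic written once, and the record is what goes into the evidence pack. Re-running it on assessment day or six months later for a partner request produces a fresh, verifiable artifact instead of a stale console export.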

  • Implemented Technical Controls
  • Updated ISMS Artifacts
  • Audit-Ready Evidence Pack
  • Remediation Validation
  • Interview Prep Materials
  • Control Operation Cadence

When an audit question lands on a control we built, your engineer answers it without paging us. That is the goal. Every word written for your architecture. Documentation your engineering team recognizes as accurate.

03.

TISAX · Audit Provider Execution Support

We stay on your side of the independence line

After registration and audit provider selection, we support the assessment without crossing independence lines. Participants ask audit providers for bids after registration, and audit providers conduct the assessment as approved parties. We stay on your side of that line.

We prepare the team for the assessment method. For AL2, that means coherent evidence, plausible self-assessment logic, and clean interviews. For AL3, that adds on-site walkthrough readiness, physical-area narratives, live control demonstration, and location-specific evidence. During assessment execution, we manage evidence requests, owner coordination, issue tracking, response consistency, and finding triage.

  • Assessment Support Workspace
  • Evidence Request Tracker
  • Interview Guide
  • Finding Log
  • Audit-Provider Response Coordination
  • Corrective Action Plan Support

Label issuance is the finish line, not report delivery. We stay engaged through the full assessment cycle until your labels are visible to your OEM counterparties on the ENX Portal.

TISAX · Labeled Without Fiction

The label is the passport. Keeping it valid is the discipline

Your labels are live on the ENX Portal. Your OEM counterparties can see them with the correct scope ID, sharing status, and objective set. The work it took to get here paid off.

TISAX is not a badge-shaped illusion. The label is an assertion about a live ISMS, and live ISMSs drift. Controls degrade. Product lines expand into new assessment objectives. OEM customers add label requirements that were not in the original assessment. The VDA ISA catalogue updates. Partner requests arrive asking for higher sharing levels than your current report posture was built to answer. Your three-year validity clock is already running toward re-assessment.

Whether you run the ongoing program internally or want a team that already knows your environment, the path forward is yours.

  • Managed TISAX Services Full-stack ISMS operations from the team that designed your program.
  • Engineering Support Enjinia Blade resources for future technical work: new labels, scope expansion, supplier portal hardening, prototype protection extension into new sites.
  • Advisory Services Ongoing access to architecture guidance for expansion decisions, new OEM contracts, and partner sharing negotiations.
  • TISAX Modernization ISA 5 to ISA 6 upgrades, and templated ISMS transitions into engineered controls without rebuilding from scratch.
  • Adjacent Framework Alignment NIS-2, ISO/SAE 21434, UN R155 and R156, ISO 27001. When TISAX is your foundation and the next regulatory wave arrives, we engineer the bridge.

Ready to Cross the Supplier Gate?

Start with a TISAX readiness review. We will map your assessment objective, scope, evidence posture, technical gaps, and remediation path so your team knows exactly what has to be built before the audit provider enters the room.