TISAX Firewall Requirements: What Automotive Suppliers Must Document
If you’re an automotive supplier preparing for TISAX certification, your firewall documentation will be under the microscope. TISAX firewall requirements define exactly what auditors expect—and most suppliers aren’t prepared.
The VDA (Verband der Automobilindustrie) created TISAX to protect sensitive vehicle data across the supply chain. Every firewall rule, every change, every exception must be documented and justified. This isn’t bureaucracy—it’s how OEMs like BMW, Mercedes, and Volkswagen protect their intellectual property.
This guide breaks down the specific TISAX firewall requirements you must meet, common audit failures, and how to build documentation that passes on the first attempt.
What Is TISAX and Why Does It Matter for Firewalls?
TISAX (Trusted Information Security Assessment Exchange) is the automotive industry’s information security standard. It’s managed by the ENX Association and based on the VDA Information Security Assessment (ISA) catalog. Over 30,000 suppliers worldwide need TISAX to work with German OEMs.
Firewalls sit at the heart of TISAX compliance. They control access to vehicle development data, prototype specifications, and supplier networks. The TISAX firewall requirements ensure every access path is documented, authorized, and auditable.
Unlike ISO 27001, TISAX is specifically designed for automotive. Auditors understand manufacturing environments, OEM connectivity requirements, and supply chain complexity. They also know exactly where suppliers cut corners on firewall documentation.
The 5 Core TISAX Firewall Requirements
The VDA ISA catalog specifies clear controls for network security. Here are the five TISAX firewall requirements that auditors check first:
1. Complete Change History
Every firewall rule change must be logged with timestamp, requestor, approver, and business justification. The German BSI guidelines require this for all security-critical systems. Auditors will request change logs for random date ranges—gaps mean findings.
Your TISAX firewall requirements documentation must show who requested each rule, why it was needed, and who approved it. “IT requested” or “standard change” doesn’t satisfy auditors. They want specific business context.
2. Rule Review and Recertification
TISAX requires periodic review of all firewall rules. At minimum, conduct annual reviews. For high-sensitivity data (Assessment Level 3), quarterly reviews may be expected.
Each review must document: rule necessity, current owner, expiration if applicable, and sign-off. Rules without active owners or business justification should be removed. Auditors specifically look for “orphan rules” that nobody owns.
3. Network Segmentation Evidence
The VDA ISA requires network segmentation between development, production, and office environments. Your firewall rules must demonstrate this segmentation. Meeting TISAX firewall requirements means showing clear boundaries between network zones.
Auditors expect network diagrams that map to firewall rule sets. Each inter-zone connection needs documented justification. OEM connectivity zones require extra scrutiny—these are primary targets for supply chain attacks.
4. Access Control Documentation
Who can modify firewall rules? TISAX requires documented access controls and separation of duties. The person requesting a change shouldn’t be the same person approving or implementing it.
Your documentation must show role-based access to firewall management systems. Privileged access should be time-limited and logged. Multi-factor authentication is increasingly expected for firewall administration.
5. Incident Response Integration
Firewall logs must feed your incident detection and response processes. TISAX firewall requirements include demonstrating how you detect and respond to anomalous traffic. Log retention, alerting thresholds, and response procedures all need documentation.
The ENISA (European Union Agency for Cybersecurity) provides guidance on log management that aligns with TISAX expectations. Auditors check that firewall events integrate with your SIEM or security monitoring platform.
Why 67% of Suppliers Fail Their First TISAX Audit
Most audit failures trace back to documentation, not technical controls. Suppliers have firewalls. They have rules. What they lack is the audit trail proving governance over those rules.
Common failure patterns include:
Excel-based change tracking: Spreadsheets get lost, overwritten, or lack integrity controls. Auditors cannot verify entries weren’t modified after the fact. TISAX firewall requirements demand tamper-evident records.
Ticket system gaps: Using ServiceNow or Jira for changes is better than Excel, but tickets often lack required fields. Requestor name, business justification, and formal approval chains are frequently missing.
Missing rule reviews: Many suppliers have never conducted a full rule base review. When auditors ask for evidence of annual recertification, there’s nothing to show. This is an automatic finding.
No connection to network diagrams: Rules exist but nobody can explain how they map to network architecture. Auditors expect rule sets to tell a story about your segmentation strategy.
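The record fields from requirement 1, the separation of duties from requirement 4, and the tamper-evident records this section calls for can be demonstrated with a hash-chained change log. The code below is an added illustration, not the post's own code and not FwChange's product; the field names, the generic-justification list, and the sample entries are assumptions made for the example.

```python
"""Added example: a minimal hash-chained firewall change log.
Each entry carries the fields auditors expect (timestamp, rule, requestor,
approver, justification), rejects generic justifications, enforces
requestor != approver, and chains entries so an after-the-fact edit of any
earlier record is detectable. Field names are an assumption for this example."""
import hashlib
import json

REQUIRED = ("timestamp", "rule", "requestor", "approver", "justification")
GENERIC_JUSTIFICATIONS = {"it requested", "standard change"}  # phrases the post says fail audit

def record_hash(record, prev_hash):
    """SHA-256 over the canonical JSON of the record plus the previous entry's hash."""
    payload = json.dumps(record, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()

def append_change(log, **fields):
    """Validate one change and append it as a chained entry; returns the entry."""
    missing = [f for f in REQUIRED if not fields.get(f)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    if fields["justification"].strip().lower() in GENERIC_JUSTIFICATIONS:
        raise ValueError("justification must give specific business context")
    if fields["requestor"] == fields["approver"]:
        raise ValueError("requestor and approver must differ (separation of duties)")
    prev = log[-1]["hash"] if log else "0" * 64          # genesis link for the first entry
    entry = {"record": dict(fields), "prev": prev}
    entry["hash"] = record_hash(entry["record"], prev)
    log.append(entry)
    return entry

def verify_log(log):
    """Return True only if every entry's hash and back-link are intact."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry["hash"] != record_hash(entry["record"], prev):
            return False
        prev = entry["hash"]
    return True

if __name__ == "__main__":
    log = []
    # Constructed sample change; the ticket id CR-1042 is made up for the example.
    append_change(log, timestamp="2025-03-04T09:12:00Z", rule="allow-oem-vpn",
                  requestor="j.meier", approver="s.weber",
                  justification="OEM CAD sync for project X (CR-1042)")
    print("valid:", verify_log(log))
    log[0]["record"]["approver"] = "j.meier"     # simulate an after-the-fact edit
    print("valid after edit:", verify_log(log))  # False
```

The chain only proves integrity relative to the latest hash, so in practice that head hash is exported to a system the firewall administrators cannot write to.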
How to Prepare Your Firewall Documentation for TISAX
Start preparation at least 6 months before your audit. Here’s a practical roadmap for meeting TISAX firewall requirements:
Step 1: Inventory All Firewalls
Document every firewall in scope: perimeter, internal segmentation, cloud security groups, and host-based. Include vendor, version, and management method. Auditors will ask for this inventory first.
Step 2: Export and Analyze Current Rules
Pull complete rule exports from each firewall. Identify rules without clear ownership or business purpose. Flag “any/any” rules, disabled rules that remain in configuration, and rules older than 12 months without review.
Step 3: Implement Change Management Process
Establish a formal process capturing all TISAX firewall requirements: request, approval, implementation, and verification. Document the process and train staff. Every change from this point forward must follow the process.
Step 4: Conduct Rule Review
Review every rule with business owners. Document necessity, assign ownership, set expiration dates where appropriate. Remove unnecessary rules. This is often the most time-consuming step but provides immediate security benefit.
Step 5: Map to Network Architecture
Create or update network diagrams showing segmentation zones. Cross-reference rule sets to these zones. Auditors should be able to trace any rule back to an architectural decision.
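Step 2 of this roadmap (flagging "any/any" rules, disabled rules left in the configuration, rules without an owner or justification, and rules not reviewed within 12 months) can be scripted against a rule export. The code below is an added example, not the post's or FwChange's code; the CSV column names and the sample rows are constructed, since each firewall vendor exports in its own format.

```python
"""Added example: triage a firewall rule export against the Step 2 checks.
The CSV layout below is a constructed assumption, not any vendor's real format."""
import csv
import io
from datetime import date, timedelta

# Constructed sample export for the example (column names are an assumption).
SAMPLE_EXPORT = """\
rule_id,name,src,dst,service,action,enabled,owner,justification,last_reviewed
10,allow-oem-vpn,10.20.0.0/24,172.16.5.10,tcp/443,allow,true,j.meier,OEM CAD sync (CR-1042),2024-11-03
11,legacy-any,any,any,any,allow,true,,,2021-02-14
12,old-backup,10.20.0.5,10.30.0.9,tcp/22,allow,false,a.koch,Backup host decommissioned,2023-01-10
13,dev-to-prod,10.40.0.0/24,10.50.0.0/24,tcp/1433,allow,true,m.ruiz,,2025-06-01
"""

REVIEW_INTERVAL = timedelta(days=365)  # annual review is the minimum the post cites

def analyze_rules(export_text, today_iso):
    """Return {rule_id: [finding, ...]} for every rule that needs attention.
    today_iso is the review date as YYYY-MM-DD so results are reproducible."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        if row["src"] == "any" and row["dst"] == "any" and row["service"] == "any":
            issues.append("any/any rule")
        if row["enabled"].strip().lower() != "true":
            issues.append("disabled rule still in configuration")
        if not row["owner"]:
            issues.append("no owner")
        if not row["justification"]:
            issues.append("no business justification")
        age = today - date.fromisoformat(row["last_reviewed"])
        if age > REVIEW_INTERVAL:
            issues.append(f"not reviewed for {age.days} days")
        if issues:
            findings[row["rule_id"]] = issues
    return findings

if __name__ == "__main__":
    for rule_id, issues in analyze_rules(SAMPLE_EXPORT, "2025-09-01").items():
        print(rule_id, "; ".join(issues))
```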
Manual vs. Automated Firewall Documentation
Suppliers face a choice: continue with manual documentation or implement automated firewall change management. The difference in audit outcomes is significant.
Manual approaches (Excel, tickets, shared drives) require constant discipline. One missed entry, one undocumented emergency change, and your audit trail has gaps. Staff turnover means institutional knowledge disappears.
Automated tools capture changes directly from firewalls. Every modification is logged automatically with full context. Historical data is preserved and searchable. TISAX firewall requirements become easier to demonstrate because evidence is generated continuously.
According to Gartner research, organizations using automated policy management reduce audit preparation time by 60-80%. For TISAX specifically, automated documentation eliminates the most common failure points.
Assessment Levels and Firewall Expectations
TISAX has three assessment levels. Your required level depends on the sensitivity of OEM data you handle:
Assessment Level 1 (Normal): Basic TISAX firewall requirements apply. Change documentation and annual reviews expected. Self-assessment may be sufficient.
Assessment Level 2 (High): Stricter controls. Quarterly rule reviews recommended. On-site audit by accredited provider required. Most OEM development data falls here.
Assessment Level 3 (Very High): Maximum controls. Prototype data, unreleased vehicle specifications. Enhanced logging, more frequent reviews, detailed access controls mandatory.
Know your assessment level before preparing. Over-engineering for Level 1 wastes resources. Under-preparing for Level 3 guarantees failure.
Preparing for the Auditor’s Questions
TISAX auditors follow the VDA ISA catalog systematically. For network security, expect these questions:
“Show me the change history for your perimeter firewall over the last 6 months.” You need timestamped records with business justification for every change.
“How do you ensure firewall rules remain necessary over time?” Describe your review process, frequency, and provide evidence of recent reviews.
“Walk me through how a firewall change request is processed.” Demonstrate the workflow from request to implementation. Show separation of duties.
“How does this rule set map to your network segmentation?” Connect rules to architecture. Explain why specific traffic is permitted between zones.
Prepare your team to answer confidently. Documentation should be immediately accessible, not buried in shared drives or ticket systems.
Next Steps: Your TISAX Firewall Checklist
Meeting TISAX firewall requirements is achievable with proper preparation. Use this checklist to assess your readiness:
☐ All firewalls inventoried with vendor, version, location
☐ Complete change history available for past 12 months
☐ Formal change management process documented and followed
☐ All rules have assigned owners and documented justification
☐ Annual (or quarterly) rule reviews conducted and evidenced
☐ Network diagrams map to firewall rule sets
☐ Access controls and separation of duties documented
☐ Firewall logs integrated with security monitoring
If gaps exist, address them before scheduling your audit. The cost of remediation and re-audit far exceeds proper preparation.
Get Your Free TISAX Firewall Audit
FwChange helps automotive suppliers automate firewall documentation and meet TISAX firewall requirements. Our platform captures every change automatically, generates audit-ready reports, and eliminates manual tracking.
Request a free firewall audit to see how your current documentation measures against TISAX requirements. We’ll identify gaps and show you exactly what auditors will question.
Frequently Asked Questions
What firewall documentation does TISAX require?
TISAX requires complete change history with timestamps, requestor, approver, and business justification. You also need evidence of periodic rule reviews, network segmentation documentation, access controls, and incident response integration.
Can I use Excel for TISAX firewall documentation?
Excel is not recommended. Auditors question spreadsheet integrity since entries can be modified without audit trails. Automated change management systems or ticketing systems with proper controls are preferred for meeting TISAX firewall requirements.
How often must firewall rules be reviewed for TISAX?
Annual reviews are the minimum requirement. For Assessment Level 3 (very high protection needs), quarterly reviews are often expected. Each review must document rule necessity, ownership, and formal sign-off.
What happens if I fail the TISAX firewall audit?
You’ll receive findings that must be remediated before certification. This delays your TISAX label and may impact OEM contracts. Re-audits incur additional costs and timeline delays, typically 3-6 months.
