Preparing for TISAX® audit: Key checklist for businesses

What is a TISAX audit?  

A TISAX (Trusted Information Security Assessment Exchange) audit is a standardized assessment process developed by the German Association of the Automotive Industry (VDA) and managed by the ENX Association. The TISAX® audit is the testing process for obtaining a TISAX® label. It aims to ensure high levels of information security across the automotive supply chain.  

Based on the VDA Information Security Assessment (VDA ISA) catalog, which aligns with ISO/IEC 27001, the audit evaluates an organization’s data protection, risk management, and physical security measures. Results are shared on the TISAX platform, enhancing trust and reducing the need for multiple audits by different partners. 

What is the main goal of the TISAX® audit? 

The main goal of the TISAX® audit is to ensure and verify high standards of information security across the automotive industry’s supply chain. This standardized assessment helps organizations protect sensitive data, manage risks effectively, and comply with industry-specific security requirements. By doing so, TISAX® enhances trust and credibility among business partners and customers, facilitating secure and reliable information exchanges within the automotive sector. 

What are assessment levels, and what are their main types?   

There are three TISAX assessment levels (AL), each reflecting different degrees of information security requirements. 

TISAX Level 1: Basic protection 

This level is for organizations handling general business information. Assessments focus on basic security measures like password management, secure data storage, and access control. Organizations at this level must ensure a basic level of security for non-sensitive information. 

TISAX Level 2: Advanced protection 

Level 2 is for organizations handling sensitive information, such as intellectual property or personal data. This assessment is more thorough, covering additional controls like data classification, protection, and encryption. Organizations at this level must follow stricter security standards to protect sensitive information. 

TISAX Level 3: Enhanced protection 

This level is for organizations dealing with highly sensitive information, such as prototypes or confidential projects. The assessment is very rigorous, focusing on advanced security measures like strict access controls, enhanced monitoring, and detailed incident response procedures. Companies at this level must have strong security measures to protect highly sensitive data. 

TISAX® has eight different test objectives. A company can get eight different labels according to TISAX®.  

	TISAX® test objective	Assessment Level (AL)
1	Handling information with a high need for protection	AL 2
2	Handling information with a very high need for protection	AL 3
3	Protection of prototype parts and components	AL 3
4	Protection of prototype vehicles	AL 3
5	Handling test vehicles	AL 3
6	Protection of prototypes during events and film/photo shoots	AL 3
7	Data protection (according to Art. 28 GDPR)	AL 2
8	Data protection with special categories of personal data	AL 3

Three TISAX® assessment levels also describe the auditor’s activities during the audit. 

At AL 1, the auditor does not participate. The company provides a self-assessment of its information security management system (ISMS), which is not further questioned or checked. AL 1 is formal and doesn’t result in any test label, so it isn’t practically used. 

For AL 2, the company must complete the VDA ISA questionnaire and send it along with complete ISMS documentation to the selected auditor. The auditor reviews these documents and prepares for an audit interview, which is conducted remotely. 

The main difference between AL 3 and AL 2 is how the audit is done. At AL 3, the audit is conducted in person. The auditor visits the company to ensure that the ISMS guidelines and measures are effectively implemented.

---

Compliance Aspekte is an efficient AI-enabled tool for TISAX® implementation.  

Using the tool, organizations can seamlessly manage compliance processes, evaluate risks, and manage relevant documentation and TISAX®-related tasks. 

Compliance Aspekte supports multiple automotive spandards including TISAX® VDA ISA 6.0, ASPICE®, ISO 21434, ISO 26262, KGAS.

---

How does a TISAX® audit work? 

Companies must register for the TISAX® process through the ENX online portal, where they specify their desired audit objectives. 

After registering and selecting the audit objectives, companies can choose an accredited audit service provider to conduct the audit. They need to provide the auditor with the completed VDA ISA questionnaire and documentation of their ISMS. The auditor reviews these documents, checks the relevant evidence, and performs a remote or on-site audit before issuing the TISAX® label(s). 

The VDA ISA questionnaire includes a self-assessment of how well each measure has been implemented. The auditor verifies this information by requesting suitable evidence. Simply creating internal guidelines and policies is not enough. TISAX® participants must demonstrate that they follow these guidelines. 

Who needs a TISAX® certificate? 

A TISAX® certificate is needed by organizations within the automotive industry that handle sensitive information and need to demonstrate their compliance with high standards of information security.  

Such organizations include: 

• Automotive manufacturers (OEMs): Companies that design, produce, and sell vehicles. 
• Automotive suppliers and vendors: Organizations that provide parts, components, or services to automotive manufacturers. 
• Automotive service providers: Businesses that offer IT, logistics, consulting, or other services to the automotive sector. 
• Automotive partners and subcontractors: Entities involved in collaborative projects or who have access to sensitive information shared by automotive companies. 

Obtaining a TISAX® certificate helps these organizations demonstrate their commitment to information security, meet industry requirements, and build trust with their business partners. 

The main benefits of TISAX® audit 

The TISAX® audit offers several key benefits for organizations looking to enhance their information security practices and meet the security requirements of their partners or customers, including: 

• Enhanced security posture: The TISAX® audit helps organizations identify and address security gaps, leading to a stronger and more resilient security posture. 
• Compliance with standards: TISAX® compliance demonstrates that an organization meets the security requirements of the automotive industry, which can be a competitive advantage when working with automotive manufacturers and suppliers. 
• Improved risk management: By conducting a TISAX® audit, organizations can better understand and manage their information security risks, reducing the likelihood of security incidents. 
• Enhanced customer trust: TISAX® compliance demonstrates to customers and partners that an organization takes information security seriously, which can help build trust and credibility. 
• Cost savings: While the initial investment in a TISAX® audit may be significant, achieving compliance can lead to cost savings in the long run by reducing the likelihood of security breaches and associated costs. 
• Competitive advantage: TISAX® compliance can give organizations a competitive advantage in the automotive industry by demonstrating their commitment to security and compliance. 
• Global recognition: TISAX® is recognized internationally as a standard for information security in the automotive industry, which can be beneficial for organizations operating in multiple regions. 

Overall, the TISAX® audit can help organizations improve their security posture, build trust with customers and partners, and achieve a competitive advantage in the automotive industry. 

How long does a TISAX® audit take? 

Preparing for a TISAX® audit can take weeks, months, or even years. However, the actual TISAX® assessment only takes a few days at most. The duration depends on the TISAX® label you want and your company’s structure. 

A company with many international locations and needing an on-site audit at Assessment Level 3 will need more time compared to a company with one location and an audit at AL 2. This is true even if the audit service provider has international teams to share the workload. 

---

Using the Compliance Aspekte tool, you can significantly cut down the time needed for audits and TISAX® implementation.

Additionally, we offer TISAX® compliance as a service. Our automotive compliance consultants can manage the entire TISAX® implementation process for you using the Compliance Aspekte tool, ensuring your company is well-prepared for the TISAX® audit.

---

TISAX audit checklist: Steps you need to follow 

Step 1: Your ISMS 

Define your ISMS scope: 

• Clearly outline the boundaries within which your ISMS will be implemented. This includes all systems, processes, physical locations, services, products, and departments that require protection according to TISAX® standards. 

List the information you protect: 

• Compile a comprehensive list of all information that needs protection, including data stored in cloud services (e.g., Office, G-Suite), tools like Salesforce, Pipedrive, and Slack, as well as information on servers, subcontractors/suppliers, and received from customers. 

Document information security goals: 

• Define and document your goals for ensuring the confidentiality, integrity, and availability of company information. 

Establish principles for secure operation: 

• Develop policies to safeguard information from unauthorized access or modification. Ensure information is readily accessible to authorized personnel. 

Step 2: Your team 

Define roles and responsibilities: 

• Identify team members responsible for preparing for the assessment. Include representatives from various departments, not just IT. 

Implement employee training: 

• Regularly train all employees on information security to keep them informed about potential risks and their impact on daily operations. 

Develop access control policy: 

• Create rules and policies for granting, controlling, and monitoring access to information. 

Step 3: Risk assessment and treatment 

Define risk assessment methodology: 

• Establish a methodology for assessing natural, physical, legal, contractual, compliance, and financial risks. 

Develop risk treatment plan: 

• Outline responses to potential risks, such as server crashes or critical cloud service failures. 

Prepare risk assessment report: 

• Summarize potential threats, their likelihood, impact, and necessary security controls/actions to prevent them. 

Step 4: Customers, suppliers, and partners 

Develop supplier compliance policy: 

• Clearly define your company’s requirements, expectations, and sanctions when working with suppliers and partners. 

Document customer data protection measures: 

• Ensure personal or sensitive customer data is protected as per legal and regulatory requirements. 

Meet legal, regulatory, and contractual requirements: 

• Document and adhere to requirements for each business relationship. 

Step 5: Testing and assessment 

Monitor and assess your ISMS: 

• Assess the effectiveness and detailed operation of your ISMS, including risk identification, assessment, treatment, documentation status, and management reviews. 

Evaluate monitoring results: 

• Analyze incident prevention, employee training effectiveness, and goal achievement. 

Document corrective actions: 

• Implement measures to prevent or neutralize threats, such as access protection or server relocation. 

Conduct TISAX® self-assessment: 

• Ensure ISMS stability and effectiveness by performing a self-assessment based on the Information Security Assessment (ISA) framework. 

The main challenges of TISAX® auditing 

The TISAX® audit, like any comprehensive security audit, comes with its own set of challenges. Some of the main challenges include: 

• Complexity of requirements: TISAX® compliance requires adherence to a detailed set of security requirements. Ensuring that all aspects are covered and implemented correctly can be challenging. 
• Scope definition: Defining the scope of the audit accurately, including all relevant systems, processes, and locations, can be complex, especially for large organizations with diverse operations. 
• Resource allocation: Conducting a TISAX® audit requires significant resources, including time, personnel, and financial resources, which can be a challenge for some organizations. 
• Continuous compliance: Maintaining compliance with TISAX® requirements over time can be challenging, especially as technology and security threats evolve. 
• Third-party cooperation: TISAX® audits often require collaboration with third-party vendors and partners to assess their security practices, which can be challenging to coordinate. 
• Auditor selection: Choosing a qualified and accredited auditor can be challenging, as the auditor must have the necessary expertise and experience to conduct a thorough audit. 
• Cost: TISAX® audits can be costly, especially for organizations undergoing the audit for the first time or those with complex security requirements. 

Addressing these challenges requires careful planning, resource allocation, and ongoing commitment to information security best practices. 

Conclusion 

The TISAX® audit is a detailed process that helps automotive companies meet high information security standards. By going through this audit, you can improve your security measures, manage risks better, and build trust with your partners and customers. This not only gives you a competitive edge but also helps ensure long-term success. 

Preparing for and passing the TISAX® audit can be challenging, but the Compliance Aspekte ISMS tool can help. Our easy-to-use platform makes it simpler to manage your compliance efforts, handle risks, and stay aligned with TISAX® standards. 

Get in touch with us today to learn more about how the Compliance Aspekte ISMS solution can help you achieve TISAX® compliance. Let us help you protect your data, secure your assets, and meet the highest information security standards.