TISAX Levels Simplified: Differences, Preparations & Checklists

For automotive vendors, TISAX compliance is no longer optional — it’s a ticket to doing business in the competitive auto industry. This guide compares the three TISAX assessment levels to help you prepare for compliance. Also, get a free TISAX prep checklist.

TISAX levels explained

TISAX, or Trusted Information Security Assessment Exchange, has three assessment levels. Level 1 is a self-assessment mainly for internal purposes. Level 2 is a remote document audit, and Level 3 advances to an on-site audit. Only levels 2 and 3 result in a TISAX certificate, called a label. 

The three levels aim to establish standard security assessments for organizations throughout the automotive supply chain. TISAX is mandatory for any vendor working with a German auto manufacturer and is quickly becoming the gold standard for U.S. automakers like Ford and General Motors.

The TISAX assessment levels match the sensitivity of information an organization handles, as defined by its TISAX assessment objectives and scope ID. Scope ID helps delineate the specific areas covered by the company’s information security management system (ISMS). For example, a supplier handling prototype vehicle data may have a scope ID requiring assessment level 3 (AL 3), whereas an HR service provider handling employee data might only need AL 2. 

Also, take note that suppliers already certified for ISO 27001 have a head start. The German Association of the Automotive Industry (VDA) developed TISAX based on ISO 27001 but also included automotive-specific requirements. (For more, see our article on TISAX vs. ISO 27001.)

TISAX controls remain the same across all three assessment levels, though the assessment approach changes significantly by level. Here’s a quick overview of the TISAX security requirements: 

  • Information Security Policies – Establishing and maintaining security governance.
  • Organization of Information Security – Defining roles, responsibilities, and leadership oversight.
  • Human Resource Security – Training employees, onboarding/offboarding securely, and enforcing security awareness.
  • Asset Management – Identifying, classifying, and protecting critical information assets.
  • Access Control – Ensuring role-based and least-privilege access to systems and data.
  • Cryptography – Encrypting sensitive data at rest and in transit.
  • Physical and Environmental Security – Protecting facilities, data centers, and prototype storage areas.
  • Operations Security – Managing IT operations securely, including logging, monitoring, and endpoint security.
  • Communications Security – Safeguarding data transmission and network connections.
  • System Development & Maintenance – Implementing secure software development practices and patch management.
  • Supplier Security (Third-Party Management) – Assessing and managing risks in vendor relationships.
  • Incident Management – Detecting, responding to, and documenting security incidents.
  • Business Continuity & Disaster Recovery – Maintaining operational security during disruptions.
  • Compliance & Legal Requirements – Meeting TISAX, GDPR, ISO 27001, and contract obligations.

Comparing the three TISAX levels

TISAX Level 1, also called AL 1 for assessment level 1, is the entry point for organizations to establish information security. Level 1 relies on self-assessment and doesn’t result in a TISAX label. However, it does help prepare an organization for Level 2 or Level 3.

“TISAX Level 1 is not merely a preliminary step but a critical foundation for building an organization's information security framework,” says Michael Kirsch, co-founder, board member and customer success officer at ISEGRIM X, an information security company in Friedrichshafen, Germany. “While it is an internal exercise, it enables organizations to establish baseline controls and prepare for AL2 or AL3 assessments.”

The TISAX self-assessment is available as an Excel download from the ENX Association, which manages TISAX.

With TISAX Level 2, a third-party auditor remotely reviews your organization’s self-assessment and documentation and interviews you on a call. This is called a plausibility check.

“He will check if what you have written and are referencing makes sense or not,” Kirsch says. “It is not that you have to send in documents. You just have to have the catalog filled out and reference your documents by name.”

He adds: “Then the auditor will have some questions. He normally does a 4- or 5-hour online call, and he might ask you to show some of these documents online. And he just checks if this makes sense, or if this doesn't make sense, and then you will get your audit result.”

The required security controls remain the same across all three TISAX levels. However, Level 2 (AL 2) demands stronger enforcement, clearer evidence of compliance, and a more formalized approach to risk management. This level is often required when handling sensitive but not highly classified data.

TISAX Assessment Level 2.5 (AL 2.5)

TISAX Level 2.5 is an alternative approach to Level 2. An auditor does a full remote assessment instead of the usual plausibility check of the organization’s self-assessment.

“The advantage of AL 2.5 is that the approach is methodically compatible with AL 3,” states the TISAX Participant Handbook. “It is therefore possible to upgrade to a full-fledged assessment in AL 3 with a manageable effort at a later point in time.” 

Kirsch says AL 2.5 was mainly used during COVID-19 when on-site visits became more difficult.

TISAX Level 3 (AL 3) includes an on-site security audit for organizations managing highly sensitive information. This includes prototypes, advanced development projects, and highly confidential business data. 

An accredited TISAX audit provider performs an on-site audit to thoroughly evaluate the organization’s controls and processes. This ensures that the implemented measures meet the highest standards of protection required for critical and classified data.

A Level 3 assessment starts the same way as Level 2, with an auditor reviewing your documentation.

“But he will also be on-site conducting a physical security audit,” Kirsch says, “meaning he will go through your facility and check if the measurements that are required by the catalog are met, and he will also ask you to provide evidence. What have you written in these documents? Did you execute them? Is the process implemented? Do you have evidence on what this process looks like?”

What’s the difference between TISAX assessment levels 2 and 3?

TISAX Level 2 involves a remote audit to verify protections for sensitive information like intellectual property. Level 3 requires an on-site audit and goes into more depth to ensure you can properly handle highly sensitive data, like prototypes.

AL2 and AL3 share the same security control domains, but they differ significantly in their depth of validation and audit rigor. AL2 requires organizations to demonstrate structured implementation of security controls through documentation and remote audits. In contrast, AL3 mandates an on-site audit and verifies that security controls are not only implemented but actively functioning as intended.

Kirsch sums up the difference between Level 2 and 3 assessments: “Level 2 is you will fill out a questionnaire with documents that you will send to the auditor, and he will conduct an audit. Level 3 is you will send him this catalog with the documents, but he will also spend two, three, four days on-site, at your location to conduct physical security.”

TISAX Assessment Level 2 vs. Level 3

| Criterion | AL2 | AL3 |
| --- | --- | --- |
| Assessment type | Self-assessment with external plausibility check | Comprehensive external audit by a TISAX-approved auditor |
| Evidence requirement | Limited documentation review | Extensive documentation review, including evidence collection |
| Site visits | Not required (remote plausibility check is sufficient) | Mandatory on-site audits for in-depth verification |
| Depth of review | Evaluates existence of security measures | Evaluates effectiveness, implementation, and sustainability of security measures |
| Audit frequency | Usually every 3 years | Usually every 3 years but may include additional follow-ups |
| Certification validity | Valid for up to 3 years | Valid for up to 3 years |

TISAX assessment levels vs. TISAX maturity levels

TISAX assessment levels (AL1, AL2, and AL3) define the audit type and depth, while maturity levels (0-5) measure how mature an organization's information security management system (ISMS) is. TISAX requires aligning assessment levels with a strong ISMS maturity framework.

Here are the ISMS maturity levels from the TISAX Participant Handbook:

  • Level 0 – Incomplete: No structured process exists.
  • Level 1 – Performed: Process exists but is undocumented.
  • Level 2 – Managed: Documented and effective process.
  • Level 3 – Established: Standardized and consistently applied.
  • Level 4 – Predictable: Process is measured and controlled.
  • Level 5 – Optimizing: Continuous improvement based on business goals.

“The ISA (Information Security Assessment) uses the concept of ‘maturity levels’ to rate the quality of all aspects of your information security management system,” states the TISAX Participant Handbook. “The more sophisticated your information security management system is, the higher your maturity level will be.”

Using the right tools, such as a Governance, Risk and Compliance (GRC) system, can make a big difference, says Micah Spieler, Chief Product Officer at Strike Graph.

“Implementing any ISMS from scratch can feel daunting,” Spieler says, “and so I think it’s important to consider what additional tools might help organize your growing security program. Consider GRC systems, central document repositories, and mobile device management software. If you go with a consultant, they can help you select the right tools for your needs.”

How TISAX assessment levels connect with other TISAX elements

TISAX has four main elements. Assessment objectives define the security areas to be evaluated. Assessment levels determine the audit's depth. Maturity levels reflect how well you manage security processes. TISAX labels are the result.

Here’s a more detailed look at how the TISAX levels connect with the other elements in the TISAX framework: 

  • TISAX assessment objectives and scope ID define the scope of the evaluation (e.g., protecting prototypes or complying with GDPR) and which locations, processes, and systems are covered.
  • TISAX assessment level determines how detailed the audit should be (e.g., AL 3 for highly sensitive objectives like prototype protection).
  • The organization’s ISMS maturity level reflects how well its security measures are implemented and managed (e.g., from basic implementation to continuous improvement).
  • A TISAX label is awarded as the final output, representing that the organization meets the required security standards for the assessed objective.

Kirsch of ISEGRIM X provides this practical example of how the TISAX elements interconnect:

“Imagine a car manufacturer is developing a new vehicle prototype. The TISAX assessment objective is prototype protection. Due to the sensitive nature, the audit is conducted at Assessment Level 3 (on-site audit). The organization demonstrates a high maturity level, showing its security processes are well-implemented, monitored, and improved. After passing the audit, the company is awarded a prototype protection label, which it can share with partners to prove compliance.”

Kirsch provides the following table to further explain how the TISAX elements interconnect.

| TISAX element | What it is | Purpose | Examples and details |
| --- | --- | --- | --- |
| TISAX assessment objectives | Defines the key security areas being evaluated during the assessment. | Focuses the assessment on key areas relevant to the organization’s operations and risk profile. | Examples of objectives: Information Security (protecting data confidentiality, integrity, and availability); Prototype Protection (safeguarding physical or digital product designs); Data Protection (ensuring compliance with GDPR and other privacy regulations); Availability (guaranteeing that critical systems remain operational). |
| Assessment levels (AL) | Determines the depth and rigor of the audit based on the organization's risk level. | Matches the intensity of the audit with the sensitivity of the information being protected. | AL 1: a self-declaration of compliance, for low-risk scenarios; AL 2: an external auditor validates compliance remotely, for medium-risk situations; AL 3: a detailed on-site audit for high-risk or highly sensitive environments. |
| Maturity levels | On a 0-5 scale, this measures how advanced a company is in implementing and managing security processes. | Ensures that security controls are not only in place but also consistently applied, monitored, and improved. | Key aspects of maturity: Implementation (are measures properly installed and functional?); Documentation (are policies and processes well-documented?); Measurement (is security performance monitored?); Continuous Improvement (does the organization refine and enhance processes over time?). |
| TISAX labels | The result of the assessment process, showing compliance with specific security requirements. | Standardized labels help organizations communicate security capabilities to clients and partners in a clear, trusted way. | Examples of labels: Info High / Info Very High (for sensitive or highly sensitive information security); Prototype Protection (for securing physical or digital prototypes); Data Protection (for demonstrating compliance with GDPR); High Availability / Very High Availability (for systems requiring uninterrupted uptime). |

TISAX applies to companies in the auto supply chain. This includes parts suppliers and software, engineering, and logistics firms. Also, TISAX labels are location-specific. A company with more than one physical location must earn the necessary TISAX label for each location involved in the work.

Who needs TISAX Level 1?

TISAX Level 1 is for automotive-related companies seeking a self-assessment for baseline security. These could be logistics providers, administrative service firms, or small suppliers. It doesn’t lead to a TISAX label.

Who needs TISAX Level 2?

Auto parts suppliers and vendors typically need TISAX Level 2 (AL2) if they handle sensitive business information. This could include confidential manufacturing processes or customer data.

Who needs TISAX Level 3?

R&D firms, prototype manufacturers, and design consultants handling highly confidential information will likely need TISAX Level 3 (AL3). This level includes on-site physical audits.

Automotive contractors must implement particular information security measures based on their assessment level. For Levels 2 and 3, contractors must undergo a formal assessment by an accredited audit provider. Contracts will typically specify whether you need AL 2 or AL 3 to do work for an auto company.

Here are the overall steps to prepare for TISAX compliance:

  1. Understand the TISAX requirements
  • Read the VDA Information Security Assessment (ISA) catalog and determine which TISAX level (1, 2, or 3) applies to your organization. Seek a consultant’s help if necessary.
  • Assess the sensitivity of the information you handle (e.g., internal company data vs. prototypes).
  • Register your company at the ENX portal.

  2. Establish an information security management system (ISMS)
  • Develop a comprehensive ISMS based on ISO 27001 standards.
  • Define your ISMS scope and create a risk assessment process.
  • Develop security procedures and policies.

  3. Enact information security controls
  • Implement the controls specified in the VDA ISA catalog.
  • Create documentation. Verification rigor increases by assessment level, with AL 3 including an on-site audit.

  4. Train your team
  • Ensure employees understand their roles and responsibilities regarding information security.
  • Conduct periodic training, phishing simulations, and update workshops.

  5. Conduct internal audits
  • Perform internal audits to evaluate ISMS effectiveness.
  • Identify compliance gaps.

  6. Address the gaps
  • Use internal audit findings to update your security measures.
  • Document the improvements.

  7. Schedule a TISAX assessment for AL2 and AL3
  • AL1: No external audit is required; self-assess and document compliance.
  • AL2: Hire a TISAX-approved auditor for a remote document review.
  • AL3: Schedule an on-site audit, where auditors conduct physical security checks and interview team members.

  8. Maintain and improve your ISMS
  • After achieving the TISAX label, continuously monitor and improve security processes.
  • Regularly update your policies to keep up with trends.

How ISO 27001 helps with TISAX certification levels

ISO 27001 provides an ISMS framework to meet TISAX requirements. Having ISO 27001 certification provides a head start on TISAX, which is based on its principles and many of its controls.

“Having an ISO 27001 program already in place is like starting a race from the halfway mark,” says Strike Graph’s Spieler. “There’s significant overlap. You’ll be very well prepared for continuing to refine your program to meet the specific requirements defined for TISAX without having to start from scratch.”

For more, see our full article on TISAX vs. ISO 27001.

The benefits of completing TISAX at each level

The biggest benefits come with TISAX levels 2 and 3. Passing the audit results in a TISAX label, making you eligible to win more contracts. However, even Level 1 has the benefit of establishing your information security foundation.

Here’s a more detailed overview of TISAX benefits for assessment levels 2 and 3:

  • Enhanced trust and reputation: TISAX compliance demonstrates your organization's commitment to maintaining a robust information security posture, thereby building trust with partners, suppliers, and customers.
  • Competitive advantage: TISAX compliance can provide a competitive advantage, as it is often a mandatory requirement for working with leading automotive companies. Additionally, achieving a higher TISAX level can open up new business opportunities within the automotive industry. Companies handling more sensitive information may require partners and suppliers to have a higher TISAX level to ensure appropriate protection.
  • Streamlined assessment process: TISAX enables organizations to share assessment results with other companies in the automotive industry through a secure platform, reducing the overall cost and effort involved in demonstrating compliance to various partners.
  • Improved information security: Implementing the security controls required for TISAX compliance helps organizations identify and mitigate potential risks and vulnerabilities, leading to better protection of sensitive information and reduced chances of security incidents.
  • Regulatory compliance: Complying with TISAX requirements may also help organizations meet their obligations under various data protection regulations, such as the European Union's General Data Protection Regulation (GDPR).

How long does it take to get TISAX certification at each level?

How long TISAX takes depends on your starting point. It will often take 12-15 months or more, but it depends on the maturity of your ISMS, the size of your organization, and how prepared you are for your audit. 

A business without an ISMS will need to implement one. That takes at least 12 months, as you need to complete a Plan-Do-Check-Act (PDCA) cycle. That means preparing documentation, implementing and reviewing processes, and doing an internal audit.

Organizations that already follow ISO 27001 may complete the process more quickly, as many of the required security controls are already in place. Internal readiness also plays a major role—companies with well-documented policies, risk assessments, and security procedures will require less preparation time.

If auditors find non-conformities during the assessment, organizations will need additional time to implement corrective actions before certification is granted. Scheduling availability for TISAX auditors, particularly for AL3 on-site assessments, can also affect the timeline.

To speed up the TISAX certification process, organizations should begin with a gap assessment to identify missing security measures early. Companies that are already ISO 27001 certified can leverage existing security frameworks to streamline compliance. Using compliance management tools can also help organizations document security measures efficiently and prepare for audits more effectively.

It’s also important to note that you can’t upgrade from Level 2 to Level 3 without starting over with a new auditor. For this reason, it may benefit companies to do a Level 3 assessment even if current opportunities require only Level 2.

How much does TISAX cost at each level?

TISAX costs vary widely depending on existing security practices, company size, and resources. Organizations with a well-established ISMS or ISO 27001 certification generally face lower costs. Level 3 (AL 3) will typically cost 20 percent more than Level 2 (AL 2). 

Expenses include the ENX registration fee (around $500 per site), audit provider fees, implementation costs for security upgrades, and consulting fees. Many companies hire consultants to help with preparation, which can streamline the process and reduce the risk of non-conformities. 

  • AL1 (Self-Assessment): AL1 typically costs a few thousand dollars. Since there is no external audit, expenses are limited to the ENX registration fee and any internal costs for documentation and minor security improvements. Companies that already have strong security policies in place can complete this level quickly and with minimal investment.

  • AL2 (Remote Document Audit): Costs vary widely depending on the organization's security maturity and objectives. The remote audit itself costs $5,000 to $10,000, but companies often invest much more in policy updates, risk assessments, and security upgrades to meet TISAX requirements. Many organizations hire consultants to help prepare documentation, address gaps, and meet the requirements efficiently and effectively.

  • AL3 (On-Site Audit): Kirsch estimates that AL 3 typically costs 20 percent more than AL 2. In addition to audit provider fees, companies must demonstrate strong physical security, prototype protection, and cyber resilience. Security improvements and compliance consulting can add tens of thousands of dollars more, particularly if the organization lacks prior ISO 27001 certification or has multiple locations requiring assessment.

For all levels, audit findings and non-conformities can increase costs if corrective actions are required before certification is granted. To keep expenses under control, organizations should conduct internal audits, address security gaps early, and leverage existing security frameworks where possible.

How to simplify TISAX compliance with Strike Graph

As with any security framework, there’s a lot of information to process and work to do. It may be daunting if you’re approaching TISAX for the first time, but it doesn’t have to be.

Strike Graph’s comprehensive compliance platform helps automotive companies and their vendors prepare for and achieve TISAX labels in simple, manageable steps. You design, operate, and measure your security program all in one place — making TISAX compliance far quicker and cheaper than it has ever been with traditional approaches.

Strike Graph makes it simple to design, operate, and measure your ISMS on one comprehensive platform, speeding your TISAX process.

FAQs on TISAX levels

How do I determine which TISAX level applies to my organization?

Your TISAX level depends on audit requirements set by your business partners and the sensitivity of the information you handle. AL1 is for self-assessment, AL2 requires a remote audit, and AL3 involves an on-site audit for stricter verification. Contracts and risk factors typically determine the required level.

What is the highest ISMS maturity level for an organization in TISAX?

The highest maturity level in TISAX is level 5. It's called "Optimized." At this stage, security processes are fully integrated, continuously improved, and aligned with business goals. You proactively manage risks and automate security steps.

Do all TISAX levels require an audit?

No, only AL2 and AL3 require an external audit. AL1 is a self-assessment with no auditor validation. AL2 includes a remote audit by a TISAX-approved auditor. AL3 requires a comprehensive on-site audit for higher security verification.

What are the penalties for failing to meet the required TISAX level?

There are no regulatory fines for failing TISAX. However, you may lose opportunities. Automakers may require TISAX certification for partnerships.

Can I downgrade my TISAX level if my data sensitivity decreases?

TISAX certification does not downgrade; it simply expires after three years. When seeking a new certification, you can choose a lower assessment level if your data sensitivity has changed. However, partners may still require a higher level, so review contract obligations.

How do partner or vendor assessments impact my TISAX level compliance?

Your TISAX compliance depends not just on your own security but also on how well your vendors and partners protect shared information. Business partners may require you to assess third-party security or enforce stricter controls. Weak vendor security can lead to audit findings or higher assessment level requirements.

What role does encryption play in meeting the higher TISAX levels?

Encryption is essential for AL2 and AL3, which require protecting confidential and highly sensitive data. It ensures data remains secure during storage and transmission.
