TISAX audits can feel overwhelming, but you can succeed with the right approach and tools. This guide shares expert tips on preparing for, undergoing, and passing your TISAX audit. Also, get your free audit checklist.

Key Takeaways:

• TISAX audits have three levels: AL 1 (self-assessment), AL 2 (remote third-party audit), and AL 3 (on-site third-party audit).
• Audits evaluate security maturity by assessing ISMS effectiveness, data protection practices, and prototype security, ensuring compliance with industry standards.
• Preparation includes gap analysis, implementing controls, documentation, employee training, and choosing an accredited auditor.
• The audit process involves registration, auditor selection, assessment, reporting, and corrective actions.
• Common challenges include insufficient documentation, vendor security gaps, weak incident response plans, and underestimating resource needs.
  
  

What do TISAX compliance audits cover?

TISAX audits cover how effectively auto vendors meet information security standards. You determine your objectives and scope, often based on contract requirements. That leads to your audit type and what measures you implement and document to pass the audit.

There are three types of audits in TISAX, or Trusted Information Security Assessment Exchange. Assessment level 1 (AL 1) is a self-assessment mainly for internal purposes. AL 2 is a third-party audit conducted remotely, and AL 3 includes an on-site audit.

Depending on your assessment objectives, audits focus on these key aspects of an organization’s information security:

• Information security controls: These criteria include evaluating technical measures like access management, network security, and encryption protocols, as well as security policies, incident response procedures, and employee security training programs.
• Data protection practices (AL 2 and AL 3): The audit assesses how you handle personal data, ensuring compliance with relevant privacy regulations and implementing appropriate safeguards for sensitive information.
• Prototype protection measures (AL 2 and AL 3): The audit evaluates criteria designed to cover prototype vehicles or components, including physical security measures, confidentiality agreements, and specific protocols for protecting intellectual property.
  
  

The TISAX audit assessment scope is location-based, as your partner’s requirements dictate. The assessment objectives you choose for the audit determine your information security management system (ISMS) protection requirements. The type of data you handle determines your TISAX assessment objectives:

• TISAX Level AL1: For information with normal protection needs. Satisfied with a self-assessment.
• TISAX Level AL2: For information requiring high protection. Satisfied with a remote audit of the self-assessment results and a documentation review.
• TISAX Level AL3: For information requiring very high protection. Satisfied with an on-site audit and documentation review.
  
  

Each audit level builds upon the previous one, with self-assessments providing an internal foundation. AL 2 (remote audit) adds a verification layer and documentation review with an ENX-accredited auditor. AL 3 (on-site audit) offers the most comprehensive evaluation of your security controls and processes and takes the most time and resources to complete. 

TISAX audits assess an organization's information security management system (ISMS) against the VDA ISA criteria, focusing on three primary areas: information security, prototype protection, and data protection. The depth and scope of the assessment objectives vary based on the type of data you handle.

TISAX responds to the growing need for strong information security in the automotive sector. It helps organizations follow high standards for data protection and maintain trust. The framework offers a transparent and efficient way to evaluate security, allowing companies to share results safely with Original Equipment Manufacturers (OEMs) and other partners in the automotive supply chain.

The 2021 research paper TISAX – optimization of IT risk management in the automotive industry explains that automotive OEMs' exchange of sensitive data, such as design details with supply chain partners and vendors, necessitated the need for a repository of automotive-specific security requirements and simplified verification of accredited partners.

"TISAX enables a mutual acceptance of information security assessments and provides a common evaluation and exchange mechanism," the authors write. "The evaluation results are always under the control of the evaluated company."

TISAX maturity levels and criteria

TISAX uses a six-point maturity level scale to measure operational effectiveness across more than 100 specific requirements. This scale starts at Level 0, indicating non-existent or ad-hoc processes. It goes up to Level 5, a fully optimized and continuously improving system.

TISAX audits evaluate the maturity of your information security processes, focusing on criteria such as documentation quality, procedural consistency, and integration into business operations. By progressing up the maturity scale, companies demonstrate compliance and a commitment to improving their security posture. 

TISAX audits evaluate the following criteria:

• Information security management system (ISMS): This aligns the overall criteria for ISMS compliance with ISO 27001, ensuring all processes meet ISO benchmarks. It also adds additional industry-specific criteria tailored for the automotive manufacturing and supply-chain security standards.
• VDA Information Security Assessment (ISA): The ISA questionnaire is a critical self-assessment tool that empowers companies to evaluate their readiness against TISAX requirements before undergoing formal audits.
• Physical security: Ensuring secure handling and storage of sensitive information.
  Data handling: Protecting vehicle and component prototypes and related intellectual property throughout the automotive manufacturing supply chain.
• Vendor risk management: Assessing the security posture and compliance of third-party suppliers and partners in all aspects of the supply chain.
• Incident response planning: Ensuring companies are prepared to handle security incidents effectively with documented and tested security policies and action plans.
• Operational effectiveness: Evaluating how well security processes are implemented and integrated into daily business operations, ensuring consistency and efficiency across all departments.
  
  

TISAX is a vital standard created by the German Association of the Automotive Industry (VDA) and managed by the ENX Association. The VDA designed the TISAX framework to set strong information security standards for the automotive industry. The ENX Association runs the TISAX program, which includes overseeing audit providers and maintaining the ENX TISAX portal for sharing assessment results. 

What are the different types of TISAX compliance audits?

TISAX has three audit types, known as assessment levels. They determine the audit’s approach and rigor. The TISAX assessment levels start at AL 1, a self-assessment that doesn’t result in a TISAX label. In AL 2, an external auditor remotely conducts a document audit. AL 3 includes an on-site audit.

Here is a more detailed breakdown of the TISAX assessment levels:  

• Self-assessment (assessment level 1 or AL1): The entry point for TISAX compliance is self-assessment, where organizations evaluate security measures against the VDA ISA framework. This internal review helps companies identify gaps in their security controls and prepare for higher-level assessments. While self-assessment provides valuable insights, it typically doesn't meet the requirements of major automotive manufacturers or Tier-1 suppliers.
• Remote assessment (assessment level 2 or AL2): Remote audits involve a “plausibility check” conducted virtually by an accredited TISAX audit provider. During these assessments, auditors review documentation in a video call with the company being audited. 
• On-site assessment (assessment level 3 or AL3): The most comprehensive TISAX audit type involves physical inspection of your facilities by qualified auditors. These assessments include in-person interviews, direct observation of security controls, and thorough examination of both physical and digital security measures. On-site audits are mandatory for organizations with very high protection requirements (AL3), particularly those involving prototype protection.
  
  

Each assessment level up to AL 3 increases the scrutiny and verification of security controls. The automaker you’re working with will dictate which assessment level you need to use, says TISAX expert Michael Kirsch. He is a co-founder, board member, and Customer Success Officer at Isegrim X, an information security company specializing in TISAX assessment and audit support. 

He states that in Europe, it took about seven years for TISAX to become an industry-wide requirement. Before TISAX, companies without the certification could not deliver services or products to the major automotive OEMs (Original Equipment Manufacturers). Kirsch anticipates a faster adoption timeline in the United States, potentially within the next two to three years. TISAX will become just as essential as security frameworks like ISO 27001, NIST, or SOC 2, but with a specific focus on data protection and prototype security that is unique to the automotive sector.

 "The TISAX AL 1 level is a baseline and rarely recognized by major automotive OEMs for potential business partners," says Kirsch. He emphasizes the importance of TISAX AL 3 for most companies due to the time and effort required to achieve it compared to doing AL 2 and then starting over if another OEM partner requires AL 3.

"Always strive for the TISAX Level 3 assessment," says Kirsch. "You can't upgrade from Level 2 to Level 3 without starting the process from the beginning with a new auditor and potentially investing more time and resources in preparation." 

Also, Kirsch says the experience of hosting an ENX-accredited auditor on site may provide lasting internal benefits and improvements for your overall information security posture.

Beyond the commercial benefits, Kirsch highlights that implementing a TISAX-compliant ISMS also provides internal advantages.

“TISAX provides a structured ISMS to document risks, processes, and access controls," says Kirsch. "This improved visibility and accountability can benefit your overall security posture and risk management."

For more, see our guide to TISAX assessment levels.

Key differences between TISAX assessment levels

The three types of TISAX audits, or assessment levels, differ in depth, methodology, and validation. These differences directly impact their suitability for different business needs. Each level—AL 1, 2, and 3—serves a unique purpose.

Here is a closer look at the differences between TISAX audit levels: 

• Validation depth and evidence requirements: Self-assessments (AL 1) rely entirely on internal documentation and self-reporting, with no external verification of implemented controls. Remote document audits (AL 2) require concrete evidence through digital documentation and a video call. On-site audits (AL 3) represent the highest level of scrutiny, combining physical inspection with extensive documentation review and in-person interviews.
• Results recognition: Self-assessment results have limited recognition in the automotive industry and rarely satisfy automaker requirements. No TISAX label results from AL 1. Passing an AL2 or AL 3 audit will result in a TISAX label, shareable with partners to verify contract eligibility.
• Protection needs: Different types of data require higher protection for automotive OEMs and partners. The TISAX ISA defines three "protection needs": normal, high, and very high. The more sensitive information you handle, the more significant the data protection requirements. High protection needs align with AL 2, and very high needs correspond to AL 3.
  
  

How TISAX Assessment Levels Differ

How to determine your TISAX audit level

Selecting the appropriate TISAX audit level requires careful evaluation of your organization's role in the automotive supply chain and specific customer requirements. Here's a systematic approach to making this determination:

• Assess your customer requirements: Review your contracts and communicate with automotive partners. Many OEMs and Tier-1 suppliers explicitly state their required TISAX assessment level in their supplier requirements documentation. BMW, for example, typically requires AL 2 or AL 3 assessments for suppliers handling sensitive data or prototypes.
• Evaluate data and information: Consider the types of information your organization processes. AL 2 is typically required to process technical drawings, specifications, or personal data. Working with prototypes or highly confidential development data requires AL 3.
• Consider your business activities: Your business activities impact the required TISAX assessment level. Software development or IT service providers usually need AL 2 at a minimum. Prototype vehicle component manufacturers need AL 3 certification. 
• Geographic and operational factors: Multiple locations or international operations may influence your audit requirements. Each facility handling protected information needs separate protection needs assessments.
• Future business opportunities: Consider your business strategy and potential future requirements. Opting for AL 3 initially might be more cost effective than upgrading later, particularly if you plan to expand your automotive industry partnerships.
  
  

It's crucial to assess the sensitivity of the information your company manages and the relevant protection needs to determine the appropriate TISAX audit. TISAX defines three primary protection needs:

• Normal Protection: For routine data requiring standard safeguards.
• High Protection: For sensitive information, such as supplier contracts.
• Very High Protection: Critical prototypes or intellectual property necessitating stringent security measures.
  
  

Utilizing the TISAX Protection Needs Assessment can help evaluate your organization's specific requirements. Consulting with partners and stakeholders also ensures that the selected audit level aligns with contractual obligations and business objectives.

Steps to Prepare for a TISAX Audit

You can prepare for a TISAX audit by following a recommended series of steps. This includes understanding your security needs and analyzing gaps to see where you fall short. Later steps include implementing the required controls, documenting them, and training your team. Then, schedule your audit.

"You must train every employee for the TISAX-specific requirements by location," says Kirsch. "It's not enough to show that you have an ISMS implemented without documenting security incidents and improving how you communicate policy. The TISAX auditor wants to see incidents recorded. Otherwise, that is a red flag for an audit." 

Kirsch says it's often a delicate balance to help companies understand this topic and the audit process, especially at the C-suite and leadership levels.

"You need to prepare your people to be transparent and to produce thorough, honest documentation to achieve TISAX compliance."

Here's a step-by-step guide to prepare for your TISAX audit:

1. Understand protection needs: Assess your information security risk level to determine the required TISAX level. Use the VDA ISA framework to evaluate your protection needs and the current state of your ISMS accurately. Engage with an ENX-accredited partner early in the process to assist with your audit goals. If you partner with an auditor in the preparation phase, remember that you will need to engage with a different TISAX auditor to obtain your certification per ENX requirements.  
2. Conduct a gap analysis: Conduct an audit readiness assessment to compare current practices against TISAX standards. Identify gaps and vulnerabilities that need immediate attention. Prioritize the gaps from your TISAX self-assessment that could jeopardize certification.
3. Implement required controls: Based on your gap analysis, implement necessary security to align with ISO 27001 standards while incorporating TISAX-specific criteria for the automotive industry. Include policies on data classification, incident response, and secure communication measures for your ISMS, including:
   - Developing or updating security policies and procedures
   - Implementing technical controls and security tools
   - Establishing incident response processes
   - Creating employee training programs
   - Setting up physical security measures
4. Organize documentation: Prepare key documents, including access control logs and risk assessments, and consider using a document management system or tool for easy retrieval and documentation updates.
5. Conduct the TISAX self-assessment: Identify any remaining gaps and allow time for final adjustments to your corrective action plans. Consider engaging external consultants familiar with TISAX requirements for an objective evaluation. Identify non-conformities and ensure readiness for your desired audit level. Develop corrective action plans to address identified gaps, strengthen weak points in compliance, and ensure alignment with TISAX requirements.
6. Train your team: Ensure employees are trained on security awareness, phishing prevention, and privacy to strengthen your ISMS. Provide clear guidance and resources and ensure employees access up-to-date policies, procedures, and other resources to understand their responsibilities and how to fulfill them. Encourage feedback and open communication and create channels for employees to provide input, raise concerns, or suggest improvements to the compliance program. 
7. Choose an accredited auditor: Select a TISAX-accredited provider via the ENX Association website. Build a collaborative relationship to ensure audit success.
   
   

Micah Spieler, Chief Product Officer at Strike Graph, shares some insights to help you effectively prepare for TISAX audits and ensure a smooth certification process:

• Form a cross-functional TISAX audit committee: Involve stakeholders from various departments, such as IT, HR, sales, and executive leadership, to ensure a collaborative and comprehensive approach to TISAX compliance.
  
  “Recognizing that, just like the biggest security threats to organizations are people and process, the biggest hindrance to a successful TISAX audit isn't' the technology behind your ISMS,” says Spieler. “Establishing that the right people are in place with the right processes will produce a more successful TISAX program and reduce some of the anxiety that hinders progress.”
  
  
• Start with policy development: Establish clear information security policies and distribute them to all employees to embed a culture of compliance and security awareness.
  
  “Pull people in early so that they're stakeholders in the audit,” says Spieler. "A culture of security and compliance requires that everyone understand their level of ownership in information security and can identify the why behind the policies they sign, the training required, or the controls they own and implement."
  
  
• Identify an experienced TISAX partner early: Work with a reputable and experienced TISAX auditor who can guide you through the process, help you right-size your compliance efforts, and provide constructive feedback.
  
  “Identifying an experienced early partner early in the design and preparation phase of the TISAX Compliance process can help you right-size your approach,” says Spieler. “The right TISAX audit partner will lead you down the right path with clear and concise communication to concerns and quality feedback.”
  
  
• Prioritize and phase your compliance efforts: If resources are limited, focus on the most critical areas, such as policies and basic security controls, and then gradually expand your compliance program.
  
  “Make sure your audit partner can leverage your existing governance, risk, and compliance platform,” says Spieler. “You want them to help you efficiently manage controls, evidence, and the audit process within your environment and avoid getting lost in translation with different systems and the time lost to importing and exporting information.”
  
  
• Maintain a continuous compliance program: Continuously review and update your ISMS to adapt to changes in business, industry, and regulatory requirements.
  
  “Continuous compliance is crucial for frameworks like TISAX,” says Spieler. “Your goal for obtaining a TISAX level is to grow and evolve your business with automotive OEMs and the larger supply chain, so make sure your compliance posture evolves and stays aligned with your business goals. You want to continuously maintain that compliance posture, evaluate controls beyond implementation, and ensure they are up to date and serve the intended purpose.”
  
  

The TISAX audit process

TISAX follows a structured evaluation process. It starts with ENX registration and auditor selection. From there, you undergo a preliminary assessment and actual audit. The auditor then provides your results. They typically include non-conformities and corrective actions. Successful completion results in a TISAX label.

Here are the phases of the TISAX audit process in detail:

1. Initial registration: Register your organization on the ENX portal and select your desired assessment scope. This step involves providing basic company information and choosing assessment objectives and scope by specified locations. You'll receive a TISAX participant ID, which is essential for all further proceedings.
2. Audit provider selection: Choose an ENX-accredited TISAX audit provider from the approved list. Consider factors such as industry experience, geographical presence, and cost. The selected auditor will guide you through their specific assessment methodology and timeline. If you partner with an auditor during the preparation phase, you will need a different auditor to certify your efforts. 
3. Preliminary assessment: Your auditor conducts an initial evaluation to establish the assessment framework. This step includes:
   • Reviewing your scope statement
   • Confirming protection requirements
   • Establishing assessment boundaries
   • Setting milestone dates
     
4. The assessment phase: The primary audit proceeds according to your selected assessment type:
   • Document review and policy evaluation
   • Technical control assessment
   • Interviews with key personnel
   • Physical security inspection (for on-site audits)
   • Process verification and testing
     
5. Results and reporting: The auditor delivers a detailed report outlining:
   • Conformity with requirements
   • Identified nonconformities
   • Required corrective actions
   • Temporary assessment results
     
6. Corrective actions: Address any identified gaps or nonconformities within the required timeframe. Submit evidence of corrections to your audit provider for verification. This phase may involve follow-up assessments to confirm implementation.
7. Final Certification: After completing all requirements and verifying corrective actions, your final assessment results are published on the ENX TISAX portal, which makes them available to authorized partners in the automotive industry.
   
   

TISAX audit checklist

This detailed checklist, developed from VDA ISA criteria and industry best practices, will help you prepare for your audit, regardless of the assessment objectives and TISAX level you're pursuing. Use it to track your progress and assign responsibilities during your TISAX audit preparation. 

Download a comprehensive TISAX audit checklist

How much time does a TISAX audit take?

Implementing TISAX requirements and undergoing your audit can take 12-15 months or more. Audit timelines vary significantly based on your current information security maturity, company size and type of work, and level of preparation. 

Kirsch explains that implementing a TISAX-compliant Information Security Management System (ISMS) often requires a 12-month project timeline. This timeline is necessary to go through a Plan-Do-Check-Act (PDCA) cycle, which includes preparing the documentation, implementing the processes, reviewing the implementation, and conducting an internal audit.

For larger organizations with more complex structures and "kingdoms" (separate IT, HR, and legal departments), there are more moving parts requiring further coordination. 

Once you start the actual TISAX audit process, you will score each TISAX requirement and document "no findings," "minor findings," or "major findings." Kirsch advises that you should expect to uncover at least some "minor findings" before submitting the documentation to the TISAX auditor, as no findings are a red flag for the audit review. He recommends creating a pre-prepared corrective action plan to streamline the external TISAX audit process and increase the chances of obtaining the desired temporary TISAX label.

Having ISO 27001 compliance provides a head start on TISAX, and hiring an experienced consultant can also speed up the process.

According to Kirsch, an internal resource untrained in TISAX and ISO 27001 might take approximately 200 days to get up to speed and implement the standard ISMS requirements. However, an experienced consultant only needs around 50 days to implement the ISMS and prepare for the TISAX audit.

"The difference between the ISO 27001 and TISAX is the difference in ISMS implementation and ISMS operational maturity," says Kirsch. "We need to establish that you have guidelines and standards in place, process plans and documentation, and you have quality process performance records. There must be evidence that you are fulfilling different processes and achieving different outcomes to achieve the maturity level score required for TISAX AL 2 or AL 3."

What does a TISAX audit cost?

The cost of preparing and undergoing a TISAX audit varies widely. Factors include your organization’s security maturity, resources, and assessment level. AL 3, which includes an on-site physical audit, typically costs 15-20% more than AL 2. 

 Corrective actions required by the audit also can raise costs. Investment in proper preparation can significantly reduce overall costs by minimizing the need for reassessment or extended audit timeframes. It’s common to invest in experienced TISAX consultants to help expedite the process. 

Consider allocating a percentage of your overall project budget for contingencies and unexpected requirements:

• Additional cost factors: The audit cost depends on several variables:

• Company size and complexity

• Number of locations requiring assessment

• Selected TISAX assessment level (AL 1, AL 2, or AL 3)
• Selected assessment scope

• Current security maturity level

• Need for external consulting support

• Required security improvements

• Staff training requirements

• Hidden costs to consider:

• Implementation of new security controls and technologies

• Documentation development and management systems

• Staff training and awareness programs

• Potential business process changes

• Ongoing maintenance of security measures

• Resources for gap remediation
• External expertise, if required
  
  

Common challenges in TISAX audits

One common TISAX challenge is documenting your security controls. Auditors need clear evidence that security measures are implemented and followed. However, these new measures can also cause disruptions in a company. That becomes a second challenge.

"Knowing where to go to get guidance for your information can save you a lot of issues and hassle, especially for a newer, less adopted framework like TISAX with stringent documentation requirements," says Spieler. "This is why identifying a creditable TISAX partner early is important. Our customers don't want to get slowed down by accessing the wrong documentation. They want a source of truth, a central knowledge base, where they know the right information is being presented."

Spieler highlights the importance of having a trusted partner since the security community does not currently have as many public resources and professional guidance for TISAX requirements compared to more established and widely adopted frameworks like SOC 2 and ISO 270001.

Kirsch adapts to the client's existing systems and processes and helps clients establish templates and processes within their existing environment to ensure their documentation meets stringent TISAX requirements.

"Keep it simple with documentation. Use whatever makes the work easier for you," says Kirsch. "Whatever system or tool that records dates, tracks changes, versions, and review cycles, we'll use that."

The key is to work within your comfort zone and existing infrastructure if you're confident your documentation management will satisfy TISAX compliance requirements. If you lack systems or tools to manage information security documentation successfully, you may need to plan for more time and resources during the TISAX audit preparation phase.

Understanding some of the other common pitfalls of the TISAX audit process can help you prepare more effectively and avoid unnecessary delays or complications:

• Resource allocation: Many organizations underestimate the time and personnel needed for TISAX preparation. The process requires significant involvement from multiple departments, often competing with daily operations. This oversight becomes particularly challenging for smaller organizations with limited dedicated security personnel.
• Security control implementation: Technical requirements often prove more complex than anticipated, especially for:

• • Network segmentation implementation

• • Proper access control management

• • Secure development practices

• • Encryption key management

• • Mobile device security

• Employee awareness and training: Creating and maintaining a security-conscious culture presents ongoing challenges. Organizations frequently struggle with the following:

• • Ensuring consistent security awareness across all departments

• • Documenting training completion and effectiveness

• • Managing security responsibilities in job descriptions

• • Maintaining ongoing security communication

• • Enforcing security policies consistently
• Third-party management: Managing suppliers and service providers according to TISAX requirements is complicated. Organizations must ensure their partners meet security standards while maintaining proper documentation of these relationships.
• Scope definition: Many organizations struggle with properly defining their assessment scope. An overly broad scope increases complexity and cost, while an insufficient scope may not meet customer requirements. Finding the right balance requires careful consideration of business needs and customer expectations.
  
  

Kirsch identifies a few more key areas where companies often fall short:

• Vendor risk assessments: Kirsch notes that companies frequently fail to thoroughly evaluate the security posture of third-party vendors, software, and outsourcing partners, which is a critical requirement under TISAX. He describes a scenario where his internal audit revealed that his client used a software service for event management that was explicitly banned in Germany and non-compliant with TISAX location-based requirements. This oversight was a significant non-conformity and thus prevented the client from obtaining the TISAX AL 3. 
• Physical security measures: Kirsch explains that companies often overlook physical security aspects, such as storing and handling prototypes and sensitive data.
• Incident response planning: Kirsch states that companies sometimes struggle to have a well-documented and tested incident response plan, which is crucial for business continuity.
  
  

As a consultant, Kirsch recommends you address these gaps with the following:

• Internal audits and corrective action plans: Kirsch conducts internal audits before the official TISAX audit to identify potential issues and then helps the client prepare a corrective action plan to address them.
• Vendor security assessments: Kirsch guides the client in reviewing vendor relationships and ensuring proper security assessments are in place.
• Incident response plan development: Kirsch works with the client to develop a comprehensive incident response plan and trains the relevant personnel on their roles and responsibilities.
  
  

How Strike Graph streamlines TISAX audits

As with any security framework, there’s a lot of information to process and work to do. It may be daunting to approach TISAX for the first time, but it doesn’t have to be.

Strike Graph’s comprehensive compliance platform helps automotive companies and vendors prepare for and achieve TISAX in simple, manageable steps. You design, operate, and measure your security program all in one place — making TISAX compliance far quicker and cheaper than it has ever been with traditional approaches.

TISAX Audit FAQs

Navigating the TISAX audit process can raise numerous questions. Below, we address some of the most common inquiries to help clarify the audit process, requirements, and best practices.

Who does TISAX audits?

TISAX audits are conducted by auditors authorized by ENX. These auditors assess organizations against TISAX standards. Visit the ENX Association's website to find a provider.

How often are TISAX compliance audits conducted?

External TISAX audits are typically conducted every three years. However, annual internal audits can help identify any gaps sooner. It's essential to keep up your TISAX label.

What are the benefits of TISAX?

TISAX benefits include eligibility for automaker contracts and partner trust. You can unlock business growth in the global auto supply chain.

How long is the TISAX audit valid?

TISAX audits are valid for three years. However, some assessment objectives may require annual surveillance audits. This includes AL 3 and prototype protection.

Can you fail a TISAX audit?

Yes, you can initially fail to meet TISAX requirements. However, the process allows for corrective actions. If gaps are identified, you'll receive time to implement necessary improvements before the final result.

Do all company locations need separate TISAX assessments?

Yes, for Level 3 audits. AL 3 includes an on-site audit for each company location. 

Can I change TISAX audit providers during the process?

Yes, you can change audit providers, but this usually results in starting the process over. It's recommended that you select your auditor carefully to avoid delays and additional costs.

What happens if you need to expand your TISAX assessment scope?

TISAX scope expansions require a new assessment for the extra elements. However, your existing label remains valid.

How does TISAX relate to ISO 27001?

TISAX is based on ISO 27001 but includes measures specific to auto vendors. These include physical security, incident management, and access control.

"ISO 27001 focuses on establishing and maintaining your ISMS against international standards," says Kirsch. TISAX emphasizes the operational effectiveness and maturity of your ISMS. You must demonstrate that the controls are in place and that they are consistently applied and optimized for the automotive industry."

Can you share TISAX results with potential customers?

Yes, TISAX operates on a sharing model. Once certified, you can authorize specific participants to view your results through the ENX portal.