TISAX for Suppliers: The Levels, the Assessment, and the Findings That Repeat
If you sell software or services into German automotive OEMs and Tier 1s, TISAX is the security baseline. The level matters, the assessment process is specific, and certain findings show up in almost every audit.
By Arjun Raghavan, Security & Systems Lead, BIPI · June 25, 2024 · 7 min read
TISAX (Trusted Information Security Assessment Exchange) is the assessment and exchange mechanism operated by ENX Association on behalf of the German automotive industry. If your customer is Volkswagen, BMW, Mercedes-Benz, Bosch, or any Tier 1 supplier in their orbit, TISAX is not optional. It is the access ticket. We have walked three software vendors and one engineering services firm through TISAX assessments over the last two years. The pattern of what auditors find is more consistent than I expected.
The levels and what they signal
TISAX uses Assessment Levels (AL) 1, 2, and 3, combined with a set of assessment objectives that the customer specifies. AL1 is a self-assessment with limited scope, used for low protection requirements. AL2 is a remote audit by an authorised audit provider, used for high protection requirements. AL3 is an on-site audit, used for very high protection requirements or for specific objectives such as prototype protection.
Most software suppliers land at AL2. AL3 is reserved for suppliers with access to vehicle development data, design files, or pre-launch prototype information. The cost difference between AL2 and AL3 is substantial: AL2 runs 25,000 to 50,000 EUR for the audit itself; AL3 runs 50,000 to 100,000 EUR depending on scope. The OEM tells you which level they require for their supplier relationship; you do not choose.
How the assessment runs
TISAX uses the VDA ISA catalogue as its control framework. The current version is 6.0.3, with about 100 control questions across information security, data protection (where applicable), and prototype protection (where applicable). Each control is rated on a maturity scale of 0 to 5. The target maturity is 3 for most controls.
- Register on the ENX portal and choose your scope and objectives based on what your customer requires
- Engage an ENX-authorised audit provider; there are roughly 25 globally
- Run a self-assessment using the VDA ISA spreadsheet; this becomes the baseline document for the auditor
- Pre-audit preparation: gather evidence for each control, ideally tying back to existing ISO 27001 or other framework artifacts
- Initial audit (AL2 or AL3); receive a list of nonconformities and a deadline to remediate
- Submit corrective actions; receive your TISAX label, which is shareable through the ENX portal with customers
Findings that repeat across audits
We have a pattern file of TISAX findings from our client work and conversations with audit providers. The same five issues come up in roughly 70 percent of first-time assessments.
- Asset management with incomplete classification: inventories exist but lack consistent confidentiality labels tied to OEM data handling requirements
- Insufficient evidence of supplier security assessments: the supplier has its own suppliers and cannot show meaningful due diligence on them
- Cryptographic policy that is general rather than specific: a one-page policy that does not name algorithms, key lengths, or rotation cadence
- Incident response that has never been tested: the runbook exists but the tabletop is more than a year old or non-existent
- Prototype protection physical controls that depend on assumptions: badge access without escort logs, conference rooms without sweeps, removable media policy without enforcement
The first three are remediable with documentation work. The last two require operational changes that take 3 to 6 months.
Prototype protection: the German specialty
TISAX is the only major framework with a prototype protection module. If you handle pre-launch vehicle design files, test data, or physical prototype components, this set of controls applies. They cover physical security of camouflaged vehicles, photography prohibitions, secure transport, and chain of custody documentation.
For a software supplier, prototype protection often comes up unexpectedly through engineering tools. If your platform stores CAD files for a vehicle that has not launched, you are inside prototype scope. We worked with a CAE platform that thought they had AL2 scope and discovered through their first OEM customer engagement that they needed prototype protection coverage too. The retrofit added six months and 80,000 EUR to the program.
When TISAX is the right work
The honest answer is: when an automotive customer asks for it. TISAX is not an industry-agnostic credential. Investing in it without an OEM customer to satisfy is a misallocation of compliance budget. But once an OEM is engaged, the work pays back across the entire supplier relationship lifecycle: the label replaces most of the OEM's security questionnaire, procurement moves faster, and you become eligible for follow-on contracts. The cost of the label is small relative to the revenue an active OEM relationship produces, which is why the suppliers we work with treat it as core infrastructure rather than a one-off project.