Each step includes practical instructions, real-world examples, common risks, and support available from AvISO and ISOvA to help you prepare for and succeed in your TISAX assessment.
(Assessment scope and level selection)
What This Step Covers
Before implementing controls, you must:
• Define the scope of your TISAX assessment
• Select the appropriate Assessment Level (AL1, AL2, or AL3)
• Identify the protection needs of the information handled
• Understand requirements based on the VDA ISA control sets
How to
• Identify whether you handle prototypes, personal data, or sensitive third-party information
• Map services, locations, and systems involved in handling that information
• Select an Assessment Level based on your clients’ expectations and contractual obligations
Example
An automotive marketing agency handles customer PII and prototype imagery and is requested by the OEM to achieve AL2 with data protection and prototype module coverage.
Risks if Overlooked
• Misalignment between customer expectations and audit results
• Selecting the wrong Assessment Level or modules
• Unclear system boundaries causing evidence gaps
How AvISO and ISOvA Help
• TISAX scoping workshops
• Protection needs classification templates based on the VDA ISA catalogue
• System boundary mapping tools via ISOvA
(Governance and accountability)
What This Step Covers
TISAX requires strong top-level support and clear assignment of roles. You must:
• Confirm leadership endorsement of the security objectives
• Assign key personnel for implementation and policy ownership
• Promote a security culture and regular reviews of the ISMS
How to
• Issue a signed Information Security Policy from leadership
• Assign a TISAX coordinator or ISMS lead
• Establish a steering committee to oversee governance and continual improvement
Example
A design supplier assigns its IT manager as TISAX lead and holds quarterly ISMS steering reviews chaired by the COO.
Risks if Overlooked
• Delays due to unclear responsibility for evidence gathering
• Lack of visibility at leadership level
• Weak security culture and process ownership
How AvISO and ISOvA Help
• Policy development and review templates
• Role-based document management and dashboards via ISOvA
• Governance framework examples adapted to TISAX
(Risk-based planning)
What This Step Covers
TISAX is risk-driven. You must:
• Identify risks to information security and data protection
• Assess protection needs based on confidentiality, availability, and integrity
• Define controls proportionate to those risks
How to
• Use the VDA ISA risk methodology or integrate your ISO 27001 risk register
• Classify assets (e.g. PII, prototype data, client IP) by protection level
• Link risks to mitigating controls and assign ownership
Example
A logistics provider identifies high-risk exposure to client IP in transport manifests and applies enhanced encryption and access controls.
Risks if Overlooked
• Unjustified control gaps or over-engineered responses
• Poor alignment between risks and selected controls
• Missed legal and contractual data protection obligations
How AvISO and ISOvA Help
• Risk assessment frameworks tailored to TISAX
• Preloaded risk libraries and mitigation templates
• Integration of protection needs into asset and process mapping
(Policy and control implementation)
What This Step Covers
Controls must be documented, implemented, and linked to TISAX requirements. This includes:
• Security policies and procedures
• Access control, change management, backup, encryption, and more
• Operational and organisational safeguards
How to
• Use the VDA ISA catalogue as a checklist to develop controls
• Document each policy with scope, responsibility, frequency, and evidence
• Control versions, access, and approvals centrally
Example
A mobility provider creates and manages 20+ security policies including asset management, IT operations, and secure development.
Risks if Overlooked
• Nonconformance due to undocumented or unused controls
• Missing approval records or outdated policies
• Over-documentation causing operational inefficiency
How AvISO and ISOvA Help
• Customisable TISAX policy sets
• Policy management workflows with audit trails
• Evidence tracking linked to each VDA ISA control
(Implementation and logging)
What This Step Covers
You must demonstrate that your controls are operational and effective. This includes:
• Access and activity logging
• Incident response and reporting
• Regular system maintenance and updates
How to
• Log access reviews, firewall changes, and system patches
• Run phishing simulations or awareness training
• Document and test incident handling procedures
Example
An IT services firm sets up regular audit log reviews and maintains evidence of antivirus updates, user training, and server patching.
Risks if Overlooked
• Inadequate audit trail for implemented controls
• Unnoticed security incidents or near misses
• Reactive rather than proactive incident handling
How AvISO and ISOvA Help
• Operational log management
• Corrective action tools linked to incidents
• Guidance on evidence capture for each assessment topic
(Audit readiness and internal reviews)
What This Step Covers
You must periodically evaluate the performance of your Information Security Management System. This includes:
• Internal audits against the VDA ISA catalogue
• Management review meetings
• Action planning and performance tracking
How to
• Schedule internal audits at least annually
• Hold a formal management review covering risks, objectives, changes, and incidents
• Track non-conformities and close actions in a timely manner
Example
A supplier to a German OEM performs a full TISAX readiness review using ISOvA’s VDA ISA checklist and logs gaps with evidence links.
Risks if Overlooked
• Non-compliance due to undocumented internal reviews
• Untracked gaps or audit failures
• Leadership detachment from system performance
How AvISO and ISOvA Help
• Internal audits and gap analysis against TISAX
• Audit dashboards and management review templates
• Real-time compliance tracking per assessment objective
(Continual improvement and audit readiness)
What This Step Covers
TISAX requires you to learn and improve continuously. You must:
• Address weaknesses and audit findings
• Update documentation and practices
• Prepare for follow-up assessments and demonstrate sustained compliance
How to
• Maintain an improvement log
• Investigate incidents and root causes
• Monitor maturity of your system over time
Example
A vehicle component supplier closes four minor nonconformities from its first AL2 assessment and implements a revised onboarding and access control policy.
Risks if Overlooked
• Repeated findings or escalating concerns at reassessment
• Compliance fatigue from static procedures
• Loss of customer trust or approved supplier status
How AvISO and ISOvA Help
• Ongoing improvement support
• Tracking tools linked to audit results, risks, and objectives
• Templates for reassessment preparation and reporting
Need help with our how-to guide, have a question, or want to know more about how we can help you gain certification? Get in touch.
Kent: 01892 800476 | London: 02037 458 476 | info@avisoconsultancy.co.uk