How To Guide

A Practical, Optimised Guide to TISAX Implementation with AvISO and ISOvA

Introduction

Step 1

Understand the TISAX Scope and Requirements

(Assessment scope and level selection)

What This Step Covers
Before implementing controls, you must
• Define the scope of your TISAX assessment
• Select the appropriate Assessment Level (AL1, AL2, or AL3)
• Identify the protection needs of the information handled
• Understand requirements based on the VDA ISA control sets

How to
• Identify if you handle prototypes, personal data, or third-party sensitive information
• Map services, locations, and systems involved in handling that information
• Select an Assessment Level based on your clients’ expectations and contractual obligations

Example
An automotive marketing agency handles customer PII and prototype imagery and is requested by the OEM to achieve AL2 with data protection and prototype module coverage.

Risks if Overlooked
• Misalignment between customer expectations and audit results
• Selecting the wrong Assessment Level or modules
• Unclear system boundaries causing evidence gaps

How AvISO and ISOvA Help
• TISAX scoping workshops
• Protection needs classification templates based on the VDA ISA catalogue
• System boundary mapping tools via ISOvA

Discuss scope early with your sponsor (typically a customer or OEM). Clarify expectations on information types, maturity levels, and whether a site-specific or corporate assessment is expected.

Step 2

Confirm Leadership Commitment and Assign Responsibility

(Governance and accountability)

What This Step Covers
TISAX requires strong top-level support and clear assignment of roles. You must
• Confirm leadership endorsement of the security objectives
• Assign key personnel for implementation and policy ownership
• Promote a security culture and regular reviews of the ISMS

How to
• Issue a signed Information Security Policy from leadership
• Assign a TISAX coordinator or ISMS lead
• Establish a steering committee to oversee governance and continual improvement

Example
A design supplier assigns its IT manager as TISAX lead and holds quarterly ISMS steering reviews chaired by the COO.

Risks if Overlooked
• Delays due to unclear responsibility for evidence gathering
• Lack of visibility at leadership level
• Weak security culture and process ownership

How AvISO and ISOvA Help
• Policy development and review templates
• Role-based document management and dashboards via ISOvA
• Governance framework examples adapted to TISAX

Use ISO 27001 principles for governance. Regular management review meetings that cover objectives, risks, and audit findings help demonstrate leadership commitment. Assign process and control owners early.

Step 3

Identify Risks and Protection Needs

(Risk-based planning)

What This Step Covers
TISAX is risk-driven. You must
• Identify risks to information security and data protection
• Assess protection needs based on confidentiality, availability, and integrity
• Define controls proportionate to those risks

How to
• Use the VDA ISA risk methodology or integrate your ISO 27001 risk register
• Classify assets (e.g. PII, prototype data, client IP) by protection level
• Link risks to mitigating controls and assign ownership

Example
A logistics provider identifies high-risk exposure to client IP in transport manifests and applies enhanced encryption and access controls.

Risks if Overlooked
• Unjustified control gaps or over-engineered responses
• Poor alignment between risks and selected controls
• Missed legal and contractual data protection obligations

How AvISO and ISOvA Help
• Risk assessment frameworks tailored to TISAX
• Preloaded risk libraries and mitigation templates
• Integration of protection needs into asset and process mapping

Apply the protection needs concept across information types and processing environments. Even standard client data may require elevated controls under certain contractual or legal terms. Keep risk reviews current and action-driven.

Step 4

Develop and Document Control Measures

(Policy and control implementation)

What This Step Covers
Controls must be documented, implemented, and linked to TISAX requirements. This includes
• Security policies and procedures
• Access control, change management, backup, encryption, and more
• Operational and organisational safeguards

How to
• Use the VDA ISA catalogue as a checklist to develop controls
• Document each policy with scope, responsibility, frequency, and evidence
• Control versions, access, and approvals centrally

Example
A mobility provider creates and manages 20+ security policies including asset management, IT operations, and secure development.

Risks if Overlooked
• Nonconformance due to undocumented or unused controls
• Missing approval records or outdated policies
• Over-documentation causing operational inefficiency

How AvISO and ISOvA Help
• Customisable TISAX policy sets
• Policy management workflows with audit trails
• Evidence tracking linked to each VDA ISA control

Avoid copy-pasting ISO 27001 content unless aligned with TISAX modules. Each control must reflect your real environment. Use workflows and automation to track document changes, approvals, and audit logs.

Step 5

Operate and Monitor Controls

(Implementation and logging)

What This Step Covers
You must demonstrate that your controls are operational and effective. This includes
• Access and activity logging
• Incident response and reporting
• Regular system maintenance and updates

How to
• Log access reviews, firewall changes, and system patches
• Run phishing simulations or awareness training
• Document and test incident handling procedures

Example
An IT services firm sets up regular audit log reviews and maintains evidence of antivirus updates, user training, and server patching.

Risks if Overlooked
• Inadequate audit trail for implemented controls
• Unnoticed security incidents or near misses
• Reactive rather than proactive incident handling

How AvISO and ISOvA Help
• Operational log management
• Corrective action tools linked to incidents
• Guidance on evidence capture for each assessment topic

Use automated monitoring tools where possible but also ensure manual review and signoff. Evidence of ongoing operation is critical for audit success. Make reporting part of your monthly routines.

Step 6

Evaluate and Review System Effectiveness

(Audit readiness and internal reviews)

What This Step Covers
You must periodically evaluate the performance of your Information Security Management System. This includes
• Internal audits against the VDA ISA catalogue
• Management review meetings
• Action planning and performance tracking

How to
• Schedule internal audits at least annually
• Hold a formal management review covering risks, objectives, changes, and incidents
• Track non-conformities and close actions in a timely manner

Example
A supplier to a German OEM performs a full TISAX readiness review using ISOvA’s VDA ISA checklist and logs gaps with evidence links.

Risks if Overlooked
• Non-compliance due to undocumented internal reviews
• Untracked gaps or audit failures
• Leadership detachment from system performance

How AvISO and ISOvA Help
• Internal audits and gap analysis against TISAX
• Audit dashboards and management review templates
• Real-time compliance tracking per assessment objective

Use the VDA ISA catalogue as your internal audit baseline. Be sure to document results, discussions, and actions clearly – your assessor will want to see this trail. Management review must show top-level engagement.

Step 7

Improve and Prepare for Reassessment

(Continual improvement and audit readiness)

What This Step Covers
TISAX requires you to learn and improve continuously. You must
• Address weaknesses and audit findings
• Update documentation and practices
• Prepare for follow-up assessments and demonstrate sustained compliance

How to
• Maintain an improvement log
• Investigate incidents and root causes
• Monitor maturity of your system over time

Example
A vehicle component supplier closes four minor nonconformities from its first AL2 assessment and implements a revised onboarding and access control policy.

Risks if Overlooked
• Repeated findings or escalating concerns at reassessment
• Compliance fatigue from static procedures
• Loss of customer trust or approved supplier status

How AvISO and ISOvA Help
• Ongoing improvement support
• Tracking tools linked to audit results, risks, and objectives
• Templates for reassessment preparation and reporting

Treat TISAX as a recurring cycle, not a one-off audit. Use feedback from customers, assessors, and internal teams to refine the system. Align improvements with your business and IT roadmaps.

Get In Touch
Need help, or got a question?

Need help with our how-to guide, have a question, or want to know more about how we can help you gain certification? Get in touch.
Kent: 01892 800476 | London: 02037 458 476 | info@avisoconsultancy.co.uk