
How to Successfully Complete Your TISAX Self-Assessment

TISAX

Published: Mar 23, 2026

The ISA (Information Security Assessment) is the heart of your TISAX journey, and a critical first step in preparing for your TISAX assessment. You'll also hear it referred to as the “self-assessment.” The most recent iteration of the ISA spreadsheet, version 6.0.3, can be downloaded here for reference.

This spreadsheet can be intimidating upon first view, so we’ve written this blog post to help walk you through the process, covering the key steps in the TISAX self-assessment process and what to expect.

Key Steps in Your TISAX Self-Assessment

As you begin the process, it’s critical to define your TISAX scope, which will consist of your assessment level and assessment objectives. These components will have a downstream effect on what part(s) of the ISA are applicable to your organization and assessment.

Step 1: Define Your Assessment Level

In TISAX, the Assessment Level (AL) defines the intensity of the audit, determining how deeply an auditor will poke and prod your Information Security Management System (ISMS).

There are three assessment levels, and they are strictly tied to the protection needs of the data you handle.

The Three Assessment Levels

AL 1
  • Protection Need: Normal
  • Audit Method: Self-assessment only
  • Trust Level: Low (internal use only)
AL 2
  • Protection Need: High
  • Audit Method: Plausibility check (remote)
  • Trust Level: High
AL 3
  • Protection Need: Very High
  • Audit Method: Full verification (on-site)
  • Trust Level: Very High

Assessment Level 1 (AL 1): The Starting Block

AL 1 consists solely of the self-assessment using the ISA (Information Security Assessment) questionnaire. No external auditor will visit you or call to check your answers.

  • Who is AL 1 for? Mostly for internal gap analysis, or for companies with very low security requirements.
  • The Catch: You cannot obtain a public TISAX label with AL 1, and most customers do not accept it for active business.

Assessment Level 2 (AL 2): The Remote Check

AL 2 is the most common starting point for many service providers.

An accredited assessor performs a plausibility check on your self-assessment. After you submit your self-assessment and supporting documentation, the auditor reviews them offsite and then conducts a follow-up interview (via web conference) to confirm that your answers match your actual processes and to ask any clarifying questions.

Based on the assessment results, labels (which serve as certification) are issued for the selected assessment objectives.

Assessment Level 3 (AL 3): The Gold Standard

AL 3 is the most rigorous level. It requires thorough verification of the design, implementation, and operating effectiveness of your ISMS. An AL 3 assessment consists of a review of the self-assessment and supporting documentation, plus onsite interviews with control owners at each in-scope location.

AL 3 is intended to be an exhaustive check of the entire ISMS. Based on the assessment results, labels (which serve as certification) are issued for the selected assessment objectives.

How to Determine Your TISAX Assessment Level

You don't typically choose your level—your customers select it based on their requirements. When an Original Equipment Manufacturer (OEM) requests a TISAX assessment, they will often specify an "Assessment Objective" (or Label). These objectives will dictate your assessment level.

Step 2: Define Your Assessment Objective

There are a variety of assessment objectives that could be selected. They are summarized below and expanded on in the sections that follow.

Number 1
  • ISA Criteria Catalogue: Information Security
  • TISAX® Assessment Objective: Handling of information with high protection needs
  • Assessment Level (AL): AL 2
Number 2
  • ISA Criteria Catalogue: Information Security
  • TISAX® Assessment Objective: Confidential
  • Assessment Level (AL): AL 2
Number 3
  • ISA Criteria Catalogue: Information Security
  • TISAX® Assessment Objective: High Availability
  • Assessment Level (AL): AL 2
Number 4
  • ISA Criteria Catalogue: Information Security
  • TISAX® Assessment Objective: Handling of information with very high protection needs
  • Assessment Level (AL): AL 3
Number 5
  • ISA Criteria Catalogue: Information Security
  • TISAX® Assessment Objective: Strictly Confidential
  • Assessment Level (AL): AL 3
Number 6
  • ISA Criteria Catalogue: Information Security
  • TISAX® Assessment Objective: Very High Availability
  • Assessment Level (AL): AL 3
Number 7
  • ISA Criteria Catalogue: Prototype Protection
  • TISAX® Assessment Objective: Protection of prototype parts and components
  • Assessment Level (AL): AL 3
Number 8
  • ISA Criteria Catalogue: Prototype Protection
  • TISAX® Assessment Objective: Protection of prototype vehicles
  • Assessment Level (AL): AL 3
Number 9
  • ISA Criteria Catalogue: Prototype Protection
  • TISAX® Assessment Objective: Handling of test vehicles
  • Assessment Level (AL): AL 2
Number 10
  • ISA Criteria Catalogue: Prototype Protection
  • TISAX® Assessment Objective: Protection of prototypes during events and film or photo shoots
  • Assessment Level (AL): AL 2
Number 11
  • ISA Criteria Catalogue: Data Protection
  • TISAX® Assessment Objective: Data protection in accordance with Article 28 (“Processor”) of the European General Data Protection Regulation (GDPR)
  • Assessment Level (AL): AL 2
Number 12
  • ISA Criteria Catalogue: Data Protection
  • TISAX® Assessment Objective: Data protection with special categories of personal data according to Article 28 (“Processor”) with special categories of personal data as specified in Article 9 of the European General Data Protection Regulation (GDPR)
  • Assessment Level (AL): AL 3

As illustrated above, the assessment objectives fall into three main buckets, which are selected based on scope.

1. Information Security (The Core)

Information security is the most common category that will be applicable to most organizations. It has been redesigned in Version 6 to allow organizations to choose a focus based on their specific risk profile:

  • Confidentiality: For companies handling sensitive data (e.g., blueprints, financial info, or R&D data).
    • Labels: High (Assessment Level 2) or Strictly (Assessment Level 3).
  • Availability: For companies critical to the supply chain (e.g., parts manufacturing or logistics).
    • Labels: High (Assessment Level 2) or Very High (Assessment Level 3).

2. Data Protection

This objective is based on Art. 28 of the GDPR. It could be required if your company processes personal data on behalf of an OEM (e.g., handling customer databases or HR services).

  • Labels: Data Protection (PII) (Assessment Level 2) or Special Data Protection (for highly sensitive data like health or biometric info) (Assessment Level 3).

3. Prototype Protection

Prototype protection is for companies that come into physical or digital contact with unreleased prototype parts, vehicles, or components. Example use cases could include:

  • Physical Prototypes: Guarding actual cars or parts (think camo-wrapped test cars).
  • Digital Prototypes: Guarding 3D CAD models and digital twins.
  • Events/Shoots: Specifically for agencies handling secret film shoots or reveals.

Step 3: Complete the self-assessment

Once you’ve selected your level and objectives, you can dive into completing the self-assessment. The Excel spreadsheet downloaded via the link mentioned above, screenshot excerpted below, includes a number of tabs for reference, but the tabs where you should pay the most attention will be based on your assessment objectives.

If you’ve only selected information security-related assessment objectives, only the information security tab will need to be completed. The prototype protection and data protection tabs only need to be completed if you’ve selected those objectives.

Source: ENX Association – TISAX Downloads (https://enx.com/en-US/TISAX/downloads/)

Within the respective columns, the areas the auditee needs to complete are the implementation description, reference documentation, findings/result, and maturity level:

  • Implementation description: Describe the current status of the control area, covering the "who, what, when, where, and how" of each process to demonstrate how the control questions are answered and that a process is in place. For any applicable requirements, make sure the response details how each requirement is met.
  • Reference documentation: List the reference documents that would serve as evidence during an assessment, including policies and procedures as well as system documentation, configurations, IT tickets, etc.
  • Findings/result: Treat this column as a true "self-assessment" and use it to identify any potential gaps or items that are still in progress.
  • Maturity levels: TISAX doesn't just ask whether you have a firewall; it asks how mature your process for managing that firewall is. Maturity levels are scored on a scale of 0 to 5, with a score of 3 being the target maturity level, which indicates that a standard process is documented, followed, and integrated.

Step 4: Prepare for your TISAX assessment

Once you’ve completed your first draft of the self-assessment, you should continue maintaining the document as part of your ISMS, with updates made as needed based on control changes. Additionally, the completed self-assessment will be one of the first action items and evidence requirements as part of your TISAX journey.

Turning Your TISAX Self-Assessment into a Successful Audit

Completing the ISA self-assessment is the preliminary step in the TISAX process and serves as the foundation of a successful assessment. By clearly defining your assessment level and objectives, thoroughly documenting your implementation of controls, and identifying potential gaps early, organizations can significantly streamline the formal TISAX audit process.

Because the self-assessment provides assessors with their first view into your information security program, accuracy and clarity are critical. A well-prepared ISA not only demonstrates the maturity of your ISMS but also helps ensure that supporting documentation, processes, and control owners are aligned before the assessment begins.

Organizations that treat the ISA as a living document, by updating it as controls evolve and processes mature, are often best positioned for a smoother TISAX assessment experience. Taking the time to complete the self-assessment thoughtfully can help reduce surprises during the audit and accelerate your path to achieving your desired TISAX labels.

For more information about the TISAX assessment process requirements and what to expect, contact us today. In the meantime, discover additional helpful insights in these resources:

About Dan Hamm

Dan Hamm is a Senior Manager with Schellman Compliance, LLC, based in the Philadelphia, PA area. Dan serves as a practice leader supporting Schellman's ISO, Privacy, and TISAX service lines. Dan has been with Schellman since 2020 and has over 10 total years of IT and information security audit experience supporting clients in a wide range of sectors and industries, from cloud service providers and data centers to international law firms. Since joining Schellman, Dan has been a core part of the audit teams, both as a lead auditor and as a project manager, for over 450 ISO certification reviews, supporting dozens of organizations in obtaining and maintaining their various ISO certifications. Dan also supports the TISAX service line, a highly demanded certification for organizations working within the automotive industry and its supply chain.