My company offers consulting on how to prepare for TISAX, ISO27001, NIS2, CSMS and SOC2 audits.
Get in touch with us here: https://www.endpoint-cybersecurity.com/contact/
TISAX — the Trusted Information Security Assessment Exchange — or Trusted ISA Exchange – is the automotive industry’s answer to a decades-old problem: every OEM was running its own supplier security questionnaire, and tier-1 and tier-2 suppliers were drowning in redundant audits. ENX Association, backed by the VDA (Verband der Automobilindustrie), formalized the exchange mechanism in 2017.
The result is a scheme where a single audit, conducted by an accredited assessment service provider (ASP), yields a result that any participating OEM can query via the ENX portal — no re-auditing required.
This series of articles describes the requirements of the ISA and provides some insights.
How to get started
1. Download the TISAX Participant Handbook
This handbook applies to all TISAX processes that you may be part of. It contains all you need to know to run through the TISAX process. The handbook offers some advice on how to deal with the information security requirements at the core of the assessment.
But it does not aim to generally educate you on what you need to do to pass the information security assessment. Yes, you still need someone who actually understands the controls in the next document.
2. Download the technical backbone of TISAX – the ISA — Information Security Assessment – currently at version 6.0.3, from here: workbook. The ISA is published by the VDA as an Excel workbook and serves simultaneously as the questionnaire, the scoring model, and the audit evidence tracker. Understanding its structure is not optional for any organization preparing for a TISAX assessment; it is the map of exactly what an auditor will walk through on-site.
What to do if you are a small company
For a small company, the TISAX assessment can be overwhelmingly complicated and … very expensive.
My advice to all small companies is to have a conversation about the real needs with the TISAX-certified customer that asked you to provide the label.
In my experience, you can ask them to give you their Security Self-Assessment for Suppliers document (usually an Excel or PDF document) and you can fill it in.
Of course, you should be compliant with most of the security controls mentioned there.
If you think you are, you can fill in that document and discuss it with the customer.
If you see clearly that you are not compliant, then try to negotiate the requirements down, focusing on those that do not directly apply to the work you are doing for the customer.
If your customer wants a long-term working engagement with you (becoming a client), then it will have to make some compromises. Don’t forget that the bigger your company gets, the more important the security controls are.
If you engage with other customers, in the end it may make perfect sense to become TISAX certified.
Assessment Levels and Label Scopes
Before examining the workbook itself, one distinction shapes everything: the Assessment Level.
- AL1 is a self-assessment with no on-site verification.
- AL2 requires a remote audit by an accredited ASP with evidence review and remote interviews.
- AL3 demands a lot of preparation since it requires ultimately a mandatory on-site audit. Before the on-site audit, there is a phase for submitting evidence and having remote online interviews with key stakeholders. It is suitable for the highest-sensitivity scenarios — handling classified vehicle data, prototypes under embargo, or personal data processed on behalf of an OEM under GDPR data processor obligations.
Most suppliers in the automotive supply chain will be assessed at AL2 or AL3. The label a company requires determines which subset of the ISA they are audited against: Very High Protection Need, High Protection Need, Prototype Protection, or Data Protection.
The ISA workbook is structured to reflect this: it contains sheets for each major assessment domain, and the applicable controls per domain depend on the label scope agreed between the OEM and the supplier.
The Workbook Sheet by Sheet
I will write separate articles about the important sheets: Information Security (part 2) and Data Protection (part 3).
Sheet 1 — Cover / Overview
The first sheet is the administrative header of the entire assessment. It captures the organization’s name, the assessment scope (which legal entity, which sites, which processes are in scope), the applicable label(s), and the assessment level. In practice, this sheet is also where the ASP documents the assessment date, the lead assessor’s identity, and the version of the ISA being used.
From an ISMS perspective, this sheet maps directly to the context of the organization requirement in ISO/IEC 27001:2022 (Clause 4). An organization that has already defined its ISMS scope in a formal Scope Statement will find that most of the Cover sheet data is already governed — the TISAX scope and the ISMS scope should be congruent, and any divergence is itself an audit finding waiting to happen.
Sheet 2 — Maturity Levels Reference
The ISA uses a six-level maturity scale (0 through 5) derived from the Capability Maturity Model (CMM) concept. Level 0 means the control is absent or completely ineffective. Level 5 means the control is continuously optimized and benchmarked. For a standard AL2 audit, the target threshold is level 3 (“established”) across applicable controls — meaning the process is documented, implemented, and verifiably practiced. AL3 assessments hold the same threshold but with more rigorous evidence scrutiny on-site.
This reference sheet is the normative scoring anchor for the entire workbook. Every self-assessment score entered elsewhere is implicitly a claim against these definitions, and auditors will challenge any score they cannot corroborate with observable evidence.
The ISMS parallel here is ISO 27001:2022 and ISO 27001:2013 Annex A combined with the organization’s Statement of Applicability. Just as the SoA records which controls apply and why, the maturity sheet defines what “implemented” means in quantified terms. Organizations that conflate “we have a policy” (Level 2) with “the policy is consistently followed and verified” (Level 3) routinely discover the gap when the auditor arrives.
Sheet 3 — Information Security (IS)
This is the largest and most foundational sheet in the workbook. It covers the full ISMS domain: organizational security, HR security, physical security, IT and network security, incident management, business continuity, cryptography, and supplier/third-party management. The controls are numbered in the VDA’s own scheme (e.g., 1.1.x, 1.2.x, 5.1.x) and each control row contains a requirement description, a column for the maturity self-assessment score, and columns for comments and evidence references.
The IS sheet is effectively a structured overlay on top of ISO/IEC 27001 Annex A (now restructured in the 2022 edition into four themes: Organizational, People, Physical, and Technological). The coverage is not identical — the ISA adds automotive-specific weight to areas like remote access for manufacturing systems, network segmentation between office and OT environments, and patch management for embedded systems. But the conceptual architecture is the same, and an organization holding an ISO 27001 certification will recognize every clause.
For ISMS practitioners, the critical translation exercise is mapping existing controls documentation (policies, procedures, risk treatment plans) to specific ISA control rows. The ISA does not accept “we are ISO 27001 certified” as a passing score; the auditor will still verify implementation evidence row by row. Certification reduces preparation effort but does not substitute for it.
Sheet 4 — Prototype Protection (PP)
The Prototype Protection sheet addresses a risk specific to the automotive industry: pre-production vehicles, components, and data carry enormous competitive value. Photographs of an unreleased platform at a supplier’s facility have ended up in press publications before launch day more than once. This sheet governs the physical and logical protection of prototype parts and vehicles when they are handled by suppliers — covering receiving and storage, access control to prototype areas, handling of prototype data in digital form (CAD files, test results, specification documents), and obligations when prototypes are transported or loaned.
The PP sheet has no direct ISO 27001 Annex A equivalent, though it draws on physical security principles from that standard. Its closest ISMS relatives are the asset classification and handling controls (A.5.9–A.5.13 in ISO 27001:2022) and the physical security perimeter controls (A.7.1–A.7.4). Organizations that handle prototypes but have not explicitly extended their ISMS asset register to cover physical prototype inventory — and their ISMS physical security controls to cover prototype bays specifically — will find gaps here.
The Prototype Protection label is only triggered when an OEM explicitly requires it in the exchange request. Not every supplier will be assessed on this sheet, but those who are should expect the auditor to physically walk the relevant areas.
Sheet 5 — Data Protection (DP)
The Data Protection sheet was substantially expanded in ISA 6.x to reflect the obligations introduced by GDPR for automotive suppliers acting as data processors on behalf of OEMs. It covers the legal basis for personal data processing, ROPA (Records of Processing Activities) maintenance, data subject rights procedures, DPIA (Data Protection Impact Assessment) processes for high-risk processing, technical and organizational measures (TOMs) as required under GDPR Article 32, data breach notification timelines, and SCCs (Standard Contractual Clauses) for international data transfers.
From an ISMS alignment perspective, this sheet crosses a boundary: it is no longer purely an information security matter but a legal compliance matter rooted in Regulation (EU) 2016/679. ISO 27001 does not fully satisfy the DP sheet — ISO/IEC 27701:2019 (the Privacy Information Management System extension to 27001) is the closest standards-based alignment. Organizations that have implemented 27701 or maintained a structured GDPR compliance program will have significant coverage, but the ISA’s DP sheet is more prescriptive and automotive-context-specific than the generic 27701 controls.
The Data Protection label, like the Prototype Protection label, is triggered selectively. Suppliers who process employee or end-customer personal data on behalf of an OEM — telematics data processors are the clearest example — will routinely be required to achieve it.
Sheet 6 — Results / Summary
The final sheet aggregates the per-control scores from the assessment sheets into domain-level and overall maturity summaries. It typically presents a radar or bar visualization of maturity per domain and flags controls scored below the threshold, which constitute findings. Findings are classified as either major (blocking label issuance) or minor (requiring a remediation plan within a defined timeframe, typically 6–12 months).
For audit management purposes, this sheet is the executive communication artifact. It is what a CISO presents to the board when reporting TISAX readiness, and it is what the ASP uses to structure the final assessment report submitted to ENX. In an ISMS context, this sheet’s function mirrors the management review output required under ISO 27001 Clause 9.3 — a documented evidence of the current state of the security posture, with identified nonconformities and corrective action owners.
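The threshold logic from the maturity sheet and the aggregation the Results sheet performs, as an added example that is not part of the original post or the ISA workbook. The control ids and scores are constructed, and the per-domain average is this example's own summary statistic, not the ISA's scoring formula.

```python
# Added example (not from the original post or the ISA workbook): aggregate
# constructed ISA-style control rows the way the Results sheet does, flagging
# controls below the target maturity as findings. The per-domain average is
# this example's own summary statistic, not the ISA's scoring formula.
from dataclasses import dataclass

TARGET_MATURITY = 3  # "established": documented, implemented, verifiably practiced

@dataclass(frozen=True)
class ControlRow:
    control_id: str   # VDA-style numbering, e.g. "1.2.1" (illustrative)
    domain: str       # sheet / domain the control belongs to
    score: int        # self-assessed maturity, 0..5

# Constructed sample rows; ids and scores are illustrative only.
SAMPLE_ROWS = [
    ControlRow("1.1.1", "IS", 4),
    ControlRow("1.2.1", "IS", 2),   # "we have a policy" but it is not verified
    ControlRow("5.1.1", "IS", 3),
    ControlRow("8.1.1", "PP", 1),
    ControlRow("8.2.1", "PP", 3),
    ControlRow("9.1.1", "DP", 0),
]

def validate(rows):
    """Reject scores outside the six-level scale before aggregating."""
    for r in rows:
        if not 0 <= r.score <= 5:
            raise ValueError(f"{r.control_id}: maturity {r.score} outside 0..5")

def findings(rows, target=TARGET_MATURITY):
    """Controls scored below target; each is a finding, with its maturity gap."""
    validate(rows)
    return [(r.control_id, r.domain, r.score, target - r.score)
            for r in rows if r.score < target]

def domain_summary(rows, target=TARGET_MATURITY):
    """Per-domain lowest score, average, finding count and threshold status."""
    validate(rows)
    by_domain = {}
    for r in rows:
        by_domain.setdefault(r.domain, []).append(r.score)
    return {d: {"min": min(s), "avg": round(sum(s) / len(s), 2),
                "findings": sum(1 for x in s if x < target),
                "meets_target": min(s) >= target}
            for d, s in by_domain.items()}

if __name__ == "__main__":
    for f in findings(SAMPLE_ROWS):
        print("finding:", f)
    print(domain_summary(SAMPLE_ROWS))
```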
The Practical Implication
The ISA workbook is not a compliance checklist to be filled in once every three years, even if it is known that this is a common practice among small and medium companies.
It is supposed to be a living snapshot of a security posture. Organizations that treat it as a periodic exercise tend to discover, during reassessment, that improvements logged in the previous cycle were never fully operationalized.
The workbook’s value is highest when it is maintained continuously as a management tool — updated as the threat landscape changes, as new processing activities begin, as infrastructure is modified, and as supply chain relationships evolve.
For companies already operating an ISO 27001-compliant ISMS, the ISA workbook is best understood as the automotive industry’s structured lens on that ISMS: it asks the same fundamental questions about governance, risk, and control, but through the specific context of the VDA’s risk model and the contractual obligations of the automotive supply chain.
Closing the gap between the two is the core of any effective TISAX preparation program.
How about doing everything with AI?
AI can help, but can’t solve the problem for you. Well, you can try, but the results are … well, I better let you test it yourself.
The problem is that you need to run through the AI all your ISMS (all policies, procedures) and compare its content with the controls in ISA.
But this is not everything: you not only need to map policies to controls, you must also provide the right evidence for them. This is very problematic, since no AI at this point in time is able to comprehend the multitude of types of evidence: logs, pictures, PowerPoint presentations, Excel documents, etc.
I have not seen this working well so far in several AI-powered solutions on the market.
By the way, those solutions are LLMs trained with a lot of context for the respective certification, and they are not made to work just for TISAX. That’s why they don’t work well.
© Copyright 2026 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca - Security & Technology
Want to work with me on this topic?
Check Endpoint Cybersecurity to see the consulting services we offer.
One thought on “TISAX getting started: A Deep Dive into the ISA Assessment Workbook (part 1)”