06. Aug 2024

Information security in the automotive industry

TISAX® deep dive: the three assessment levels

Depending on the TISAX assessment objectives, the TISAX regulations (TISAX manual) prescribe different assessment procedure types, the so-called assessment levels.

There are a total of 3 different assessment levels, designated AL1, AL2 and AL3, and a special form called AL2.5.

In this CIS article series, we focus on the topic of TISAX® and highlight the three assessment levels. You can find a basic introduction, e.g. on benefits and assessment, here.

 

Assessment-Level 1 (AL 1)

Audits at assessment level AL1 are generally only used for internal self-assessment purposes. At this level, the external auditors/assessors merely confirm that a complete self-assessment has been carried out. The content of the customer's self-assessment is not reviewed. No further evidence is required.

The results of assessments with assessment level 1 have a low confidence level. Therefore, no TISAX labels can be obtained at this assessment level.

Unlike the procedure known from the ISO standardization world, the TISAX standard does not issue certificates as proof of assessment. Instead, so-called TISAX labels are issued exclusively on the TISAX platform. This means that the customer does not receive a document or print-out. The results may not be communicated outside the platform.

Assessment-Level 2 (AL 2)

Assessments at assessment level 2 essentially consist of a plausibility check of the self-assessment of the company to be audited, i.e. the content of the VDA ISA completed by the company and the evidence provided. The procedure at assessment level AL2 is concluded with an interview with the person responsible for information security. AL2 procedures are usually carried out remotely in the form of a web conference. If there are reasons why the customer wishes to have the assessment conducted on site, e.g. because evidence should not be provided off-site, the interview can be conducted in person on site.

Assessment level 2.5 (AL 2)

This assessment level is a special variant of the AL2 procedure. Instead of the plausibility check of the AL2 level, this assessment level involves a complete check of all control requirements in the form of a web conference, i.e. fully remote. In contrast to the AL3 procedure, all on-site activities are omitted in this test mode. Formally speaking, an assessment according to AL2.5 is assessed as AL2.

The dependence of the assessment levels on the TISAX assessment objectives is shown in the following table (own representation according to TISAX manual ENX / Table 5: Assignment of TISAX assessment objectives to the assessment levels):

No. | TISAX assessment objective | Assessment level (AL)
1 | Info high | AL 2
2 | Info very high | AL 3
3 | Confidential | AL 2
4 | Strictly confidential | AL 3
5 | High availability | AL 2
6 | Very high availability | AL 3
7 | Proto parts | AL 3
8 | Proto vehicles | AL 3
9 | Test vehicles | AL 3
10 | Proto event | AL 3
11 | Data | AL 2
12 | Special data | AL 3

Do you have any questions or would you like to find out more?

CIS Certification & Information Security Services GmbH is the leading service provider in Austria when it comes to certifications in the field of information security, business continuity and data protection. Since 2021, CIS has been authorized to conduct audits according to the TISAX® standard. Thanks to a lot of concentrated know-how through cooperation on the European and international market and a broad network of specialist auditors, customer and service orientation are our top priorities. Click here to go directly to the TISAX® Assessment. We look forward to hearing from you!

Your contact person

Mr. Wolfgang Glowatzki

Lead Expert Information Security | Lead Auditor TISAX® AL2 and AL3 | Lead Auditor ISO 27001
