TISAX Audit: Process, Questionnaire, and What Auditors Really Test

Stefan Effenberger

IT Documentation Expert

Last updated: 10 June 2026

Reading time: 3 minutes


Key takeaways:

  • A TISAX audit consists of two stages: document review (Stage 1) and interview plus on-site inspection (Stage 2). The auditor follows the VDA ISA questionnaire, since April 2024 exclusively in version 6.0 – and assesses not only whether processes are documented, but also whether they are demonstrably implemented.
  • Costs consist of three blocks: ENX registration (405 Euros per location), audit fees (approx. 3,500 Euros for Assessment Level 2, approx. 6,000–7,000 Euros for Level 3), and internal preparation effort. The latter is the largest cost block – and directly depends on how up-to-date the IT documentation is.
  • Those who can present current, verifiable data for every auditor's question during the audit will pass. Incomplete or outdated IT asset documentation is one of the most common reasons for rework loops – and thus for delays in getting the label.
TISAX Audit Process and Preparation

More than half of all initial TISAX audits fail not due to a missing ISMS manual, but due to outdated or incomplete IT asset data. The auditor specifically asks: Which systems have access to confidential information? What are the current patch levels? Who has which permissions – and when were these last reviewed? Since April 2024, VDA ISA Version 6.0 has been the sole audit basis. This article explains how a TISAX audit works, what it costs, and how the IT documentation must be structured to avoid rework loops during the assessment.

What is a TISAX audit – and who is authorized to conduct it?

TISAX (Trusted Information Security Assessment Exchange) is the standardized audit procedure for information security in the automotive industry. As a TISAX standard, it was developed by the German Association of the Automotive Industry (VDA) and the ENX Association, and replaces the previous proliferation of OEM-specific individual audits. A successful assessment is made visible to approved business partners via the ENX portal – audited once, usable multiple times.

A TISAX audit may only be conducted by ENX-accredited audit providers. The list of approved auditors can be accessed directly via the ENX portal. The auditor does not assess the company as a whole, but rather a clearly defined scope: which locations, which processes, and which types of information are included.

The result is not a certificate in the traditional sense, but a TISAX label published on the ENX portal. It is valid for three years – after which the process begins again, however, with significantly reduced effort, as the ISMS is already in place.

How does a TISAX audit work – step by step?

The process follows a fixed scheme prescribed by ENX in the TISAX Participant Handbook. With good preparation, four to six months pass from registration to the published label. Those who still need to build up the ISMS should expect six to twelve months.

Step 1: Registration on the ENX Portal

The starting point is registration on the ENX portal as a TISAX participant: define the scope, select the audit objectives, and commission the audit service provider. The registration fee is a one-time payment of 405 Euros per location for three years. This step takes approximately one week.

Step 2: Clarify Scope and Assessment Level

Together with the OEM and the audit service provider, the applicable TISAX level and the modules to be audited are determined. This decision determines the entire subsequent effort – and consequently, the costs. If the scope is too broad, you'll pay unnecessarily. Two to three weeks of coordination is realistic.

Step 3: Gap Analysis and ISMS Setup

This is the most extensive part. The company assesses its current situation against the VDA ISA questionnaire, identifies gaps, and addresses them. This includes security policies, asset inventory, authorization concepts, emergency plans, and training records. Depending on the maturity level, this step takes three to nine months. Companies that already have automated documentation of their IT infrastructure significantly shorten this phase – because the asset inventory doesn't have to be compiled manually.

Step 4: The Two-Stage Audit

The actual audit proceeds in two stages. In Stage 1, the auditor reviews all submitted documents – ISMS manual, risk assessment, policies, asset lists, and authorization concepts. Missing or outdated documents are already considered a finding at this stage, even before a single interview has taken place.

In Stage 2, interviews are conducted with IT management, the ISMS manager, HR, and the data protection officer. The answers from various stakeholders must be consistent – the auditor deliberately questions multiple parties on the same topic. For Assessment Level 3, an on-site inspection is also included: server room, offices, and physical security facilities.

Step 5: Results, Remediation, and Publication

After the audit, the company receives its results. For findings – meaning controls that do not achieve maturity level 3 – there is a remediation phase. The label is only published on the ENX portal once the gaps have been closed and documented.

What does the auditor check – what topics does the VDA ISA questionnaire cover?

The auditor follows the ISA questionnaire, which has been in version 6.0 since April 2024. This version was published by VDA and ENX in October 2023 and replaces ISA 5.1 for all new engagements. The specific TISAX requirements – divided by audit objective, maturity level, and assessment level – are described in more detail in the cluster article on TISAX preparation.

The catalog is divided into several thematic blocks. The central audit areas for IT managers are information security management (ISMS policy, risk assessment), asset management (complete recording and classification of all information-processing systems), and access control – meaning who has access to which systems, based on what principle, and when this was last reviewed.

Additionally, there's patch management (current software versions, documented update processes), physical security (server rooms, access logs), incident management (detection, documentation, escalation of security incidents), and business continuity: Is there an IT emergency plan based on real asset data?

For each control question, the auditor assesses the maturity level on a scale from 0 to 5. Every relevant control must achieve at least maturity level 3 – meaning: established, followed, and demonstrably tested. Well-implemented processes often fail precisely here if the evidence is missing.

Compared to the previous version, ISA 6.0 also includes typical auditor questions and examples of evidence directly in the catalog for many controls – a step forward that makes preparation more concrete. ENX provides the current catalog for download.

How does the auditor assess the maturity level?

A point often underestimated in practice: The maturity level standard is more demanding than it sounds. Maturity level 3 does not mean "we have a policy," but rather "we have a policy that is followed in daily operations, and we can prove it." The auditor verifies this through interviews and by sampling documents.

A typical pattern from practice: The authorization concept is documented, but the last review was 14 months ago. Formally, the document exists – but it still doesn't meet maturity level 3 because regular reviews are missing. The same applies to training records: it's not enough to have conducted a training session once. The auditor asks whether new employees have also been trained and if this is documented.

This pattern extends across all audit areas: Processes must be lived and evidenced – not just exist on paper. Anyone who has internalized this understands why up-to-date data during an audit is not a bonus, but a fundamental prerequisite.

How much does a TISAX audit cost?

The costs are divided into three blocks, which carry different weights.

Registration with ENX: 405 Euros one-time per location for three years. The smallest item.

Audit fees: Depend on the assessment level and company size. For an SME with up to 100 employees, the pure audit fees for Assessment Level 2 are around 3,500 Euros, and for Level 3, around 6,000 to 7,000 Euros. Additional audit objectives, such as prototype protection, typically cost an extra 1,000 to 2,000 Euros. (Based on: ENX daily rates 2024, Source: secjur.com)

Preparation effort: This is the largest and most difficult block to plan. Anyone building an ISMS from scratch should expect several person-months of internal effort or comparable consulting costs. Those who already have up-to-date, structured IT documentation significantly reduce this effort – because asset inventories, authorization overviews, and network plans do not have to be built from scratch.

Recertification after three years typically costs 60 to 70 percent of the initial costs. Those who start planning at least six months before expiration remain continuously visible in the ENX portal – and thus also meet the requirements for ongoing TISAX compliance with their OEM partners. The article of the same name explains in detail why TISAX has become a mandatory requirement specifically for the automotive industry and which companies are affected.

What has changed in 2024 – what does VDA ISA 6.0 mean?

For all TISAX assessments commissioned from April 1, 2024, only ISA Version 6.0 applies. Those who prepared based on ISA 5.1 must address the gaps to the new version.

Key changes: The requirement structure is clearer, with concrete examples and typical auditor questions directly integrated into the catalog. The ISA catalog is oriented toward ISO 27001 in terms of content – those who already operate an ISMS according to this standard have a measurable advantage when setting up TISAX preparation. The label system has fundamentally changed – the previous labels "Info High" and "Info Very High" have been dropped. There are now four new labels that strictly separate confidentiality and availability; the central categories are now called "Confidential" and "Availability". Furthermore, ISA 6.0 emphasizes more strongly that measures must not only exist but also be demonstrably implemented and lived.

Companies with assessments based on ISA 5.x retain their labels until their regular expiration. There is no longer a transition option for new commissions.

In practice, this means: Anyone starting TISAX preparation today will work exclusively based on ISA 6.0. Those who had built their scope and gap analysis on the old version must check where the new version expects different or additional evidence. This particularly affects the label system, where the classification has fundamentally changed.

How do you specifically prepare for the TISAX audit?

The preparation phase is the real work. The actual audit takes one to three days – the preparation takes months. Those who proceed systematically divide it into four steps:

Step 1 – Define the scope: Which locations and processes are truly affected? A scope that is too broad costs effort and money. Coordinate with the OEM what is actually required.

Step 2 – Conduct a gap analysis: Compare the VDA ISA questionnaire point by point against your current situation. For each control, honestly assess the current maturity level and what is missing.

Step 3 – Establish documentation: This is where it becomes clear whether the preparatory work was solid. IT asset inventory, authorization concepts, policies, emergency plan – everything must be verifiable. An automatically maintained asset inventory is significantly more reliable than a manually managed list.

Step 4 – Internal dry runs: Before the actual audit, practice the most important questions internally. Are the answers from IT management, the ISMS officer, and HR consistent? Is there immediate, appropriate evidence for every question?

Those who wish to learn more about the background and specific requirements can find more in the article on TISAX certification.

TISAX Audit Checklist: What needs to be available before the assessment?

Effective preparation covers at least these points:

  • Current IT asset inventory (all systems processing confidential information)
  • Documented authorization concept with proof of regular review
  • ISMS policy and risk assessment document
  • Current patch levels for all relevant systems – traceable and dated
  • Documentation of physical security measures (access points, server rooms)
  • Evidence of employee training on information security
  • IT emergency plan based on actual asset data
  • Process description for incident management and escalation

Anyone attempting to populate this list manually almost always runs into the same issue: the currency of the asset data. A spreadsheet that hasn't been updated for three months is already a finding in an audit – because a lack of up-to-dateness indicates a deficient process.
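As an added illustration (not part of the original article or of any Docusnap tool), the following Python script turns the internal dry run from Step 4 and the checklist above into a mechanical check: each control is tested against the criteria the article names (maturity level at least 3, evidence that the process is actually lived, a recent review), and the asset inventory is checked for stale records. The control ids and sample records are constructed; the 12-month review interval and the 90-day asset freshness window are this example's assumptions, since the article only states that a 14-month-old review and a three-month-old list count as findings.

```python
from dataclasses import dataclass, field
from datetime import date

# Thresholds for this dry run; the exact cut-offs are assumptions, not ISA values.
MIN_MATURITY = 3            # ISA maturity scale 0-5; relevant controls need >= 3
MAX_REVIEW_AGE_DAYS = 365   # assumption: reviews are expected at least annually
MAX_ASSET_AGE_DAYS = 90     # assumption: inventory records older than this are stale

@dataclass
class Control:
    control_id: str      # placeholder ids, not real ISA 6.0 control numbers
    topic: str
    maturity: int        # self-assessed maturity level 0-5
    last_review: date    # when the policy or process was last reviewed
    evidence: list = field(default_factory=list)  # records proving it is lived

def assess_control(c: Control, today: date) -> list:
    """Findings an auditor would raise for one control; an empty list is a pass."""
    findings = []
    if c.maturity < MIN_MATURITY:
        findings.append(f"{c.control_id} {c.topic}: maturity {c.maturity} below {MIN_MATURITY}")
    if not c.evidence:
        # Documented but unproven: exists on paper only, not "demonstrably tested"
        findings.append(f"{c.control_id} {c.topic}: no evidence of implementation")
    if (today - c.last_review).days > MAX_REVIEW_AGE_DAYS:
        findings.append(f"{c.control_id} {c.topic}: last review older than {MAX_REVIEW_AGE_DAYS} days")
    return findings

def stale_assets(inventory: dict, today: date) -> list:
    """Names of assets whose inventory record is older than the freshness window."""
    return sorted(name for name, seen in inventory.items()
                  if (today - seen).days > MAX_ASSET_AGE_DAYS)

def dry_run(controls: list, inventory: dict, today: date) -> list:
    """Control findings plus stale-inventory findings, as the internal dry run would list them."""
    findings = [f for c in controls for f in assess_control(c, today)]
    findings += [f"asset inventory: {a} not refreshed for more than {MAX_ASSET_AGE_DAYS} days"
                 for a in stale_assets(inventory, today)]
    return findings

# Constructed sample data for a dry run dated 10 June 2026 (not real audit records).
SAMPLE_TODAY = date(2026, 6, 10)
SAMPLE_CONTROLS = [
    Control("C-1", "access control", 3, date(2025, 4, 10), ["authorization-concept.pdf"]),
    Control("C-2", "security training", 3, date(2026, 1, 15), []),
    Control("C-3", "patch management", 4, date(2026, 3, 1), ["patch-report-2026-05.pdf"]),
    Control("C-4", "incident management", 2, date(2026, 2, 1), ["incident-runbook.pdf"]),
]
SAMPLE_INVENTORY = {"fileserver01": date(2026, 6, 1), "legacy-erp": date(2026, 2, 20)}
```

Running `dry_run(SAMPLE_CONTROLS, SAMPLE_INVENTORY, SAMPLE_TODAY)` on the sample data yields four findings: the 14-month-old authorization review, the training control without evidence, the incident process at maturity 2, and the stale `legacy-erp` inventory record.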

Why IT documentation determines audit success or remediation

Auditors don't ask for declarations of intent; they ask for evidence. If the asset inventory is incomplete, the foundations for risk analysis, authorization concepts, and emergency planning are missing – these are three of the most critical audit areas in the ISA catalog.

IT managers who automate their infrastructure documentation have a structural advantage during audits: they can provide up-to-date reports for every auditor's question, without spending days on manual preparation. Docusnap inventories Windows, Linux, and VMware environments agentlessly, generating reports that map patch levels, authorizations, and network structures in an auditable format. The advantage is not just in time savings – but in the fact that the data during the audit actually reflects the current state of the infrastructure and not the state from three months ago.

The crucial difference between a passed and a remediated audit rarely lies in a missing ISMS manual. It almost always depends on whether the IT data presented during the audit is actually reliable. Anyone who starts manually compiling inventory lists shortly before the assessment will realize: the gaps that emerge are not trivial. Systems that no one remembers anymore, permissions that haven't been cleaned up since employees left, undocumented patch levels – these are precisely the findings that lead to remediation cycles.

More on how IT managers structure their IT audit preparation with automated documentation is explained in the article on IT audit software.


Setting up audit-ready IT documentation

Docusnap inventories your IT infrastructure automatically and agentlessly – Windows, Linux, VMware, and more. Patch levels, permissions, and network diagrams are available in an auditable format at all times. A 30-minute demo shows what this looks like in your environment.
