The Eight Data Protection Levels of Assessment

TISAX Consultancy Services for Automotive Manufacturers and Suppliers

The Trusted Information Security Assessment Exchange (TISAX) is a recognised benchmark for information security in the automotive sector. The German Association of the Automotive Industry (VDA) developed it. TISAX helps organisations protect sensitive information across complex supply chains.

Accredited audit providers carry out TISAX assessments. They must regularly show both competence and independence. Importantly, assessment results stay confidential. The TISAX platform shares results only with approved participants.

TISAX assessments follow the VDA Information Security Assessment (ISA) catalogue, based on ISO/IEC 27001. From an internal auditor’s perspective, the assessment checks whether the organisation has suitable controls and whether those controls work properly. The framework focuses on protecting sensitive information in line with defined protection needs. These needs fall into eight protection levels. Each level has clear objectives and control requirements.

Level 1: High Protection Needs (Info High)

This level applies when information needs strong protection. Organisations must define, document, and apply controls that protect confidentiality, integrity, and availability.

During an internal audit, we check the documented controls and procedures. Then we confirm that staff understand and follow them. We also review risk registers to ensure key risks are identified and reduced.

Level 2: Very High Protection Needs (Info Very High)

Information at this level requires very strong protection. Organisations must implement robust controls to handle advanced threats.

From an audit perspective, we expect strict access controls, increased monitoring, and regular reviews. Security processes should include testing and clear evidence of improvement.

Level 3: Data Protection in Line with GDPR (Data)

This level applies to organisations acting as data processors under Article 28 of the GDPR.

Internal auditors check that organisations have suitable technical and organisational measures. For example, we review data processing agreements, clear procedures, and controls to protect personal data throughout its lifecycle.

Level 4: Special Categories of Personal Data (Special Data)

Level 4 covers special categories of personal data under Article 9 of the GDPR. At this level, audit scrutiny increases.

Internal auditors examine whether organisations have implemented stronger security controls. We focus on access restrictions, consent processes, and secure handling and storage. Organisations must show that they protect data from unauthorised access.

Level 5: Protection of Prototype Parts and Components (Proto Parts)

This level protects intellectual property linked to prototype parts and components.

Internal audit reviews cover physical security, restricted access, and asset tracking. Auditors also check confidentiality controls during development and testing.

Level 6: Protection of Prototype Vehicles (Proto Vehicles)

Prototype vehicles carry high commercial and strategic risk. Therefore, organisations must have strong physical security controls.

These controls include controlled access, monitoring, and documented procedures. Auditors also check how organisations identify and manage risks specific to prototype vehicles and their environments.

Level 7: Handling of Test Vehicles (Test Vehicles)

This level focuses on secure handling of test vehicles.

Internal audit checks transport security, handling procedures, staff authorisation, and incident response. Controls must show that the organisation understands and manages risks related to testing activities.

Level 8: Protection of Prototypes during Events and Film or Photo Shoots (Events and Shoots)

This level applies when prototypes appear at events or in filming and photography.

Internal auditors check that organisations have strong controls to prevent unauthorised disclosure. These controls usually include physical barriers, non-disclosure agreements, controlled access, secure logistics, and clear responsibilities before, during, and after activities.

Conclusion

Understanding each TISAX protection level helps organisations prepare for assessments. It also ensures alignment with industry expectations.

From an internal auditor’s perspective, organisations must maintain clear documentation, ensure controls operate consistently, and manage risks effectively. When these steps are in place, organisations build trust with customers and partners across the automotive sector.

For further information on how we can support your TISAX readiness, please use the link below.