Scope and Evidence Control
Defining TISAX scope and Evidence Control ensures automotive sites, systems, and data flows sit within clear assessment boundaries. Therefore, ParkinsonHowe supports precise scoping aligned to OEM expectations, reducing rework. In addition, structured evidence controls ensure security processes are documented. As a result, assessments run efficiently, validation is clearer, and readiness improves across supply chain operations.
Why scope matters in TISAX
TISAX is built on trust. For that trust to exist, assessors and customers need to understand what the assessment includes and what it does not. The TISAX Participant Handbook explains that the assessment scope defines the start and end points of the audit. Any team that handles customer information should include those areas within the scope. As a result, everyone gains clarity from the start.
A poorly defined scope can cause problems. If teams miss locations, systems, or processes, the assessment result may not meet customer expectations. This often leads to scope changes, extra audit work, and delays. ParkinsonHowe helps organisations define a standard TISAX scope, which the automotive industry accepts and which avoids unnecessary complications. Therefore, precise scope definition is essential.
Managing evidence the right way
TISAX assessments rely on evidence. Evidence shows that security controls exist and that teams operate them as intended. This includes policies, procedures, records, and system outputs. The handbook makes clear that teams must provide evidence to support the self-assessment and make it available to the audit provider. Consequently, evidence management plays a central role.
Good evidence control means teams keep documents easy to find, up to date, and clearly linked to TISAX requirements. When teams structure evidence consistently, assessors can complete their work more efficiently. This reduces disruption to day-to-day operations and supports a smoother assessment process. In turn, organisations experience fewer audit delays.
Understanding TISAX Assessment Levels
TISAX uses Assessment Levels (AL) to match the depth of assessment to the level of information risk.
AL1 – Self‑assessment
AL1 is a basic internal check. An auditor only confirms that a self-assessment exists. Auditors do not review the content or test evidence. TISAX does not use AL1 results, and OEMs do not accept them. Teams mainly use AL1 for internal preparation. As a result, most organisations opt for higher levels.
AL2 – Plausibility‑based assessment
AL2 is the most common level for automotive suppliers. The audit provider reviews the self-assessment, checks evidence, and interviews key staff, usually remotely. The team focuses on whether controls exist and appear suitable. Teams use AL2 for confidential information where protection needs are high. Furthermore, AL2 balances thoroughness and efficiency.
AL3 – On‑site verification
Teams use AL3 where information risk is very high, such as for prototype vehicles or strictly confidential data. The auditor verifies controls in depth, including on-site checks, observations, and detailed interviews. AL3 offers the highest level of assurance and covers all lower levels of assessment. Ultimately, AL3 is the gold standard for critical situations.
Linking scope and evidence control
The assessment level applies to the highest protection need within the defined scope. This means that scoping decisions directly affect effort, cost, and audit approach. ParkinsonHowe supports organisations in aligning scope, assessment objectives, and evidence so that the selected level is justified, efficient, and accepted the first time.
A well‑defined scope and controlled evidence set the foundation for a successful TISAX assessment. Combined with the correct assessment level, they allow organisations to demonstrate security clearly and confidently across the automotive supply chain.




