TISAX Assessment Levels (AL1, AL2, and AL3) define how information security is assessed across the automotive supply chain. Each level is linked to how sensitive your information is and how much confidence car manufacturers need in the way you protect it. Choosing the right level early helps avoid delays, extra cost, and rejected assessments.
TISAX works on a risk basis. A higher level is not “better” unless it is needed. The assessment level must match the information you handle and what your customer expects. ParkinsonHowe helps suppliers choose the right level and prepare clear, practical evidence that meets OEM requirements.
Assessment Level 1 (AL1): Self‑assessment
AL1 is a self‑assessment only. Your organisation completes the VDA Information Security Assessment (ISA) questionnaire internally. There is no audit and no detailed check of your answers by an external assessor.
AL1 does not produce a TISAX label and cannot be shared with customers on the ENX platform. For this reason, most vehicle manufacturers do not accept AL1 as proof of information security. It is mainly used as a starting point.
AL1 is useful if you want to:
- Understand your current level of information security.
- Find gaps before moving to AL2 or AL3.
- Prepare a new site or team for TISAX.
Assessment Level 2 (AL2): Remote assessment
AL2 is the most common TISAX level for automotive suppliers. It includes a check by an approved audit provider. The assessment is usually carried out remotely.
The assessor reviews your written evidence, such as policies and procedures, and speaks to key staff. This confirms that your controls are in place and working as described. If successful, you receive a TISAX label that you can share with customers.
AL2 is normally required when handling confidential or sensitive information, but not for highly restricted data.
AL2 is typically used for:
- Engineering and design information
- Customer and supplier data
- Most “Info High” TISAX objectives
Assessment Level 3 (AL3): On‑site audit
AL3 is the highest TISAX assessment level. It is required where information risk is very high. The assessment must take place on site.
In addition to reviewing documents and interviewing staff, the assessor physically checks security controls. This may include offices, IT systems, access controls, and secure areas.
AL3 is mandatory if you work with prototype vehicles or very sensitive development data. Customers expect strong proof that both digital and physical security are well controlled.
AL3 is usually required for:
- Prototype and pre‑production work
- Highly confidential vehicle data
- Secure test and development areas
Choosing the correct level
The correct TISAX level is driven by risk and customer demand. It is not optional. ParkinsonHowe works with suppliers to confirm assessment objectives, clarify OEM expectations, and prepare proportionate evidence. This helps ensure your TISAX assessment is efficient, clear, and accepted the first time.


