TISAX Assessment Levels (AL1–AL3)
TISAX Assessment Levels (AL1, AL2, and AL3) define how information security is assessed across the automotive supply chain. Each level is linked to how sensitive your information is and how much confidence car manufacturers need in it. Choosing the right level early helps avoid delays, extra cost, and rejected assessments.
TISAX works on a risk basis. A higher level is not “better” unless it is needed. The assessment level must match the information you handle and what your customer expects. ParkinsonHowe helps suppliers choose the right level and prepare clear, practical evidence that meets OEM requirements.
Assessment Level 1 (AL1): Self‑assessment
AL1 is a self-assessment only. Your organisation completes the VDA Information Security Assessment (ISA) questionnaire internally. You do not undergo an audit, and no external assessor checks your answers in detail. As a result, AL1 provides a simple starting point for many organisations.
AL1 does not produce a TISAX label and you cannot share it with customers on the ENX platform. For this reason, most vehicle manufacturers do not accept AL1 as proof of information security. Therefore, teams mainly use it as a starting point.
AL1 is useful if you want to:
- Understand your current level of information security.
- Find gaps before moving to AL2 or AL3.
- Prepare a new site or team for TISAX.
Assessment Level 2 (AL2): Remote assessment
AL2 is the most common TISAX level for automotive suppliers. An approved audit provider checks your evidence and processes. Auditors usually conduct the assessment remotely. Consequently, the process is both efficient and thorough.
The assessor reviews your written evidence, such as policies and procedures, and speaks to key staff. This step confirms that you have set up your controls and that they work as you describe. If you pass the assessment, you receive a TISAX label and can share it with customers. Additionally, this label strengthens your credibility with partners.
You normally need AL2 when you handle confidential or sensitive information, but not for highly restricted data. As a result, AL2 is suitable for most suppliers without extremely sensitive projects.
AL2 is typically used for:
- Engineering and design information
- Customer and supplier data
- Most “Info High” TISAX objectives
Assessment Level 3 (AL3): On‑site audit
AL3 is the highest TISAX assessment level. You need AL3 when information risk is very high. Auditors conduct the assessment on site to check all relevant areas. Therefore, AL3 offers the strongest assurance for critical projects.
In addition to reviewing documents and interviewing staff, the assessor physically checks security controls. For example, the auditor may inspect offices, IT systems, access controls, and secure areas. This comprehensive approach ensures nothing is overlooked.
You must choose AL3 if you work with prototype vehicles or very sensitive development data. Customers expect strong proof that you control both digital and physical security. Ultimately, AL3 demonstrates your commitment to top-tier information security.
OEMs and customers usually require AL3 for:
- Prototype and pre‑production work
- Highly confidential vehicle data
- Secure test and development areas
Choosing the correct level
Risk and customer demand drive the correct TISAX level. You do not have a choice about this requirement. ParkinsonHowe works with suppliers to confirm assessment objectives, clarify OEM expectations, and prepare proportionate evidence. As a result, your TISAX assessment is efficient, clear, and accepted the first time.
