TISAX Roadmap for SMEs in the Automotive Industry
Achieve the highest information security standards with TISAX certification. Your path to greater trust and competitive advantage!

The automotive industry demands the highest information security standards from its suppliers. A TISAX certification (Trusted Information Security Assessment Exchange) is now often a prerequisite for collaboration. TISAX was developed by the German Association of the Automotive Industry (VDA) together with the ENX Association and is fundamentally based on ISO/IEC 27001. This means companies must implement an Information Security Management System (ISMS) in line with ISO 27001 and additionally fulfil industry-specific requirements such as prototype protection and physical security. The VDA ISA requirements catalogue is accordingly structured into the areas of information security, prototype protection, and data protection. Depending on the protection needs of the information processed, different assessment levels (Assessment Level 1-3) become relevant, with Level 3 (very high protection needs) being the minimum standard for many OEMs today.
For small and medium-sized enterprises (SMEs) or first-time suppliers, the path to TISAX certification can seem challenging, particularly with limited personnel resources, older buildings without optimal physical protection, or no prior experience in building an ISMS. The good news is that smaller companies can also meet the TISAX requirements, as the specifications are scalable and are always interpreted by the audit provider taking the company size into account. What matters is a structured approach with clear phases, in which you systematically close gaps and involve all stakeholders early on. Typical stumbling blocks, such as missing documentation, technical island solutions without processes, low security awareness, or lacking project resources, can be overcome through careful planning. It is important to remember that TISAX is not a one-off project but requires a living system that is continuously maintained and improved.
In the following sections, we outline a practice-oriented roadmap in six phases, from preparation to aftercare, to implement a TISAX certification in a structured manner. The guide includes concrete tips, addresses typical industry challenges, and references established standards and partners (e.g. VDA ISA, BSI IT Baseline Protection, ENX, audit providers such as TÜV, DEKRA, KPMG).
- Tip
A strategic, structured approach, ideally accompanied by external ISMS expertise, significantly increases the likelihood of success and strengthens the internal security culture. If needed, seek early support from experienced consultants or networks (e.g. Alliance for Cyber Security, Bitkom guides) rather than fumbling in the dark on your own.
Phase 1: Preparation and Gap Analysis
The starting point of any certification is a thorough stocktake: Where does the company currently stand in terms of security? What specific requirements are coming our way? In this phase, you lay the foundations for a successful project.
Scope & requirements clarification: First, it must be clear what scope the ISMS should have. Define which locations, business areas, and information types are in scope. Take customer requirements into account: if an OEM demands, for example, handling information with very high protection needs or prototype protection, you must prepare for Assessment Level 3, with correspondingly stringent controls and an on-site audit. If only "high protection needs" without prototypes are required, Level 2 may suffice (audit by service provider, possibly remote). Make this decision early, as it determines the project scope.
Management buy-in & resources: Win over senior management as a sponsor. TISAX requires cross-departmental measures and ongoing resources. Appoint a project leader or Information Security Officer to coordinate the endeavour. Define clear responsibilities (who handles IT topics, who handles building/facility security, who handles training, etc.). Also plan the rough budget and timeframe: how much time is available until the desired certificate? What investments (e.g. for doors, software, consulting) need to be planned?
Conducting a gap analysis: Compare the current state of your security measures with the target requirements from the TISAX/VDA ISA catalogue. A gap analysis along the questionnaire is well suited for this purpose. Go through the questions one by one and document which requirements you already meet and where gaps exist. Typical questions at this stage include: Are there already IT security policies or documentation? Are basic technical protection measures (firewall, antivirus, backup) in place and documented? Are there access rules for buildings? As an aid, you can use the official VDA ISA questionnaire (available via the ENX portal) or employ tools that facilitate this self-assessment. It often makes sense to integrate an ISO 27001 gap analysis at the same time, since TISAX builds on ISO.
Prioritise results: The gap analysis yields a list of missing measures. Assess which gaps are critical (e.g. no access control for the server room, no security policy in place) and which have lower priority. This prioritisation feeds into the action plan (Phase 3).
- Tip
Document all findings from the stocktake carefully. Structured documentation is essential. Missing evidence is one of the most common causes of audit problems. If there is little internal experience, consider having a TISAX readiness check carried out by an external expert. A professional gap analysis can uncover blind spots and save time on the road to certification.
Phase 2: ISMS Setup with Policies and Physical Security
Based on the preliminary analysis, you now begin building the Information Security Management System (ISMS). Here you lay the organisational and regulatory groundwork to ensure that all security measures are systematically planned, implemented, and monitored.
Creating the ISMS framework: Formulate a top-level security policy (Information Security Policy) that records the management commitment and the objectives of the ISMS. Set up an ISMS committee or at least regular coordination meetings involving all relevant areas (IT, HR, Facility, Management). This ensures that security does not remain a purely IT topic but is anchored throughout the entire organisation.
Establishing risk management: Start with a formal risk analysis. Systematically identify and assess the risks to your information and systems. Use recognised methods (e.g. based on ISO 27005 or BSI Standard 200-3) to determine the protection needs of your assets. Importantly, include all relevant scenarios, from cyberattacks to the theft of a prototype from the office. The identified risks then drive the selection of appropriate security measures.
Defining protection classes: Establish a scheme for classifying information. In the automotive industry, levels such as "internal", "confidential", and "highly confidential" are typically used. The VDA catalogue distinguishes in particular between normal, high, and very high protection needs, with the latter requiring additional measures. Define how documents, data, and where applicable prototypes are to be labelled and handled accordingly. Work with the specialist departments to determine which information falls into which class. These protection classes then determine, for example, whether certain data may only be processed in specially secured areas.
Organisational rules & policies: Develop or update specific security policies and processes for all relevant areas. These include, for example: policies on access control (who may do what, approval processes), rules on the use of IT systems (password policies, internet usage), a clear desk/clear screen policy (no sensitive information left in the open), incident management processes (e.g. handling security incidents), supplier management (security requirements for service providers), and much more. Align closely with the requirements of the VDA ISA and ISO 27001 Annex A. Best-practice catalogues such as BSI IT Baseline Protection, which provides practical measure recommendations for numerous areas, are also helpful. It is important that the policies are documented in writing and approved by senior management. They form the rules by which your security management operates.
Implementing physical security: A key focus in the automotive industry is protecting premises and prototypes from unauthorised physical access or visibility. Introduce a security zone concept: define areas with higher protection needs (e.g. laboratories, development rooms, server room) and equip them with appropriate controls. Access controls are mandatory, at minimum mechanical (keys, locking system) and for high protection needs preferably electronic (cards, PIN, biometric) with logging. Critical rooms should only be accessible to authorised personnel. Surveillance systems (alarm system, video surveillance within GDPR guidelines) enhance security at night and at infrequently used access points.
Particular attention should be paid to visual protection: in areas where confidential information is visible (e.g. prototypes, design plans on walls, screens), unauthorised persons must be prevented from simply looking in. Windows and glass surfaces should, where structurally feasible, be fitted with opaque films, blinds, or curtains. If there are older buildings with large windows that cannot be screened off, you should take organisational measures: for example, move sensitive activities to interior rooms, set up privacy screens, or ensure that no secret materials are left in the line of sight after business hours. Document in the risk analysis your reasoning for why, despite structural limitations, an adequate level of protection is achieved (e.g. building is fenced, security service present, low public traffic, etc.). This shows the auditor that you are aware of the protection requirement and have chosen pragmatic alternatives.
Raising employee security awareness: No ISMS works without the people who follow it. Start early with awareness measures: information security training, clear communication of the new policies, and why they matter. Every employee, from developer to receptionist, should know how to handle confidential information and what reporting channels are available in an emergency. Particularly for SMEs without prior experience, it can be helpful to use external training offers (e.g. from the BSI or industry associations). Training and workshops on password security, phishing recognition, handling prototypes, etc. help to build a security culture. Without awareness, technical measures are rendered ineffective.
Phase 3: Implementing the Action Plan
After the conceptual phase, it is time for the concrete implementation of the identified measures. From the gap analysis (Phase 1) and the defined ISMS requirements (Phase 2), you derive a catalogue of measures: who does what by when in order to close the gaps?
Creating an action plan: Bring all required steps together in a project plan. Prioritise by risk and effort. Set realistic deadlines and assign responsible persons for each measure. One possible action item could be: "Fit development office windows with privacy film - Responsible: Facility Manager - to be completed by 30 September." Another: "Document and test backup concept - Responsible: IT Manager - by 15 October." Make sure to include organisational measures as well, e.g. "Prepare and distribute training materials for employees."
Closing gaps: Now it is time to work through the planned tasks. Technical measures are usually implemented by IT or external service providers (firewall hardening, network segmentation, introducing encryption, etc.). Organisational steps may include creating missing policy documents (if, for example, no policy on mobile working exists yet, it must be newly written). Physical improvements (additional locks, server room air conditioning, alarm installation) should be commissioned promptly, as delivery times need to be factored in. Keep track of progress, for example through regular project meetings or status reports to senior management.
Do not forget documentation: In parallel with implementation, every implemented control procedure should be documented. Maintain evidence: e.g. logs from IT systems (password policy configured in AD - screenshot filed), photos of newly installed door locks, attendance lists from security training sessions, etc. This evidence will be invaluable in the audit. Audits often fail not because of missing measures but because evidence and documents are not complete. Set up a central (digital) folder in which all policies, process descriptions, risk reports, and evidence documents are stored in a structured manner.
Managing scarce resources: SMEs in particular often face the challenge that employees must build the ISMS "on the side." Therefore, prioritise strictly: which measures have the greatest impact on security and the audit result? Focus on those first. Less critical points can, where justified, be deferred, but be careful: "must" requirements from the TISAX catalogue cannot be left open. If you cannot manage everything in parallel due to staffing constraints, consider external help for implementing certain packages (e.g. an external IT security specialist for penetration testing or a contractor for alarm system installation).
Dealing with exceptions: Should there be points that you cannot fulfil 100% despite all efforts (for example due to structural reasons), document a protection needs assessment. Describe why, in your view, the risk is manageable and what compensating measures you have taken. Example: "No biometric access system in place - risk accepted, as the entrance area is permanently staffed and video surveillance is in place, visitor registration is done manually." A good auditor will understand that small companies need pragmatic solutions, as long as the overall level of protection is adequate.
- Tip
Keep the audit perspective in mind. Even in this phase, put yourself in the auditor's shoes. For every requirement in the TISAX catalogue, ask yourself: how can I prove to the auditor that we fulfil this? Maintain an internal checklist with target/actual evidence. This ensures that nothing falls through the cracks at the end.
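As an added example (not from the original article, and not the VDA ISA questionnaire itself), a small Python self-assessment tracker that ties the gap analysis of Phase 1 to the action plan and evidence checklist of Phase 3: it scopes requirements by the target assessment level, prioritises open and undocumented items, refuses to defer "must" requirements, and flags action items that have no owner or are due after the planned audit date. The control ids, catalogue wording, answers and dates are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Requirement:
    rid: str        # constructed placeholder id, not a real VDA ISA control number
    text: str
    must: bool      # "must" requirement: may not be left open at audit time
    min_level: int  # assessment level from which it applies (assumption for this example)

@dataclass
class Answer:
    implemented: bool
    evidence: list = field(default_factory=list)  # file names in the central evidence folder
    owner: str = ""
    due: date = None  # planned completion date from the action plan

@dataclass
class Finding:
    rid: str
    kind: str       # "open": control missing; "no_evidence": implemented, nothing to show
    must: bool
    priority: int   # 1 = critical, 2 = important, 3 = low

# Constructed sample catalogue (placeholder ids and wording, not the VDA ISA questionnaire).
CATALOGUE = [
    Requirement("IS-01", "Security policy approved by management", True, 1),
    Requirement("IS-02", "Backup concept documented and tested", True, 1),
    Requirement("IS-03", "Logged electronic access control for the server room", False, 3),
    Requirement("PP-01", "Visual protection of prototype areas", True, 3),
    Requirement("DP-01", "Processing record for personal data", True, 1),
]

# Constructed self-assessment answers, reusing the two action items quoted in Phase 3.
ANSWERS = {
    "IS-01": Answer(True, ["ISMS-Policy-v1.pdf"]),
    "IS-02": Answer(True, [], owner="IT Manager", due=date(2025, 10, 15)),
    "PP-01": Answer(False, owner="Facility Manager", due=date(2025, 9, 30)),
    "DP-01": Answer(True, ["processing-record.xlsx"]),
}

def gap_analysis(catalogue, answers, target_level):
    """Compare self-assessment answers with the requirements applicable at the target level."""
    findings = []
    for req in catalogue:
        if req.min_level > target_level:
            continue  # out of scope for this assessment level
        ans = answers.get(req.rid)
        if ans is None or not ans.implemented:
            findings.append(Finding(req.rid, "open", req.must, 1 if req.must else 2))
        elif not ans.evidence:
            findings.append(Finding(req.rid, "no_evidence", req.must, 2 if req.must else 3))
    return sorted(findings, key=lambda f: (f.priority, f.rid))

def defer(finding):
    """Deferring is allowed for non-must findings only."""
    if finding.must:
        raise ValueError(f"{finding.rid} is a must requirement and cannot be left open")
    return ("deferred", finding.rid)

def audit_ready(findings):
    """Ready only when no must requirement is open or without evidence."""
    return not any(f.must for f in findings)

def action_plan(findings, catalogue, answers):
    """'Who does what by when' per finding, in gap priority order."""
    text = {r.rid: r.text for r in catalogue}
    plan = []
    for f in findings:
        ans = answers.get(f.rid)
        verb = "Implement: " if f.kind == "open" else "File evidence: "
        plan.append({"rid": f.rid, "task": verb + text[f.rid], "priority": f.priority,
                     "owner": ans.owner if ans and ans.owner else "UNASSIGNED",
                     "due": ans.due if ans else None})
    return plan

def schedule_conflicts(plan, audit_date):
    """Items that are unassigned, undated, or due after the planned audit date."""
    return [a["rid"] for a in plan
            if a["owner"] == "UNASSIGNED" or a["due"] is None or a["due"] > audit_date]
```

Running the same answers against Level 2 and Level 3 shows how the target level changes the scope, and how a control that is implemented but has no filed evidence still blocks audit readiness.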
Phase 4: Internal Audits - Dress Rehearsal Before the Real Thing
Before you start the official assessment process, an internal audit is essential. This internal review serves as a dress rehearsal to uncover weaknesses while there is still time to make improvements.
Setting up the audit team: Designate internal auditors, ideally people who are not directly reviewing their own work. In a small company, this could be a manager from a different area, or you could commission an external auditor on a consulting basis to critically examine your ISMS. Independence and objectivity are key.
Conducting the review: Follow the VDA ISA questionnaire and work through it systematically. Check whether all requirements have been implemented and are effective. Examples: Does every security policy also have a concrete process, and is it known? Do the access controls work in practice (test: can an unauthorised person get into the building)? Are backups actually created and verified in accordance with the policy? Feel free to simulate small tests, such as a phishing test with employees or a practice alarm, to check responses.
Identifying weaknesses: Record all deviations and observations. Typical findings from internal audits include, for example: an employee is unaware of a rule, document X is outdated, a planned technical patch is still pending, or physical deficiencies (e.g. fire extinguisher missing). Prioritise these findings by criticality.
Initiating corrective actions: For each finding, countermeasures should be implemented before the external audit. The internal audit essentially gives you a to-do list for the final stretch. Minor gaps (e.g. a missing "No Entry" sign on the lab door) can be closed quickly. Larger problems (e.g. incomplete documentation of the network topology) may need to be corrected with overtime or external help. If necessary, you can also decide to postpone the official audit until critical deficiencies have been resolved. That is far better than failing.
Audit documentation: Summarise the internal audit in a report. This internal audit report also serves as evidence that you have met the ISO 27001/TISAX requirement for an internal audit. It does not need to be submitted to the external auditor but documents your continuous improvement.
- Tip
Use checklists. Many consultancies or publications (e.g. from Bitkom or DataGuard) offer audit checklists for TISAX. Such lists help ensure no audit criteria are overlooked. The TISAX Participant Handbook (ENX Participant Handbook) also provides a good overview of what to expect in the assessment. A structured internal review increases the likelihood that the external audit will be successful on the first attempt.
Phase 5: External Assessment by Accredited Auditors
Now the actual TISAX assessment is at hand. It is conducted by an accredited audit service provider that you are free to choose. The ENX Association approves several providers, including TÜV, DEKRA, DQS, KPMG, Bureau Veritas, and others. It is important that the service provider is authorised to carry out TISAX assessments (accredited by ENX), which is the case for the above-mentioned providers.
Selecting and commissioning an audit provider: Research a suitable audit provider. Criteria may include: experience in your industry, availability within your desired timeframe, pricing, language of the auditor, etc. Make contact early, as good auditors' calendars are sometimes fully booked. Plan for a lead time of several months if needed. After registering on the TISAX portal, you can officially commission the desired audit provider.
Audit planning (kick-off): The audit service provider will agree an audit plan with you. This clarifies when and where the audit will take place, which locations are included, and which documents the auditor would like to see in advance. For Assessment Level 2, the audit may be conducted partly remotely (document review). For Level 3, expect more extensive on-site visits: the auditor will inspect your premises to satisfy themselves of the physical security and implementation.
Conducting the audit: A TISAX audit is similar in process and rigour to an ISO 27001 certification. It is often carried out in two steps: a Stage 1 (preliminary audit), which primarily reviews the documentation, and a Stage 2 (main audit), which examines the practical implementation in full detail. Depending on the size of the company, this can take one to several days. The auditor conducts interviews with key personnel (management, ISMS manager, IT manager, HR manager, etc.), reviews documents and records, and inspects critical areas. Expect spot checks, for example whether an employee complies with the clean desk policy or whether server rooms are actually locked. Importantly, be open and cooperative. If the auditor asks questions or wants to see additional evidence, provide it as promptly as possible. Minor ambiguities can often be clarified in conversation, as long as fundamental trust in your ISMS is established.
Result and report: At the end, the auditor communicates in a closing meeting whether the assessment was passed or whether deviations were found. Minor nonconformities are not unusual, for example an isolated training record is missing or a door was inadvertently left open during the walkthrough. Such points can usually be rectified within a defined deadline. For this, you prepare a corrective action plan, which the auditor will review. In the case of major findings, a follow-up audit may be necessary. Once all requirements are met, the service provider finalises the TISAX report and you receive the TISAX labels corresponding to your achieved assessment level (e.g. information security high and, where applicable, prototype protection). These results are stored on the ENX platform and can be shared with your business partners from there. Unlike ISO 27001, there is no traditional certificate to hang on the wall; instead, there is a report and an entry on the TISAX portal.
- Tip
Choose an experienced audit provider that is familiar with both ISO 27001 and TISAX. The chemistry should be right, as a collaborative audit relationship makes the process easier. Do not hesitate to ask for references in the automotive industry. Not every audit organisation is accredited for TISAX, so look for the official listing with ENX. Choosing the right certification body is crucial for an efficient audit process.
Phase 6: Aftercare and Continuous Improvement
Done: you have passed the TISAX certification (or rather the TISAX assessment). But the end of one audit is the start of the next cycle: TISAX and ISO 27001 require that information security is continuously lived and improved. This phase is about embedding the ISMS in daily operations and keeping it up to date for the future.
Implementing corrective actions: If the auditor identified deviations in Phase 5, the follow-up work comes first. Close all open items within the prescribed deadline and send the evidence to the audit service provider. Only then will you receive or retain the TISAX label. These lessons learned from the audit are valuable: they show where your system can still be optimised.
Operating the ISMS in daily life: Integrate the security processes into your daily routine. Conduct regular security audits, at least annual internal audits to verify the effectiveness of the measures. Management reviews (annual reports to top management on the status of information security) are also advisable and required under ISO 27001. Adapt your risk management continuously: new threats (e.g. new malware trends, home office scenarios) or changes in the company (new IT systems, organisational changes) must feed into the risk analysis and, where necessary, lead to new measures.
Continuing employee training: Security awareness is not a one-off exercise. Plan ongoing awareness measures, e.g. annual refresher training, phishing simulations, security newsletters. New employees must have the security culture conveyed to them directly during onboarding. Show that the topic remains a leadership priority and that successes (or indeed incidents) are communicated transparently.
Preparing for re-certification: A TISAX assessment is generally valid for three years, similar to an ISO certificate. Keep the expiry date in mind and begin preparing for re-certification at least 6-12 months before the validity expires. Since you have an established ISMS, the effort for re-certification is usually lower, provided you have maintained your system. Between main audits, surveillance audits may also take place (common annually for ISO 27001; voluntary for TISAX, though some partners may require status updates). Be prepared to demonstrate the high standard at any time.
Continuous improvement: Use the experience to proactively address weaknesses. For example, introduce regular management meetings on information security where new measures are agreed upon. Also stay technologically up to date: the automotive security landscape continues to evolve (keyword NIS2 directive for suppliers, cloud security, etc.). An ISMS should grow with the company.
- Tip
Make compliance a habit. Whoever establishes information security as an integral part of the corporate culture saves costs in the long run and minimises risks. Celebrate your certification, but above all see it as proof of trust for your customers and partners. With a lived security culture, future audits become almost routine, and your company benefits sustainably from better security standards and reputation.
Implementing a TISAX certification in a structured manner may be a challenge for SMEs in particular, but with a clear roadmap the path becomes manageable. Preparation, systematic ISMS development, consistent implementation, assessment, and continuous improvement form the steps to success. Companies that follow this path benefit not only from a label but from sustainably higher information security, strengthened customer trust, and a competitive advantage in the industry.
It is important to see the whole endeavour as a project for organisational development, not as a tiresome obligation. Invest in expertise (both internal and external), follow established standards (ISO 27001, BSI Baseline Protection), and do not shy away from accepting help from experienced partners, whether consultancies for ISMS development or recognised audit service providers for certification. With the right strategy, TISAX becomes not a hurdle but a success factor that positions your company for the future. Best of luck on your path to TISAX certification!
Frequently Asked Questions
- What is TISAX and why is it important for automotive suppliers?
- TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange standard for information security in the automotive industry. It is based on ISO 27001 and the VDA ISA catalogue and is often a prerequisite for working with OEMs such as BMW, Volkswagen, or Audi.
- Can small companies meet TISAX requirements?
- Yes, the requirements are scalable and are interpreted by auditors taking company size into account. A structured approach with clear phases, early involvement of all stakeholders, and thorough documentation is essential.
- What does a typical TISAX roadmap look like?
- The roadmap comprises six phases: preparation and gap analysis, ISMS setup with policies and physical security, implementation of the action plan, internal audit as a rehearsal, external assessment by accredited auditors, and finally aftercare with continuous improvement.
- What is examined during a TISAX Level 3 assessment?
- Level 3 applies to very high protection needs and includes comprehensive on-site audits with document review, interviews with key personnel, inspection of critical areas, and spot checks on practical implementation. The assessment resembles an ISO 27001 certification in rigour and process.
- What are the most common pitfalls in TISAX certification?
- Common pitfalls include missing or incomplete documentation, technical solutions without defined processes, low security awareness among employees, and scarce project resources. Physical security evidence such as visual protection and access controls is often underestimated.
- How long is a TISAX assessment valid?
- A TISAX assessment is typically valid for three years. Companies should begin preparing for re-certification at least 6 to 12 months before expiry and maintain the ISMS continuously in the meantime.