TISAX Requirements per VDA ISA

All TISAX requirements per VDA ISA: information security, prototype protection, data protection, and more.

TISAX Requirements: What Gets Audited?

TISAX requirements are based on the VDA ISA questionnaire (Information Security Assessment), currently in version 6.x. The catalog is structured into nine chapters covering all relevant areas of information security — from IT security and physical security to compliance and data protection.

Each chapter contains audit objectives with specific questions that you must answer in the self-assessment and demonstrate during the audit. For each audit objective, a maturity level from 0 to 5 is determined. For a successful assessment, you must achieve at least maturity level 3 ("Established") for all relevant audit objectives.

The 9 Chapters of the VDA ISA at a Glance

Chapter 1: Information Security Policies

This chapter assesses whether you have a documented information security policy that is approved and communicated by management. The auditor expects a clear security strategy, defined responsibilities, regular policy reviews, and demonstrable communication to all employees. Without a solid policy foundation, there is no basis for all subsequent chapters.

Chapter 2: Organization of Information Security

This chapter focuses on the organizational embedding of information security. It assesses the organizational structure (Who is responsible?), management involvement, collaboration with external partners, and segregation of duties. The auditor wants to see that information security is not a side topic but is anchored in the organizational structure.

Chapter 3: HR Security (Personnel Security)

Personnel security covers measures before, during, and after employment. It assesses background checks, confidentiality agreements, training programs, and the processes that apply when employees leave (revocation of access rights, return of work equipment). Particularly important: demonstrable security awareness training for all employees with access to sensitive information.

Chapter 4: Physical Security

Physical security is especially critical in AL3 assessments, as an on-site inspection takes place. It assesses access controls (card systems, locks, airlocks), visitor management, security zones, protection of server rooms, camera surveillance, and handling of removable media. For prototype protection, additional requirements apply for restricted zones and visual shielding.

Chapter 5: Access Control and Cryptography

This chapter assesses logical access control to IT systems and data. It covers authorization concepts (need-to-know principle), password policies, multi-factor authentication, privileged access management, and regular access reviews. In the area of cryptography, encryption standards (at rest and in transit), key management, and certificate management are assessed.

Chapter 6: Operations Security

Operations Security covers technical operations: change management, capacity planning, malware protection, backup strategies, logging and monitoring, vulnerability management, and patch management. The auditor verifies that documented processes exist and are demonstrably implemented. A particularly common stumbling block: missing or incomplete patch management.

Chapter 7: Incident Management

This chapter assesses whether a documented incident response process exists: detection, reporting, analysis, remediation, and lessons learned. The auditor expects defined escalation paths, responsibilities, reporting templates, and evidence of conducted exercises or actual incidents. Without a demonstrable incident management process, achieving maturity level 3 is nearly impossible.

Chapter 8: Business Continuity Management (BCM)

BCM assesses emergency preparedness: business impact analyses, emergency plans, recovery procedures (disaster recovery), defined RTO/RPO values, and regular emergency exercises. This chapter is especially relevant for the availability labels introduced in 2023, but it is mandatory for all other labels as well.

Chapter 9: Compliance

The compliance chapter assesses adherence to legal and contractual requirements: data protection (GDPR compliance), copyright, regulatory requirements, license management, and regular compliance verification through internal audits. Here, TISAX overlaps significantly with ISO 27001 and GDPR requirements.

Audit Depth per Assessment Level

The content requirements are identical for AL2 and AL3 — the VDA ISA catalog does not differentiate by assessment level. The difference lies in the audit depth:

  • AL2 (Remote): The auditor reviews documentation and conducts interviews. Physical security measures are evaluated based on documents, photos, and screen sharing. Spot checks are limited.
  • AL3 (On-Site): The auditor reviews everything as in AL2, but additionally conducts a physical inspection, performs technical spot checks (e.g., firewall configurations, permissions), verifies access controls in person, and evaluates the physical implementation of security measures.

For a detailed examination of the questionnaire, including the differences between MUST and SHOULD requirements, read our page on the VDA ISA Catalog.

How to Prepare Systematically

The nine chapters can feel overwhelming — especially for organizations that do not yet have an ISMS. A structured approach helps:

  • Define scope: Which locations, which labels, which assessment level?
  • Gap analysis: Go through each ISA section and document the current state. Kopexa provides a preloaded controls catalog that immediately shows you where you stand.
  • Prioritize: MUST requirements first, then SHOULD requirements. Gaps with the largest maturity level delta have the highest priority.
  • Implement and provide evidence: Implement measures and document them thoroughly. Without evidence, there is no recognition in the audit.

The complete step-by-step guide can be found in our TISAX Checklist.

Want to know where your organization stands?

Kopexa includes the complete VDA ISA catalog with a controls catalog and templates — ready to use immediately. Start your gap analysis today and identify areas requiring action within minutes.
