TISAX Audit Preparation

TISAX audit process step by step. Common mistakes, major vs. minor deviations, and tips for audit day.

The TISAX Audit Process Step by Step

The TISAX audit follows a structured process in three phases. Each phase has clear objectives and expectations. Knowing the process allows you to prepare specifically and avoid common mistakes.

Phase 1: Document Review (Pre-Audit)

The auditor receives your self-assessment results and associated documentation in advance. They review: policies, guidelines, process descriptions, organization charts, risk analyses, training records and other evidence documents. This phase takes place before the actual audit and typically lasts 1-2 days on the auditor's side. Gaps in documentation are identified upfront.

Tip: Provide the auditor with the documents at least 2 weeks before the audit date. This gives them enough time for the document review and allows them to prepare targeted questions.

Phase 2: Interviews and Inspection

This is the core of the audit. The auditor conducts interviews with responsible persons from various departments: CISO/ISB, IT management, HR, facility management, and business units. They ask questions about the assessment objectives in the VDA ISA catalog and verify whether documented processes are actually practiced.

For AL3 assessments, a physical inspection is added: the auditor visits server rooms, checks access controls, inspects security zones, tests visitor management processes, and takes technical samples (e.g., firewall rules, permissions, patch status). The inspection typically takes half a day to a full day.

Phase 3: Results Report

After completing the audit, the auditor prepares a results report with the assessment of each objective (maturity level 0-5) and an overall evaluation. Possible outcomes:

  • Passed: All mandatory requirements achieve at least maturity level 3. Labels are published on the ENX Portal.
  • Passed with minor non-conformities: Optional requirements have gaps. Labels are still issued, but the deviations are documented.
  • Failed (major non-conformities): Mandatory requirements fall below maturity level 3. Remediation period of typically 3-9 months, followed by a re-audit.

Remote vs. On-Site: AL2 and AL3 Compared

Aspect               | AL2 (Remote)                                    | AL3 (On-site)
Execution            | Video conference (Teams, Zoom, etc.)            | On-site at your location
Document review      | Screen sharing and file upload                  | Screen sharing and on-site inspection
Physical inspection  | Not applicable (photos and videos as evidence)  | Yes — server rooms, access systems, security zones
Technical sampling   | Limited (screenshots, reports)                  | Extended (live system access)
Duration             | 2-3 days                                        | 3-5 days

The 5 Most Common Audit Preparation Mistakes

Mistake 1: Documentation created just before the audit

The auditor immediately recognizes whether policies and process descriptions are "fresh." Documents without version history, without a review date, and without evidence of communication to employees signal that the documentation was created solely for the audit. This is not sufficient for maturity level 3. Create policies at least 3-6 months before the audit and practice them demonstrably.

Mistake 2: Interview partners not prepared

The auditor speaks not only with the CISO but also with IT admins, facility managers, HR staff, and business units. If they do not know which policies exist or how the incident response process works, it creates a damaging impression. Brief every interview candidate in advance: What questions might come up? Where can they find the relevant documents?

Mistake 3: Evidence not readily available

When the auditor asks about the last backup restore test and you spend 20 minutes searching, that is not a good sign. All evidence should be structured and immediately accessible: training records, audit logs, change tickets, patch reports, risk analyses, review minutes. A GRC tool like Kopexa makes evidence available at the click of a button.

Mistake 4: Physical security underestimated (AL3)

In AL3 audits, the physical inspection often becomes a stumbling block: defective access systems, poorly maintained visitor logs, open server room doors, missing signage for security zones, or unsecured removable media. Conduct an internal walkthrough before the audit and critically review all physical security measures.

Mistake 5: Self-assessment too optimistic

Many organizations rate themselves too positively in the self-assessment. If you rate yourself at maturity level 3 for an assessment objective but the auditor only sees level 1, a large discrepancy arises that costs trust. Be honest and conservative in the self-assessment. It is better to identify and close gaps upfront than to have them exposed during the audit.

Remediation for Deviations

Not every audit is passed on the first attempt. The auditor distinguishes between two types of deviations:

Major non-conformity: A mandatory requirement does not reach maturity level 3. The assessment is considered failed. You receive a remediation period of typically 3-9 months in which you must resolve the deviation. A re-audit then follows, covering only the affected assessment objectives.

Minor non-conformity: An optional requirement does not reach maturity level 3. The assessment can still be considered passed. The deviation is documented and should be resolved by the next recertification.

Tips for Audit Day

  • Prepare the room: for on-site audits, provide a quiet meeting room with a projector, Wi-Fi, and access to all relevant systems.
  • Name a contact person: A central audit coordinator who guides the auditor through the day, coordinates interview partners, and provides evidence.
  • Answer honestly: Auditors recognize evasion. If something is missing, say so openly and show that you have a plan to address it.
  • Show evidence, don't just describe it: "We do regular backups" is not enough. Show the backup plan, the latest logs, and the last restore test.
  • Take notes: Document the auditor's questions and comments. This helps with remediation and the next recertification.
  • Stay calm: An audit is not a school exam. The auditor is not an adversary but a professional colleague assessing maturity. Cooperative behavior is evaluated positively.

The complete preparation checklist can be found in our TISAX Checklist. Information about costs and timeline is available on our Costs and Process page.

Audit-ready in weeks, not months

Kopexa bundles the ISA catalog, evidence management, and maturity tracking in one platform. Go into your audit with complete documentation and a clear overview.