TISAX Checklist: 10 Steps to Your Label

Practical TISAX checklist with 10 concrete steps. From scope definition to audit and label issuance.

The path to a TISAX label can seem complex at first glance: ENX registration, VDA ISA catalog, maturity levels, audit providers, audit. This checklist breaks the process down into ten concrete steps that you work through one by one. Each step builds on the previous one, so you always know where you stand and what comes next.

Step 1: Define Scope

Before you start, you need to define the scope of your TISAX assessment: Which sites are affected? Which labels are required? The scope determines the entire effort — a scope that is too broad costs unnecessarily, while one that is too narrow risks the OEM not accepting the assessment.

Check the contracts with your OEM partners: they typically specify exactly which labels are required. Also clarify which sites fall within scope — only those where OEM data is processed, or all of them? With multiple sites, each can be assessed separately, which reduces effort per site but increases total costs.

Step 2: Determine Assessment Level

Based on the required labels and data classification, you determine the Assessment Level (AL2 or AL3). AL2 is sufficient for most suppliers with "high" confidentiality. AL3 is mandatory for prototype protection and "very high" confidentiality. When in doubt: ask the OEM. A wrong estimate and a later level change will cost you double.

Step 3: ENX Portal Registration

Register your company on the ENX Portal. There you define the scope (sites, labels, assessment level) and select an audit provider. Registration is subject to a fee — the ENX registration fee amounts to several thousand euros depending on scope and company size. After registration, you receive an assessment order that forms the basis for the further process.

Step 4: Select Audit Provider

Choose an ENX-accredited audit provider. You can find accredited providers directly on the ENX Portal. Selection criteria: experience in your industry (automotive, IT, services), availability (wait times can be 4-8 weeks), daily rates, and language skills (for international sites). Get at least two quotes and compare daily rates and estimated audit duration.

Step 5: Conduct Gap Analysis

The gap analysis is the most important preparation step. Work through the VDA ISA catalog systematically and assess your current status for each assessment objective. Document the maturity level (0-5) and identify all objectives that fall below the target maturity level 3.

Kopexa makes the gap analysis efficient: The VDA ISA catalog is preloaded, supplemented by a measures catalog with concrete implementation guidance for each assessment objective. You assess maturity levels directly in the platform and immediately receive an overview of all gaps — prioritized by criticality.

Step 6: Build or Extend Your ISMS

TISAX requires a functioning Information Security Management System (ISMS). If you are already ISO 27001 certified, you have a solid foundation — approximately 60-70% of TISAX requirements are already covered. Without an existing ISMS, you need to build one: security policy, risk analysis, control measures, and continuous improvement. Kopexa provides templates that you can use as a starting point.

Step 7: Create Policies and Guidelines

Create or update the policies required by the VDA ISA: information security policy, access control policy, password policy, backup policy, incident response plan, change management process, data protection policy, and supplier evaluation process. Each policy must be approved by management and communicated to employees. Kopexa provides templates for all relevant policies that you can adapt to your organizational reality.

Step 8: Conduct Training

Plan a security awareness program for all employees with access to sensitive information. Topics: handling confidential data, phishing recognition, password security, clean desk policy, reporting channels for security incidents. For prototype protection: additional training on handling prototypes, photography bans, and NDA requirements. Document all training sessions with attendance lists and content — the auditor requires this evidence.

Step 9: Perform Self-Assessment

Work through the VDA ISA catalog completely and document for each assessment objective: the achieved maturity level, the associated evidence, the responsible person, and any planned improvement measures. The self-assessment is simultaneously your audit preparation — the auditor works through the same catalog and verifies your assessments. With Kopexa, you complete the self-assessment directly in the platform, including evidence upload and maturity tracking.

Step 10: Audit and Label Issuance

The auditor conducts the assessment — remotely for AL2, on-site for AL3. The process: opening meeting, document review, interviews, physical inspection if applicable, sampling, and closing meeting. If you pass: your TISAX label is published on the ENX Portal and is visible to all participating OEMs. Validity: 3 years. In case of non-conformities: remediation period (typically 3-9 months), followed by a re-audit. Detailed tips can be found on our audit preparation page.

Typical Timeline

| Step | Duration (with ISO 27001) | Duration (without ISMS) |
| --- | --- | --- |
| Scope & Level (1-2) | 1 week | 1-2 weeks |
| Registration & Auditor (3-4) | 1-2 weeks | 1-2 weeks |
| Gap Analysis (5) | 1-2 weeks | 2-4 weeks |
| ISMS & Policies (6-7) | 2-4 weeks | 6-12 weeks |
| Training & Self-Assessment (8-9) | 2-3 weeks | 3-6 weeks |
| Audit (10) | 2-5 days | 2-5 days |
| Total | 6-10 weeks | 3-6 months |

Detailed cost information for each step can be found on our TISAX Costs and Process page.

Ready for the first step?

With Kopexa you can start the gap analysis immediately — the VDA ISA catalog is preloaded, and the measures catalog shows you concrete implementation steps for each assessment objective. Save weeks of manual preparation work.
