TISAX Maturity Model: Levels 0-5

The 6 maturity levels in TISAX assessments: what auditors expect at each level and how to reach Level 3.

The TISAX Maturity Model Explained

The maturity model is the central evaluation instrument in the TISAX assessment. For each assessment objective in the VDA ISA Catalog, a maturity level from 0 to 5 is determined. This maturity level reflects how systematically and sustainably a security process is implemented — not whether it exists, but how well it is practiced.

The target level for a successful TISAX assessment is Maturity Level 3 ("Established") for all relevant mandatory requirements. This means: the process is not only in place and documented, but standardized, measured, and integrated into the organizational structure.

The 6 Maturity Levels

Level 0: Incomplete

The process is not present or not implemented. There are no recognizable approaches to fulfilling the requirement. Example: No incident management process defined, no password policy in place, no backup strategy documented. Level 0 on a mandatory requirement is an immediate knockout criterion in the assessment.

Level 1: Performed

The process exists but is carried out ad-hoc and without documentation. Security measures are implemented but not systematically. Responsibilities are unclear, results are not traceable. Example: Backups are performed but without a documented plan, without regular restore tests, and without a designated responsible person.

Level 2: Managed

The process is documented and carried out regularly. There is a written policy, defined responsibilities, and demonstrable implementation. However, the process is not yet standardized and may be practiced differently across departments. Example: Backup policy exists, backups are performed regularly, but restore tests are missing or not documented.

Level 3: Established — the TISAX Target Level

The process is standardized, measured, and continuously improved. It applies uniformly across the organization, is regularly reviewed, and the results feed into improvement measures. There are defined KPIs, regular reviews, and a demonstrable improvement history. Example: Backup policy is uniform company-wide, regular restore tests are documented, results are evaluated, and corrective actions are derived from deviations.

Level 3 is the target. At this maturity level, the auditor expects: documented processes, defined responsibilities, demonstrable implementation, regular reviews, measurable KPIs, and an improvement history. "We do it that way" is not enough — it must be verifiable.

Level 4: Predictable

The process is quantitatively controlled. Detailed metrics enable predictions about process performance. Deviations are statistically analyzed. Example: Backup success rate is measured monthly, trends are analyzed, predictive measures are initiated when trends turn negative. Level 4 is rarely required in TISAX assessments but demonstrates the highest professionalism.

Level 5: Optimizing

The process is continuously optimized. Innovation and best-practice benchmarks are systematically incorporated. The process is proactively developed further, not just reactively improved. Level 5 is rare in practice and is not required by any TISAX assessment — it is the theoretical optimum.

What the Auditor Expects at Each Level

| Level | Name | What the auditor wants to see | Typical gaps |
|---|---|---|---|
| 0 | Incomplete | - | Process completely missing |
| 1 | Performed | Activity recognizable, ad-hoc implementation | No documentation, no defined responsibilities |
| 2 | Managed | Documented policy, regular execution, named responsible person | No review process, no KPIs, no improvement history |
| 3 | Established | Standardized process, KPIs, reviews, improvement history, consistent company-wide | Missing evidence, inconsistent implementation |
| 4 | Predictable | Quantitative metrics, statistical analysis, predictive control | - |
| 5 | Optimizing | Proactive optimization, innovation, benchmarking | - |

The Typical Gap: From Level 2 to Level 3

Most organizations find themselves at Level 1 to 2 during their initial gap analysis. Processes exist, are partially documented, but are not systematically managed. The jump from Level 2 to Level 3 is the central challenge in TISAX preparation.

What is typically missing at Level 2:

  • Regular reviews: Policies exist but are not reviewed and updated annually
  • KPIs and metrics: Processes run but there is no measurement of whether they deliver the desired results
  • Improvement history: There is no documented trail of "identified → analyzed → improved"
  • Company-wide consistency: IT follows the policy, but other departments do things differently
  • Demonstrable implementation: "We do it that way" instead of "Here is the evidence that we did it"

Practice Example: Patch Management

Level 1: Patches are installed when the admin has time. No plan, no prioritization, no tracking.

Level 2: There is a patch policy with defined timeframes (e.g., critical patches within 72 hours). An admin is responsible. Patches are installed regularly, but there is no reporting and no exception handling process.

Level 3: Patch policy applies company-wide. Monthly patch reporting to management. Exceptions are documented and approved. Patch compliance rate is measured (KPI: 95% within defined timeframes). Deviations are analyzed and improvement measures are derived. Annual review of the patch policy.

How to Reach Maturity Level 3

The path from Level 2 to Level 3 follows a clear pattern for each assessment objective:

  • Standardize: Create a uniform, company-wide policy
  • Measure: Define KPIs and collect them regularly
  • Review: Check the effectiveness of the measure at least annually
  • Improve: Derive and implement improvement measures from reviews and measurements
  • Document: Record everything — the auditor needs to see it in black and white

Kopexa supports this process through maturity tracking per assessment objective. You can see at any time which assessment objectives already reach Level 3 and where action is still needed. Combined with the preloaded measures catalog and templates, you get a clear roadmap for audit preparation.

Maturity tracking instead of gut feeling

Kopexa shows you the current maturity level and the gap to the target level for every ISA assessment objective. So you always know where you stand and what still needs to be done.
