TISAX Recertification After 3 Years
What happens after 3 years: re-assessment process, scope changes, costs, and tips for minimizing effort.
What Happens After 3 Years?
TISAX labels have a validity of 3 years. After expiration, they are marked as expired on the ENX portal and are no longer visible to OEMs as valid. Without a valid label, you lose proof of compliance toward your automotive partners — and risk both existing and new contracts.
Recertification (re-assessment) is not an entirely new assessment but builds on the initial assessment. Nevertheless, you should take preparation seriously: The auditor checks not only whether your security level has been maintained but also whether you can demonstrate continuous improvement.
Re-Assessment vs. Initial Assessment
The re-assessment differs from the initial assessment in several ways:
| Aspect | Initial Assessment | Re-Assessment |
|---|---|---|
| Focus | Complete assessment of all objectives | Delta assessment: What has changed? |
| Duration | 2-5 days (depending on scope) | 1-3 days (typically shorter) |
| Costs | 100% | 60-70% of initial costs |
| Preparation | Building ISMS from scratch | Maintaining ISMS, delta analysis, updates |
| Auditor Focus | Is the ISMS implemented? | Is the ISMS actively maintained and improved? |
The auditor will pay particular attention to whether you have implemented improvement measures since the initial assessment, whether minor non-conformities have been resolved, and whether the ISMS is actually practiced in day-to-day operations. A stagnant ISMS without improvement can lead to problems during the re-assessment.
Scope Changes During Recertification
A lot can change in three years. Recertification is the right time to adjust the scope:
- New sites: If you have opened new sites since the initial assessment that process OEM data, these must be added to the scope
- New labels: OEMs may require new labels (e.g., Availability, available since 2023). These may require additional assessment objectives
- Scope expansion: New business areas, new OEM customers, or new data types can expand the scope
- Scope reduction: Sites closed? OEM contract ended? The scope can also be reduced, which lowers costs
Report scope changes to the audit provider and the ENX portal early. Surprises on the audit day are expensive.
Costs and Effort
Recertification typically costs 60-70% of the initial costs, since the ISMS is already in place and only changes are assessed:
- ENX registration fee (due again)
- Audit costs (typically 1-3 days instead of 2-5 days)
- Internal preparation effort (4-8 weeks instead of 3-6 months)
- Possible consulting costs for scope adjustments or VDA ISA version changes
Detailed cost breakdowns by company size are available on our TISAX costs and process page.
VDA ISA Version Changes
The VDA ISA catalog is regularly updated. If a new ISA version is released between your initial assessment and recertification, you must be assessed against the new version. This means:
- New objectives: Version changes can introduce new assessment objectives (such as the availability modules in ISA 6.x)
- Changed requirements: Existing assessment objectives can be tightened or restructured
- Transition periods: There is typically a transition period (usually 12 months) during which both versions are accepted
- Migration: Kopexa automatically updates the pre-loaded ISA catalog and shows you via cross-mapping which new requirements have been added
Continuous Improvement: Minimize Recertification Effort
The biggest mistake during recertification: doing nothing for 2.5 years and then catching up on everything in 6 months. Those who continuously work on their ISMS significantly reduce the recertification effort:
- Regular internal audits: Conduct internal audits against the VDA ISA catalog at least annually. This helps you identify gaps early and avoid unpleasant surprises during the re-assessment.
- Track maturity continuously: Kopexa enables maturity tracking per assessment objective. You can see at any time whether your security level is being maintained or whether individual objectives are falling below level 3.
- Review policies regularly: Review and update all policies at least annually. The auditor checks review dates and expects current documents.
- Conduct ongoing training: Annual security awareness training for all employees. Train new employees immediately. Document evidence comprehensively.
- Document improvements: Document every ISMS improvement — the auditor expects a demonstrable improvement history during the re-assessment.
- Proactively track version changes: Monitor VDA announcements for new ISA versions and begin migration early. This avoids time pressure during recertification.
Timeline for Recertification
- 12 months before expiration: Start planning, allocate budget, review scope changes
- 6 months before expiration: Contact audit provider and reserve a date (consider lead times)
- 3-4 months before expiration: Conduct delta analysis, address VDA ISA version changes
- 1-2 months before expiration: Update self-assessment, finalize documentation
- Audit: Conduct re-assessment, renew labels
Plan recertification so that the new label seamlessly follows the old one. A gap on the ENX portal can cause OEMs to pause the collaboration.
The complete preparation checklist is available in our TISAX checklist. Tips for optimal preparation for audit day are available on our audit preparation page.
Master recertification stress-free
Kopexa continuously tracks your maturity level per assessment objective. You can see at any time whether your ISMS is on track. During recertification, export all evidence with one click — audit-ready and without last-minute stress.