TISAX AL2 / AL3 Automation

TISAX Assessment Level 2, achieved with zero non-conformities.

CISGuard automates the technical Annex A controls that TISAX assessors validate, generating the continuous evidence VDA ISA requires for AL2 and AL3 certification.

Germany / European Automotive | Automotive (OEMs, Tier-1, Tier-2 suppliers)

Quick Facts

TISAX at a glance, for fast retrieval.

Atomic factual claims auditors and search engines can cite verbatim.

  • Source standard: VDA ISA (Information Security Assessment)
  • Underlying framework: ISO/IEC 27001 ISMS
  • Assessment levels: AL1 (self) / AL2 (remote) / AL3 (on-site)
  • OEM requirement: AL2 standard; AL3 for high-confidentiality data
  • Assessment cycle: Every 3 years; surveillance review annually
  • Customer outcome: AL2 achievable from 23 non-conformities to zero

Overview

What is TISAX?

TISAX (Trusted Information Security Assessment Exchange) is the German automotive industry's shared assessment framework, governed by the German Association of the Automotive Industry (VDA) and operated by ENX Association. TISAX assessments validate information security maturity using the VDA ISA (Information Security Assessment) questionnaire, which derives from ISO 27001 ISMS. Assessment Levels are AL1 (self-assessment), AL2 (remote audit with evidence review), and AL3 (on-site audit for high-confidentiality data). OEMs (Volkswagen, BMW, Mercedes-Benz, Stellantis, Bosch) require TISAX certification (typically AL2) from their Tier-1 and Tier-2 suppliers. Failure to achieve TISAX threatens contract renewal.

Control Mapping

VDA ISA controls CISGuard automates.

Each CIS control is tagged with its corresponding framework reference. A single scan produces per-framework coverage reports.

  • Section 1: Information Security Policies (ISO A.5)
    Controls: A.5.10, A.5.15, A.5.16, A.5.17
    Mapped by: CIS access control + asset management benchmarks
  • Section 6: System and Application Security (ISO A.8)
    Controls: A.8.2, A.8.5, A.8.7, A.8.8, A.8.9, A.8.20
    Mapped by: Full CIS benchmark scanning + drift detection
  • Section 7: Cryptography (ISO A.8.24)
    Controls: A.8.24
    Mapped by: CIS Cryptography benchmarks
  • Section 8: Operations (ISO A.8.15, A.8.16)
    Controls: A.8.15, A.8.16, A.8.28
    Mapped by: CIS Audit Policy + Logging benchmarks
  • Section 9: Communications Security (ISO A.8.20)
    Controls: A.8.20, A.8.21, A.8.22
    Mapped by: CIS Network Security benchmarks

How It Works

How CISGuard automates TISAX evidence.

TISAX assessors validate the VDA ISA questionnaire against evidence of operating ISO 27001 ISMS controls. The technical controls in Sections 6-9 are configuration-based and are most often the source of audit non-conformities. CISGuard automates these through continuous CIS benchmark scanning and provides the operational evidence assessors expect for AL2 and AL3 assessments. A Tier-1 automotive supplier in Stuttgart used CISGuard to move from 23 TISAX non-conformities to zero, achieving AL2 within their OEM's contractually required 6-month window and retaining contracts with Volkswagen, BMW, and Daimler.

Auditor Evidence

Evidence artifacts CISGuard generates.

Auditor-grade outputs in PDF/CSV. No spreadsheets, no screenshots, no manual cross-referencing.

  • TISAX Framework Coverage Report mapping CIS controls to VDA ISA questionnaire sections
  • ISO 27001 Annex A control satisfaction evidence (the underlying framework)
  • Continuous monitoring posture across all manufacturing facility endpoints
  • Per-site multi-tenant dashboards (Munich, Stuttgart, Bavaria, Saxony, etc.)
  • German-language executive reports for VDA submission
  • Exception register for documented manufacturing-system deviations

Customer case study

German Tier-1 Automotive: 23 Non-Conformities to Zero TISAX AL2

Frequently Asked

TISAX questions, answered directly.

How does CISGuard help achieve TISAX Assessment Level 2 (AL2)?

AL2 requires evidence of operating ISO 27001 ISMS controls reviewed remotely by an assessor. CISGuard automates the technical Annex A controls in VDA ISA Sections 6-9 and provides the continuous evidence assessors validate. A Tier-1 automotive supplier moved from 23 non-conformities to zero AL2 non-conformities using CISGuard within a 6-month OEM-mandated window.

Does CISGuard support TISAX AL3 (high-confidentiality)?

Yes. AL3 adds on-site audit and stricter evidence requirements for high-confidentiality data (e.g., prototype vehicle designs, IP). CISGuard's air-gapped deployment option supports AL3 environments where development networks are isolated. The evidence depth (per-asset hardening with timestamps) exceeds AL3 documentation requirements.

Can CISGuard be deployed across multiple manufacturing sites with isolated networks?

Yes. Multi-site deployment uses a central server with regional relay agents for sites with limited WAN bandwidth or air-gapped requirements. Each facility's scan data can be isolated for jurisdictional purposes, while the group CISO retains a consolidated dashboard. Per-facility dashboards support plant-manager scoping.

Does CISGuard produce German-language reports for VDA?

CISGuard's primary report language is English (the operational language of most TISAX assessors). For executive-level VDA submissions requiring German, customers typically use CSV exports as source data for German-language summaries. The technical evidence (control IDs, configurations) is accepted in English.

Will my contracted OEM accept CISGuard evidence for TISAX surveillance audits?

Yes. TISAX surveillance reviews (between full 3-year assessments) increasingly require continuous evidence rather than annual snapshots. CISGuard's posture trend across the audit period satisfies this. OEMs validate compliance through the ENX TISAX exchange portal; CISGuard evidence enters as part of the supplier's ISMS documentation.