TISAX® deep dive: the three assessment levels
Depending on the TISAX assessment objectives, the TISAX regulations (TISAX manual) prescribe various assessment procedure types, the so-called assessment levels.
There are a total of 3 different assessment levels, labelled AL1, AL2 and AL3, and a special form called AL2.5.
In this CIS article series, we are focussing on the topic of TISAX® and highlighting the assessment levels. You can find a basic introduction, e.g. on the benefits and assessment, here.
Assessment Level 1 (AL 1)
Assessments at assessment level AL1 are generally only used for internal self-assessment purposes. At this level, the external auditors/assessors merely confirm that a complete self-assessment has been carried out. The content of the client’s self-assessment is not reviewed. No further evidence is required.
The results of tests with assessment level 1 have a low confidence level. Therefore, no TISAX labels can be obtained at this assessment level.
With the TISAX standard, contrary to the procedure known from the ISO standardisation world, no certificates are issued as proof of assessment, but so-called TISAX labels are issued exclusively on the TISAX platform. This means that the customer does not receive a document or print-out. The results may not be communicated outside the platform.
Assessment Level 2 (AL 2)
Assessment Level 2 audits essentially consist of a plausibility check of the self-assessment of the company to be audited, i.e. the content of the VDA ISA completed by the company and the evidence provided. The procedure is concluded at assessment level AL2 with an interview with the person responsible for information security. AL2 procedures are usually carried out remotely in the form of a web conference. If there are reasons why the customer wishes to have the assessment conducted on site, e.g. because evidence should not be provided off-site, the interview can be conducted in person on site.
Assessment level 2.5 (AL 2)
This assessment level is a special variant of the AL2 procedure. Instead of the plausibility check of the AL2 level, a complete check of all control requirements takes place at this assessment level in the form of a web conference, i.e. full-remote. In contrast to the AL3 procedure, all on-site activities are omitted in this test mode. Formally speaking, an inspection in accordance with AL2.5 is assessed as AL2.
The dependence of the assessment levels on the TISAX assessment objectives is shown in the following table (own illustration according to TISAX manual ENX / Table 5: Assignment of TISAX assessment objectives to the assessment levels):
| No. | TISAX test target | Assessment level (AL) | |||
| 1. | Info high | AL 2 | |||
| 2 | Info very high | AL 3 | |||
| 3 | Confidential | AL2 | |||
| 4. | Strictly confidential | AL 3 | |||
| 5 | High availability | AL 2 | |||
| 6 | Very high availability | AL 3 | |||
| 7. | Proto parts | AL 3 | |||
| 8 | Proto vehicles | AL 3 | |||
| 9 | Test vehicles | AL 3 | |||
| 10 | Proto event | AL 3 | |||
| 11 | Data | AL 2 | |||
| 12 | Special data | AL 3 | |||
Author
Wolfgang Glowatzki
Lead Expert Information Security | Lead Auditor TISAX AL2 and AL3 | Lead Auditor ISO 27001
You have questions or would like to find out more
CIS – Certification & Information Security Services GmbH is the number 1 in Austria when it comes to certifications in the areas of information security, business continuity or data protection. Since 2021, CIS has been authorised to carry out audits in accordance with the TISAX® standard. Thanks to a wealth of expertise gained through cooperation in the European and international market and a broad network of specialist auditors, customer and service orientation are our top priorities. Click here to go directly to TISAX® Assessment.
More news
