
How to Get Executive Buy-In for TISAX® in One Day

Last week, a Quality Manager at a mid-sized automotive supplier sent me an email. Her customer had mandated TISAX® certification within six months. She had been given the task. No budget. No resources. Just an expectation that she would "handle it."

This scenario repeats itself dozens of times every week across North America and Europe.

Someone in procurement, quality, or IT gets assigned TISAX®. They research what it requires. They realize this is not a checkbox. And then they face the real challenge: convincing executive leadership that TISAX® is a $75K-$250K governance program requiring 9-15 months of cross-functional effort.

That conversation determines whether the organization succeeds or fails.

If you secure adequate budget and commitment, implementation is manageable. If you don't, you spend 12 months fighting for resources before ultimately failing the assessment or losing the customer contract.

This article explains why that executive briefing matters, what most people get wrong, and how to approach it properly.


Why Most Executive Briefings Fail

Organizations fail TISAX® assessments long before an auditor arrives. They fail during the executive briefing when they secure the wrong level of commitment.

Three failure patterns repeat consistently:


1. The Underestimate

The project lead presents TISAX® as "like ISO 27001 but for automotive." They estimate a $30K budget and six months. Executives approve. The organization begins implementation and discovers halfway through that data protection requires 12 additional controls, prototype protection needs facility upgrades, and an AL3 assessment means on-site interviews across six departments.

By the time they realize the gap, the deadline has passed.


2. The Overestimate

The project lead researches thoroughly. They present a detailed 18-month implementation plan with a $300K budget. Executives reject it as disproportionate to the value of the customer relationship. The project is shelved. Six months later, the customer terminates the contract for non-compliance.


3. The Misframe

The project lead presents TISAX® as an IT security initiative. IT gets budget. But TISAX® requires HR (background checks, NDAs, training), Facilities (physical security, visitor management), Procurement (supplier agreements), and executive oversight (management review, risk acceptance). Without cross-functional commitment, implementation stalls. Controls exist on paper but not in practice. The audit reveals the gap.

All three patterns originate from the same mistake: the executive briefing did not establish accurate expectations.


What Executives Actually Need to Know

Your executive team does not need to understand VDA ISA control catalogs, maturity level definitions, or Assessment Objective structures. They need to understand five things:


1. What TISAX® Is

TISAX® is not a certification. It is an assessment that verifies your organization operates a mature information security management system. The assessment produces a label shared with customers through a controlled exchange platform. The label is valid for three years but requires continuous governance maintenance.

This one-paragraph explanation prevents the most common misconception: that TISAX® is a one-time project producing a certificate.


2. Why It Matters

Without TISAX®, you cannot receive confidential customer data. That means you cannot participate in new vehicle programs. You cannot bid on new contracts. Existing contracts may include compliance deadlines that trigger termination clauses.

Frame this in revenue terms. If the customer relationship generates $5M annually and TISAX® costs $150K, the return on investment is immediate and obvious.


3. What It Requires

TISAX® requires governance across six departments: Executive leadership, IT, HR, Facilities, Procurement, and Risk Management. Each department has specific obligations that cannot be delegated to a single security team.

Present this as a governance program, not an IT project. Use a simple table showing which departments are responsible for which controls. This prevents the misframe failure pattern.


4. What It Costs

Typical implementations cost $75K-$250K depending on organization size, current maturity, and scope. This includes external consulting (optional but reduces timeline), audit provider fees, technology investments, and internal staff time.

Present a range, not a single number. Explain what drives costs up or down. Reference the organizational readiness assessment to position your estimate within that range.


5. What the Timeline Is

Implementations take 9-15 months from project start to label issuance. This timeline cannot be compressed below 6 months even with external support because evidence accumulation requires controls to operate for 3-6 months before assessment.

If the customer deadline is six months away, that conversation needs to happen immediately. Waiting another month makes the deadline unachievable.


The Two-Meeting Approach

Most people try to accomplish executive buy-in in a single meeting. This rarely works for budgets above $50K. Executives need time to process the information, discuss implications, and align with other strategic priorities.

The two-meeting approach is more effective:


Meeting 1: Information and Assessment (15-30 minutes)

Goal: Establish accurate understanding of what TISAX® requires and preliminary budget estimate.

Format: Executive One-Pager or quick verbal briefing.

Outcome: Executive team understands scope and agrees to formal budget presentation in 1-2 weeks.

This meeting establishes that TISAX® is a serious governance investment, not a routine procurement item. It gives executives time to research independently, discuss internally, and prepare questions.


Meeting 2: Budget Approval (45-60 minutes)

Goal: Secure budget allocation and executive sponsor assignment.

Format: Formal presentation with slides, budget breakdown, timeline, and risk analysis.

Outcome: Approved budget, assigned executive sponsor, and authorization to begin implementation.

This meeting addresses objections systematically. Use the FAQ document to prepare for common questions: Can we do this internally? Can we reduce the budget? Can we accelerate the timeline? Why can't ISO 27001 certification suffice?


Common Objections and How to Address Them


During the budget approval meeting, expect these questions:

"Can't we do this internally without consultants?"

Answer: Yes, technically. But internal-only implementations take 15-18 months instead of 9-15, and first-time assessment failure rates are significantly higher. External advisory support compresses the learning curve and reduces risk. The external costs are offset by faster time-to-label and higher first-pass success rates.

"We already have ISO 27001. Isn't that enough?"

Answer: No. ISO 27001 verifies that an ISMS exists and is documented. TISAX® verifies that the ISMS operates at maturity level 3. Additionally, TISAX® includes automotive-specific controls for prototype protection and expanded data protection requirements that have no ISO equivalent. However, an existing ISO 27001 certification reduces preparation time by 30-40%.

"Can we accelerate this to 3-6 months?"

Answer: Only if you already have a mature ISMS operating at Level 3. Evidence accumulation cannot be compressed. AL3 assessments require 3-6 months of operational records proving that controls work in practice. Controls that have operated for only 4-6 weeks produce thin evidence that auditors flag as insufficient. If the customer deadline is unrealistic, that conversation needs to happen now, not six months from now when you fail the assessment.


What Happens After Approval

Once you secure budget approval and executive sponsorship, the real work begins:

•       Detailed gap analysis against all applicable ISA 6 controls

•       ISMS documentation development (policies, procedures, templates)

•       Control implementation across all departments

•       Evidence accumulation over 3-6 months

•       Internal audit to verify maturity levels

•       External assessment by ENX-accredited audit provider

But without that initial executive buy-in, none of this happens. The project stalls in planning. The deadline passes. The customer relationship is damaged or lost.


A Practical Solution

I wrote this article because I see this pattern repeatedly: capable organizations failing TISAX® not because they lack technical skills, but because they approach the executive briefing unprepared.

Most people assigned TISAX® are not communication specialists. They are technical professionals — quality managers, IT leads, compliance officers — who suddenly need to brief C-level executives on governance investment.

Building that briefing from scratch is time-consuming and risky. You research TISAX® requirements, estimate costs, structure arguments, anticipate objections, and prepare presentation materials. This takes 20-30 hours of work before you even schedule the meeting.

I built the TISAX® Starter Kit to solve this problem.


What the Starter Kit Includes

Seven professional documents designed to compress executive briefing preparation from weeks to hours:

•       Executive One-Pager: 2-page quick briefing for 15-minute meetings

•       TISAX Explained: 6-page comprehensive foundation guide covering Assessment Objectives, maturity model, and labels

•       PowerPoint Briefing Script: 15-slide presentation with complete speaker notes

•       FAQ Document: Addresses 9 common executive objections with detailed responses

•       Budget Calculator: Excel tool with automatic formulas calculating external and internal costs

•       Organizational Impact Workbook: Excel assessment covering 6 functional areas with automatic readiness scoring

•       README Guide: Step-by-step usage instructions organized by role and timeline

These materials are based on real executive briefings I have delivered or advised on for organizations ranging from 50-employee suppliers to global Tier-1 manufacturers.

How to Use It

Day 1 (1-2 hours): Read TISAX Explained. Complete the Organizational Impact Workbook. Use the Budget Calculator to generate cost estimates.

Day 2 (2-4 hours): Customize the Executive One-Pager or PowerPoint Briefing Script with your organization's specifics. Review the FAQ to prepare for objection handling.

Day 3: Present to executives. Secure budget approval.

The kit does not replace executive commitment or governance discipline. It provides the communication framework that helps you secure both.


Final Thoughts

TISAX® implementation is a 9-15 month governance program. But success or failure is often determined in the first week — during the executive briefing that establishes expectations, secures resources, and assigns accountability.

Get that briefing right, and implementation becomes a structured project with adequate support. Get it wrong, and you spend 12 months fighting for resources before failing the assessment or losing the customer.

If you are preparing that briefing now, invest the time to do it properly. The alternative is far more expensive.

→ Get the TISAX® Starter Kit at tisax-made-easier.web.app/starter-kit


About the Author

Michael Kirsch is an information security strategist with over 20 years of experience in the automotive and technology sectors. He serves as Managing Director at MLYK Consulting, Expert Advisor to the European Commission, and TISAX® Trainer at TÜV SÜD Academy.

Author of TISAX® Made Easier (2026), Michael has advised suppliers and OEMs across North America and Europe on building audit-ready, strategically aligned security management systems under VDA ISA 6.


Contact: contact@mlyk.com | www.mlyk.com | LinkedIn: Michael Kirsch