Why 60% of Organizations Fail Their First TISAX® Assessment (And How to Make Sure You Don't)

Last month, a $500 million automotive supplier failed their TISAX® assessment. They had spent six months preparing. They had hired consultants. They had all the documentation their audit provider requested. Their policies were ISO 27001-certified. Their CISO was confident.


They failed anyway.


When I asked their CISO what went wrong, he said something I hear constantly: "We had everything they asked for. I don't understand why we didn't pass."

Here's the uncomfortable truth: They had documentation. They didn't have maturity.

And that distinction explains why approximately 60% of organizations fail their first TISAX® assessment—not because they lack knowledge, but because they fundamentally misunderstand what TISAX® actually evaluates.


The Documentation Trap

Most organizations approach TISAX® the same way they approach ISO 27001 certification: write policies, create procedures, document controls, pass the audit.

This works for ISO 27001 because ISO certification validates that you have established an Information Security Management System. The standard asks: "Do you have policies? Are they documented? Are they approved?"

TISAX® asks different questions: "Are those policies implemented? Do your employees follow them? Can you prove operational effectiveness over time? Does your ISMS function independently of individual people?"

This is the maturity model difference. And it's where most organizations stumble.


The Real Reasons Organizations Fail

After working with hundreds of suppliers through TISAX® assessments, I've identified five recurring failure patterns. If you recognize any of these in your organization, consider them red flags.


1. Treating TISAX® as an IT Project

The most common mistake I see is when executive leadership delegates TISAX® to the IT department and expects them to "handle it."


Why this fails: TISAX® is a management system assessment, not a technical audit. It evaluates governance, not just technology. When IT leads without executive sponsorship, they lack the authority to enforce cross-departmental process changes, implement meaningful HR security controls, or ensure physical security measures are operationally embedded.


What auditors see: Policies that exist on paper but aren't enforced. Employees who don't know the procedures. Processes that function only when specific people are present.


Maturity level achieved: 1 (Performed) or 2 (Managed) at best. The target is 3 (Established).


2. Confusing Documentation with Implementation

I recently reviewed a supplier's ISMS documentation. It was impressive: 200+ pages of policies, detailed procedures, control matrices, risk assessments. Everything was beautifully formatted and properly approved.

During the AL3 on-site audit, the auditor asked three employees in different departments: "How do you classify information when you receive it from customers?"

All three gave different answers. None matched the documented procedure.


Why this fails: Having a policy doesn't mean the organization operates according to that policy. TISAX® assessments, particularly at AL3, validate operational reality through interviews, observations, and evidence sampling.


What auditors see: A gap between what's written and what's practiced. This is an immediate red flag for maturity level assessment.


The fix: Operationalize before you document. If your process isn't already happening, writing it down doesn't make it real.


3. Misunderstanding Maturity Level 3

Many organizations think maturity level 3 means "we do this consistently." That's incomplete.

Maturity level 3 (Established) means:

  • The process is defined and documented
  • The process is consistently performed across the organization
  • The process is managed within the overall ISMS framework
  • The process produces repeatable results
  • The process is sustained through monitoring and continuous improvement
  • The process functions independently of specific individuals

That last point is critical. If your backup process only works when your IT manager is present, you haven't achieved level 3. If access reviews happen only when your compliance officer remembers, you haven't achieved level 3.


Why this fails: Organizations demonstrate procedures during audits but can't show sustained evidence over time.


What auditors look for: Logs spanning 6-12 months. Multiple instances of process execution. Evidence that the process continues regardless of personnel changes.


4. Improper Scope Definition

Scope problems manifest in two ways:


Too narrow: A supplier scoped only their R&D department because that's where they handle OEM data. The auditor discovered that HR also processes personal data of R&D employees and that the facilities department manages physical security for the R&D building. Both departments were out of scope and therefore not assessed. The customer rejected the label.


Too broad: A supplier included all global sites in one assessment to "get it over with." Different locations had different maturity levels. The assessment took three weeks, identified 47 non-conformities, and failed.


Why this fails: TISAX® labels are location-based and scope-specific. Each scope must be complete, meaningful, and aligned with customer expectations.


The fix: Start with customer requirements. What data do you handle for them? Where is it processed? Who has access? Scope to that reality, not to organizational convenience.


5. Audit Preparation Theater


This is the most frustrating pattern I encounter: organizations that mobilize only during the two weeks before an audit.

They conduct a "documentation review week." They have emergency meetings. They brief employees on "what to say to auditors." They generate evidence logs retroactively. They treat the assessment like an exam they can cram for.


Why this fails: AL3 assessments involve unplanned interviews. Auditors can talk to anyone, at any time. If your security awareness only extends to the people in the audit briefing, this becomes immediately obvious.


What auditors detect: Recent log entries. Employees who give rehearsed answers but can't explain actual practice. Documentation creation timestamps that cluster around the audit date.


The reality: Governance maturity can't be faked. Either your ISMS operates daily, or it doesn't.


Red Flags During Preparation

If you see these warning signs during TISAX® preparation, address them immediately:


🚩 "We'll update the ISMS documentation after the audit" – This is backward. If your practices aren't documented and operational now, you're not ready for assessment.


🚩 "Only the compliance team knows how to answer audit questions" – This indicates the ISMS isn't operationally embedded. Employees should know security procedures because they use them daily, not because they were briefed.


🚩 "We need to generate evidence logs" – Evidence should exist because processes execute routinely. If you're creating evidence specifically for the audit, you don't have maturity level 3.


🚩 "IT will handle the auditor questions" – TISAX® covers HR security, physical security, vendor management, business continuity, and data protection. IT can't answer for all of these domains.


🚩 "We're not sure which Assessment Objectives apply" – This should be clarified with your customer before you register for assessment. Scope uncertainty creates audit failures.


How to Actually Pass Your First Assessment


Here's what organizations that pass on their first attempt do differently:

Start with honest gap analysis. Don't assess against what you think TISAX® requires. Use the VDA ISA 6 catalog. Score each control's maturity level honestly. Target level 3 across applicable controls.


Build operational maturity first. Implement processes. Let them run for 6-12 months. Collect evidence naturally. Then assess whether you're ready.


Involve all stakeholders. TISAX® requires coordination across IT, HR, facilities, procurement, and management. Ensure each department owns their controls.


Understand your Assessment Objectives. Know exactly which labels your customer requires. Scope precisely to those requirements.


Choose the right Assessment Level. AL2 is appropriate for many relationships. AL3 is mandatory for high-protection needs or when the customer requires on-site validation. Don't over-scope unnecessarily.


Treat the ENX platform as a governance tool. Your TISAX® label is a strategic asset. Understand how label sharing works, what your notification obligations are, and how scope changes affect validity.


Align with existing frameworks. If you already have ISO 27001 or NIST CSF implementations, build on that foundation rather than starting from scratch. TISAX® isn't a separate ISMS—it's a maturity validation of your existing ISMS.


The Bottom Line


Organizations don't fail TISAX® because the assessment is unreasonably difficult. They fail because they approach it as a documentation exercise instead of a governance maturity validation.

The difference between organizations that pass and organizations that fail isn't knowledge. It's implementation discipline.


If your organization is preparing for TISAX® assessment, ask yourself this question:

"If the auditor showed up tomorrow, unannounced, and interviewed random employees about security procedures—would they know what to say? Not because they were briefed, but because they actually follow those procedures every day?"


If the answer is yes, you're ready.


If the answer is no, you have more work to do—and documentation isn't the solution.


Ready to Build Real TISAX® Maturity?


TISAX® Made Easier provides the complete implementation roadmap that transforms compliance from a checkbox exercise into operational governance.

Inside, you'll find:

  • ✓ The complete VDA ISA 6 framework explained
  • ✓ Maturity level 3 achievement strategies for every control area
  • ✓ AL2 and AL3 audit preparation guidance
  • ✓ Evidence structuring templates
  • ✓ Scope definition methodologies
  • ✓ ENX platform management strategies
  • ✓ Integration frameworks for ISO 27001 and NIST

Plus exclusive bonuses for the first 100 readers: Evidence Package Template, AL3 Interview Preparation Guide, and Maturity Scorecard covering 25 critical ISA 6 controls.

Get the Premium Edition →


About the Author


Michael Kirsch is a certified TISAX® trainer (TÜV SÜD Academy) and Expert Advisor to the European Commission. With over 20 years of experience across BMW AG, KPMG, and Novartis, he has guided hundreds of automotive suppliers through successful TISAX® assessments. As Managing Director of MLYK Consulting and Board Member at ISEGRIM X AG, he specializes in helping U.S.-based suppliers bridge European security frameworks with American market expectations.

Certifications: ISO 27001, ISO 42001, IEC 62443, ISO 21434, ISO 31000