
    Top 5 Reasons TISAX Tabletop Exercises Prevent €10M+ Supply Chain Breaches for ADAS Tier 1 Suppliers in 2025

    By Gradum Team · 11 min read

    WHEN THE THIRD OEM ASKED FOR “AL3 WITH PROTO VEHICLES,” THE EXCEL MODEL COLLAPSED

    The program lead had three scopes, six plants, a cloud stack, and a nine‑month deadline.

    Evidence sat in shared drives, Jira, email… and people’s heads.

    The first AL2 assessment barely passed; the AL3 upgrade was a near disaster.

    The turning point wasn’t another consultant. It was treating TISAX tooling as architecture, not admin: an enterprise GRC backbone, automation to harvest evidence, and privacy/vendor tools to cover data and supply‑chain risk.

    This article unpacks that architecture so you can avoid learning it the hard way.


    What you’ll learn

    • How TISAX’s ISA catalog, assessment levels and maturity model translate into concrete software requirements
    • When to favor enterprise GRC platforms vs dedicated TISAX/automation SaaS – and when you need both
    • How tools like CyberArrow, VComply, Sprinto, Drata, Thoropass, OneTrust and Netwrix map onto ISA controls
    • Practical patterns for integrating tooling with ENX processes and accredited auditors
    • Common pitfalls (scope, prototype controls, data protection, vendor risk) and how to bake them into your tooling decisions

    1. From Point Tools to a TISAX Compliance Architecture

    TISAX at any real scale cannot be run from spreadsheets. The ISA catalog plus ENX processes define what you must do; your tooling stack determines how repeatable and scalable that becomes. High‑performing programs converge on a layered architecture rather than a single product.

    At minimum, you need three functional layers:

    1. Governance backbone (GRC) – risk, control and scope modeling across frameworks
    2. Execution and automation – evidence collection, continuous control monitoring, questionnaire support
    3. Specialized privacy / supplier modules – GDPR‑grade data protection and third‑party risk

    Enterprise GRC (ServiceNow, MetricStream, Archer, CyberArrow, VComply, AuditBoard) is typically the backbone in large suppliers and OEMs.

    Automation SaaS (Sprinto, Drata, Thoropass, 6clicks, Strike Graph, Compliance Aspekte) then does the heavy lifting on tests, integrations and audit‑ready evidence.

    Privacy and audit‑trail tools (OneTrust, Transcend, Netwrix, PrivIQ, Wired Relations) plug key ISA data‑protection gaps.

    [!IMPORTANT] Key Takeaway
    Treat TISAX tooling as an architecture decision: pick a backbone, decide where to automate, and make sure privacy and supplier‑risk capabilities are first‑class citizens, not afterthoughts.


    2. What TISAX Actually Demands from Your Tools

    TISAX is an automotive overlay on ISO 27001 plus GDPR, with ISA catalogs for information security, prototype protection and data protection. Any toolset must be able to model ISA, not just ISO.

    At a minimum, your stack must support:

    ISA structure & updates

    • Import / model ISA Excel (information security, prototype, data protection catalogs)
    • Track ENX/VDA updates (e.g., label changes like Confidential/Strictly confidential) without re‑implementing from scratch

    Assessment levels & maturity (AL1–AL3, 0–5)

    • Represent scopes, objectives and required assessment levels per site
    • Capture maturity scores per control; report status vs “3+ everywhere” expectation

    Lifecycle across registration–assessment–exchange

    • Scope and location hierarchy matching ENX Portal (scope IDs, objectives, sharing levels)
    • Self‑assessment workflows, non‑conformity and corrective‑action tracking
    • Evidence repositories aligned with ISA sections for auditor consumption

    Continuous monitoring and improvement

    • Periodic control tests and KPIs (logging, incident response, supplier reviews, BC/DR tests)
    • Change‑driven reassessment of risk and control effectiveness

    Platforms like CyberArrow, VComply, 6clicks and OneTrust explicitly support custom frameworks and cross‑mapping, making ISA a first‑class object.

    Automation tools (Sprinto, Drata) then bind those frameworks to live telemetry.

    [!CHECKLIST] Mini‑Checklist – “ISA-Ready” Platform

    • Can we load or configure the full ISA catalog, including prototype and data‑protection sections?
    • Can we tag risks, controls and evidence by scope, assessment objective and assessment level?
    • Can we represent maturity (0–5) and report gaps to target level 3+?

    3. Enterprise GRC Platforms: Governance Backbone for TISAX

    Enterprise and upper mid‑market suppliers usually already run some form of GRC. The question is how to extend it for ISA, not whether to replace it.

    Typical roles of enterprise GRC in TISAX

    • Model ISA as a framework
      ServiceNow, MetricStream, Archer, OpenPages, CyberArrow, VComply and AuditBoard all support custom frameworks.

      ISA domains and control questions become control objects linked to risks, assets and processes.

    • Unify multi‑framework risk and control data
      ISO 27001, TISAX, NIS2, SOX, internal policies all share one control library.

      – A single logical control (e.g., centralized IAM) can be tagged to multiple standards.

    • Drive workflows and remediation
      Issues, exceptions, corrective actions and approvals live in one workflow engine.

      Dashboards consolidate status by scope and label.

    • Integrate with ITSM / security stack
      ServiceNow GRC can tie TISAX controls directly to CMDB CIs, incidents and changes.

      Archer/OpenPages integrate with SIEM, vulnerability management and ticketing.
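The two modelling ideas above (one logical control tagged to several standards, and per-scope maturity scores reported against the 0–5 model with a target of 3) are small enough to show in code. The following is an added example written for this article, not code from any of the GRC or automation products named; the control numbers, titles, scope ID and scores are constructed for illustration and are not checked against the real VDA ISA catalog.

```python
# Added example (not from the article or any vendor named in it): a minimal
# model of an ISA-style control library with cross-framework tags, per-scope
# maturity scores and a gap report against the target maturity of 3.
# Control numbers, titles, scope IDs and scores are constructed for
# illustration and are not verified against the real VDA ISA catalog.
from dataclasses import dataclass, field

TARGET_MATURITY = 3            # the "3+ everywhere" expectation
MATURITY_LEVELS = range(0, 6)  # ISA maturity model: 0..5


@dataclass(frozen=True)
class Control:
    control_id: str            # ISA-style question number (constructed)
    title: str
    frameworks: frozenset      # every standard this one logical control satisfies


@dataclass
class Scope:
    scope_id: str              # mirrors the ENX scope ID (placeholder value)
    objectives: frozenset      # assessment objectives requested for this scope
    maturity: dict = field(default_factory=dict)  # control_id -> 0..5

    def rate(self, control_id: str, level: int) -> None:
        """Record a maturity score; reject anything outside the 0-5 model."""
        if level not in MATURITY_LEVELS:
            raise ValueError(f"maturity must be 0-5, got {level!r}")
        self.maturity[control_id] = level


LIBRARY = [
    Control("1.2.1", "Information security policies", frozenset({"ISA", "ISO27001"})),
    Control("4.1.2", "Central identity and access management", frozenset({"ISA", "ISO27001", "NIS2"})),
    Control("5.2.4", "Logging and event monitoring", frozenset({"ISA", "ISO27001", "NIS2"})),
    Control("8.1.1", "Prototype: physical protection of test vehicles", frozenset({"ISA"})),
    Control("9.1.1", "Records of processing activities", frozenset({"ISA", "GDPR"})),
]


def controls_for(library, framework: str) -> list:
    """Cross-framework mapping: the controls that count towards one standard."""
    return sorted(c.control_id for c in library if framework in c.frameworks)


def gap_report(library, scope: Scope, target: int = TARGET_MATURITY) -> dict:
    """Controls in this scope that are unrated or below target.

    An unrated control is reported as (None, target): no score means no
    evidence, which an auditor treats as a gap, not as 'not applicable'.
    """
    gaps = {}
    for c in library:
        level = scope.maturity.get(c.control_id)
        if level is None or level < target:
            gaps[c.control_id] = (level, target)
    return gaps


def build_sample_scope() -> Scope:
    """Constructed sample: one plant with two objectives and partial ratings."""
    scope = Scope("SCOPE-ID-PLACEHOLDER", frozenset({"Confidential", "Prototype parts"}))
    scope.rate("1.2.1", 4)
    scope.rate("4.1.2", 3)
    scope.rate("5.2.4", 2)  # below target: log reviews not yet consistent
    scope.rate("8.1.1", 1)  # prototype control barely started
    # "9.1.1" deliberately left unrated: no evidence collected yet
    return scope


if __name__ == "__main__":
    s = build_sample_scope()
    print("NIS2 controls reused from the ISA library:", controls_for(LIBRARY, "NIS2"))
    for cid, (level, target) in gap_report(LIBRARY, s).items():
        print(f"{s.scope_id} {cid}: maturity {level} < target {target}")
```

The design point is that the gap report treats a missing score as a gap rather than skipping it; a dashboard that only averages the scores it has will show a healthy 3.0 for a scope that has half its controls unrated.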

    Where these suites struggle is speed‑to‑value and depth of automation.

    ISA modeling, custom fields (scope IDs, labels), and cross‑framework mapping often require expert configuration.

    That’s why many programs pair GRC with lighter‑weight automation tooling.

    [!TIP] Pro Tip
    In a large supplier, define TISAX once in the GRC backbone and feed it with automation platforms, rather than letting each business unit invent its own spreadsheets and evidence stores.


    4. Automation SaaS: Closing the Evidence and Monitoring Gap

    AL2 and AL3 assessments are evidence‑intensive. Without automation, teams drown in screenshots, exports and ad‑hoc SharePoint structures. This is where modern compliance automation platforms earn their keep.

    What automation platforms contribute

    Automated evidence collection & tests

    • Sprinto: continuous validation of system configurations, evidence gap analysis, AI‑driven risk mapping.
    • Drata: daily checks, ISO 27001/GDPR libraries, cross‑framework mapping so one control satisfies multiple standards.
    • 6clicks: CCM binding controls to real‑time data sources; AI (“Hailey”) mapping existing controls to ISA.
    • Compliance Aspekte: ISA‑native templates, maturity scoring, dashboards and tasking for small/mid suppliers.

    Questionnaire and OEM‑RFP support

    • Sprinto and Trustero AI use AI to pre‑fill security questionnaires and map answers to existing evidence.
    • This is extremely valuable when each OEM sends a different spreadsheet.

    Time‑to‑label compression

    • Automation cuts the pre‑audit scramble.
    • Evidence is continuously captured from IAM, cloud, CI/CD, ticketing and HR systems.
    • Self‑assessments roll up automatically.

    These tools rarely ship “TISAX out of the box,” but their ISO 27001+GDPR automation plus custom frameworks is usually sufficient to operationalize ISA quickly.

    [!IMPORTANT] Key Takeaway
    Use automation to make ISA live: tests and evidence run on a schedule, not just during the three‑year TISAX cycle. That’s what sustains maturity levels between audits.


    5. Data Protection & Supplier Risk: The Often‑Missed Dimensions

    Two ISA areas are routinely under‑tooled: data protection and supplier relationships. Both are central to TISAX and NIS2, and both benefit from specialized platforms.

    Data protection objectives (Data / Special data)

    ISA’s data‑protection catalog expects GDPR‑grade capabilities:

    • Records of processing, lawful‑basis tracking
    • Data subject rights workflows (DSARs)
    • Retention/deletion, data discovery and classification
    • Breach handling aligned to GDPR timelines

    Privacy‑centric tools address this better than generic GRC:

    • OneTrust – data mapping, DSAR automation, vendor privacy risk, incident workflows; strong fit where TISAX data objectives and broader privacy regimes coincide.
    • Transcend – DSAR automation, consent, deletion/retention, with deep data discovery.
    • PrivIQ / Wired Relations – SME‑oriented privacy dashboards and PIAs.
    • Netwrix Auditor – detailed user and data‑access audit trails, alerts and reports across hybrid IT.

    Integrated with your GRC/automation layer, these tools become the operational backbone for TISAX Data / Special data objectives.

    Supplier relationships and third‑party risk

    TISAX explicitly requires supplier‑risk assessment and cascading of appropriate protection levels:

    • Identify which suppliers process OEM confidential/prototype/personal data
    • Decide when TISAX labels (and at what AL) are required
    • Track label status, expiry and corrective actions

    Relevant capabilities:

    • OneTrust TPRM – supplier intake, due diligence workflows, risk scoring, continuous monitoring.
    • 6clicks vendor risk – integrated with TISAX/ISO frameworks and CCM.
    • GRC suites – vendor‑risk modules or ERM integrations.
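The three supplier‑risk steps above (which suppliers handle which data, which label and assessment level that implies, and tracking label status and expiry) are a decision table plus a date check. Here is an added example, written for this article rather than taken from OneTrust, 6clicks or any GRC suite, that runs that review over a constructed supplier inventory. The objective‑to‑AL table is an assumption used for illustration and should be checked against the current ENX Participant Handbook; supplier names, dates and label data are constructed.

```python
# Added example (not from the article or any vendor named in it): decide which
# suppliers need a TISAX label, which objectives it must cover, and whether an
# existing label is missing objectives, expired or about to expire.
# The objective-to-AL table is an assumption for illustration only; verify it
# against the current ENX Participant Handbook. Supplier names, dates and
# label data are constructed.
from datetime import date, timedelta

# Assumed minimum assessment level per assessment objective (illustrative).
REQUIRED_AL = {
    "Confidential": 2,
    "Strictly confidential": 3,
    "Prototype parts": 3,
    "Data": 2,
    "Special data": 3,
}
LABEL_VALIDITY = timedelta(days=3 * 365)  # the three-year cycle the article names
EXPIRY_WARNING = timedelta(days=180)      # assumed lead time to book a reassessment


def required_level(objectives) -> int:
    """Highest AL implied by the objectives a supplier's data exposure triggers (0 = none)."""
    unknown = set(objectives) - REQUIRED_AL.keys()
    if unknown:
        raise ValueError(f"unknown assessment objective(s): {sorted(unknown)}")
    return max((REQUIRED_AL[o] for o in objectives), default=0)


def label_status(supplier: dict, today: date) -> str:
    """Classify one supplier record.

    supplier = {"objectives": {...required...},
                "label": None or {"objectives": {...covered...}, "assessed_on": date}}
    """
    required = set(supplier["objectives"])
    if required_level(required) == 0:
        return "not_required"
    label = supplier.get("label")
    if label is None:
        return "missing"
    if not required <= set(label["objectives"]):
        return "missing_objectives"  # e.g. Confidential label, but prototypes involved
    expires = label["assessed_on"] + LABEL_VALIDITY
    if expires < today:
        return "expired"
    if expires - today <= EXPIRY_WARNING:
        return "expiring"
    return "valid"


def review(suppliers: dict, today: date) -> dict:
    """Supplier name -> status: the view an auditor asks for under supplier relationships."""
    return {name: label_status(rec, today) for name, rec in suppliers.items()}


# Constructed sample inventory; names and dates are placeholders.
SAMPLE_SUPPLIERS = {
    "supplier-a-constructed": {"objectives": {"Confidential"},
        "label": {"objectives": {"Confidential"}, "assessed_on": date(2023, 3, 1)}},
    "supplier-b-constructed": {"objectives": {"Confidential", "Prototype parts"},
        "label": {"objectives": {"Confidential"}, "assessed_on": date(2024, 1, 15)}},
    "supplier-c-constructed": {"objectives": {"Special data"},
        "label": {"objectives": {"Special data"}, "assessed_on": date(2022, 9, 1)}},
    "supplier-d-constructed": {"objectives": set(), "label": None},   # no OEM data at all
    "supplier-e-constructed": {"objectives": {"Data"}, "label": None},
    "supplier-f-constructed": {"objectives": {"Confidential"},
        "label": {"objectives": {"Confidential"}, "assessed_on": date(2021, 1, 1)}},
}

if __name__ == "__main__":
    for name, status in review(SAMPLE_SUPPLIERS, date(2025, 6, 1)).items():
        print(f"{name}: {status}")
```

Two details matter in practice: a label is checked per objective (an AL2 Confidential label says nothing about prototype parts), and "expiring" is reported early enough that the supplier can be reassessed before the gap appears in your own AL3 evidence.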

    [!CHECKLIST] Mini‑Checklist – Data & Supplier Layer

    • Do we have a system of record for processing activities and DSARs?
    • Can we show auditors which suppliers must be TISAX‑labeled and how we track their status and risk?
    • Are TISAX, GDPR and NIS2 controls mapped onto the same supplier and data inventory?

    6. Pragmatic Selection Criteria and Pitfalls

    Given ENX’s neutrality, no tool is “official.” You must choose based on fit, not logos.

    Selection criteria that matter in practice

    • Framework engine – Can it represent ISA alongside ISO 27001, GDPR, NIS2?
    • Integration breadth – IAM, cloud, ticketing, CI/CD, endpoints, physical security, ERP/MES (even if via APIs/custom work).
    • Multi‑scope & multi‑entity support – Essential when labels are per‑site and you run multiple scopes and countries.
    • CCM capabilities – Ability to automate checks for high‑risk controls (access, logging, backups, vendor status, prototype areas).
    • Openness & portability – APIs, export formats, and contract terms that avoid lock‑in; important given ongoing ISA/NIS2 evolution.
    • Auditor familiarity – Check with your chosen Audit Provider which tools they see frequently; alignment reduces audit friction.

    Common pitfalls

    • Over‑investing in a heavyweight GRC suite for a single AL2 scope when a TISAX‑specific SaaS would suffice
    • Assuming ISO 27001 templates alone cover prototype and test‑vehicle controls (they don’t)
    • Ignoring ENX concepts (scope IDs, sharing levels, assessment status codes) in the data model, then manually reconciling later
    • Underestimating vendor risk: tooling vendors themselves sit squarely inside your TISAX supply chain

    [!TIP] Pro Tip
    Prototype ISA modeling in 1–2 candidate tools before procurement: load a subset of controls, map risks and evidence, then walk an auditor through it and capture feedback.


    The Counter-Intuitive Lesson Most People Miss

    Most teams assume the fastest way to a label is to “keep TISAX small” – a narrow scope, minimal tooling, minimal change. For AL2 on a single site, that can work once. Over a three‑year cycle and multiple OEMs, it usually backfires.

    The counter‑intuitive reality: a slightly larger, better integrated compliance architecture often leads to less work and lower risk.

    Reasons:

    • Modeling ISA centrally in GRC and automation tools means each new scope or OEM request reuses 80–90% of the same controls, evidence and workflows.
    • Investing early in data‑protection and vendor‑risk modules avoids emergency projects when the first major OEM insists on Data/Special data objectives or proof of supplier oversight.
    • Continuous control monitoring surfaces issues when they are small; fixing them opportunistically is cheaper than three‑year “big bang” remediations before reassessment.

    In other words, consciously designing for multi‑framework, multi‑scope reuse may feel like “extra” work up front, but it is usually the only sustainable pattern for suppliers who plan to stay in the automotive game.

    [!IMPORTANT] Key Takeaway
    Don’t optimize for the first label; optimize for the third – across more scopes, more OEMs and a tighter regulatory environment.


    Key Terms mini-glossary

    • TISAX – Trusted Information Security Assessment Exchange, an automotive information‑security assessment and result‑sharing scheme governed by ENX.
    • ENX Portal – The ENX‑operated platform where participants register, define scopes, select auditors and share TISAX results.
    • VDA ISA – VDA Information Security Assessment catalog; the Excel‑based control set underlying all TISAX assessments.
    • Assessment Level (AL1–AL3) – TISAX audit depth levels: self‑assessment (AL1), remote plausibility check (AL2), on‑site high‑rigor audit (AL3).
    • Assessment Objective – A TISAX label profile (e.g., Confidential, Strictly confidential, Prototype parts, Data Protection) mapped to specific ISA controls and minimum AL.
    • ISA Catalogs – Three ISA domains: information security, prototype protection and data protection.
    • Continuous Control Monitoring (CCM) – Automated collection and evaluation of data to confirm that controls remain effective over time.
    • GRC Platform – Governance, Risk and Compliance software used to model frameworks, risks, controls, tests and issues enterprise‑wide.
    • Compliance Automation Platform – SaaS focused on automated evidence collection, continuous testing and audit readiness across frameworks.
    • Audit Provider – ENX‑accredited TISAX audit provider responsible for performing AL2/AL3 assessments and submitting results.

    FAQ

    Q1: Does ENX require or endorse any specific TISAX software?
    No. ENX provides the ISA catalog, Participant Handbook and Portal, and accredits auditors, but explicitly does not endorse commercial tools. Any stack is acceptable if you meet ISA requirements in practice.

    Q2: If we already have ISO 27001, do we still need new tools for TISAX?
    Often you can extend existing ISO‑27001‑oriented GRC tooling, but you must add ISA‑specific structure (prototype/data protection catalogs, assessment objectives, maturity) and usually more automation to handle TISAX’s evidence load.

    Q3: Can automation platforms alone replace an enterprise GRC suite?
    For smaller or single‑framework suppliers, yes: tools like Sprinto, Drata, 6clicks, IX or Compliance Aspekte can cover governance and execution. Large, multi‑framework groups usually benefit from a GRC backbone plus automation.

    Q4: How do these tools integrate with the ENX Portal?
    There is no generic, public API. Most organizations mirror ENX scopes and IDs inside their tools and manually synchronize labels, reports and status; some build bespoke integrations for status and metadata.

    Q5: Which areas are hardest to model in tools?
    Prototype protection (garages, test tracks, events) and complex production availability. Generic frameworks don’t “understand” these; you must tailor ISA controls, workflows and evidence structures explicitly.

    Q6: How should we involve auditors in tooling choices?
    Engage your intended Audit Provider early, demo your planned tooling model for ISA and ask what structures and exports work best for their assessments. This reduces friction and rework later.


    Conclusion

    In the opening story, the TISAX program nearly failed not because the team misunderstood ISA, but because they tried to run AL3 across multiple scopes with improvised tooling.

    Once they treated software as a deliberate compliance architecture – GRC backbone, automation layer, privacy/supplier modules, all aligned with ENX concepts – audit prep stopped being a crisis project and became an operational rhythm.

    For experienced security and compliance leaders, that is the real opportunity: use TISAX as the forcing function to modernize how frameworks, evidence and supplier risk are managed.

    Done well, the same stack that wins and keeps your TISAX labels will also carry ISO 27001, GDPR, NIS2 and whatever the next OEM requirement brings.

    Top 5 Takeaways

    Software Transforms TISAX from Nightmare to No-Brainer

    #1 Turbocharge Your Evidence Collection Process Effortlessly

    Automation platforms like Sprinto and Drata pull logs, configs, and proofs from IAM, cloud, and ticketing, slashing manual screenshots and audit prep by 50-80%.

    #2 Model ISA Catalogs Without Custom Nightmares

    GRC tools like CyberArrow and VComply import VDA ISA Excel directly, mapping prototype/data protection controls to risks and staying audit-ready as ENX updates hit.

    #3 Sustain Maturity Levels Between 3-Year Audits

    Continuous monitoring in Drata and 6clicks runs daily tests on access, logging, and backups, catching drift early to hit AL3 without pre-reassessment panic.

    #4 Unify ISO 27001, GDPR, and TISAX Seamlessly

    Cross-framework mapping in OneTrust and ServiceNow reuses one control for multiple standards, compressing TCO by 20-30% for multi-OEM suppliers.

    #5 Crush Supplier Risk and Prototype Gaps Fast

    TPRM in OneTrust tracks vendor TISAX labels; Netwrix audits data flows, covering ISA's toughest areas like prototype events and special data objectives.
