Loopus

Assessment Levels (AL1-AL3)

Learning Objectives

  • Understand TISAX Assessment Levels
  • Learn the differences between AL1, AL2, and AL3
  • Determine required assessment level

Assessment Levels (AL1 - AL3)

TISAX defines three distinct Assessment Levels (AL) to determine the depth and rigor of the verification process. The required level depends on the sensitivity of the data being handled and the specific requirements of the OEM partner.

Assessment Level 1 (AL1)

Assessment Level 1 represents a pure self-assessment conducted by the organization without any external verification. The organization evaluates its own security posture against the VDA ISA criteria. Because there is no independent auditor involvement, AL1 results have low credibility and are generally not accepted by OEMs as proof of compliance for handling sensitive data. It serves primarily as an internal benchmarking tool.

Assessment Level 2 (AL2)

Assessment Level 2 involves a plausibility check performed by an independent audit provider. The auditor reviews the organization's self-assessment and verifies the evidence through remote interviews and document reviews. This level is typically required for standard suppliers who handle internal or confidential information but not highly sensitive prototypes or secret data. The process focuses on verifying that the documented controls are plausible and consistent with the organization's description.

Assessment Level 3 (AL3)

Assessment Level 3 requires a comprehensive on-site audit. Auditors physically visit the organization's location to verify controls in person, observe processes, and interview staff. This rigorous level is mandatory for organizations handling data categorized as "Secret" or "Top Secret," such as prototype vehicles or highly sensitive development data. The audit spans several days and provides the highest level of assurance.

Determining the Required Level

The necessary Assessment Level is dictated by the protection needs of the information exchanged. Standard internal information may require AL2, while protection of prototypes always demands AL3. Each automotive partner specifies the required level in their supplier agreements.

Costs and Effort

The effort and cost scale significantly with the level. AL2 assessments typically involve one to two audit days, while AL3 assessments can require two to five days depending on the scope and location. Preparation typically requires six to twelve months of dedicated effort to implement the necessary controls before the assessment can be successfully passed.

Answer the Questions

Question 1

Which level involves a pure self-assessment?

Question 2

Which level requires an on-site audit?

Question 3

What determines the required level?
