Executive Summary
TISAX awareness training is assessed under a single control, VDA ISA 2.1.3: "to what extent is staff made aware of and trained with respect to the risks arising from the handling of information." Running one session doesn't pass it. The assessor grades the control on a 0–5 maturity scale and looks for level 3, which means a documented program, delivered to everyone, refreshed on a schedule, and provable with records. Below is what your training has to cover, how often it has to run, and exactly what you'll be asked to show.
If I had to name the assumption that costs suppliers the most marks on an otherwise clean TISAX assessment, it's this one: awareness training is the easy control. You send round a slide deck, log a few names, and turn back to the hard technical work. Then the assessor asks for your training concept, your completion records, and your refresh schedule, and the easy control turns into a finding.
Here's the good news. Once you know what's being measured, this is one of the cleaner controls to close. The catalogue is specific about the minimum content and about the evidence, so there's not much room for interpretation. Treat it as "we did a training once" and you'll drop marks you never needed to drop. Build it properly and it's a control you can put to bed early.
What TISAX actually requires for awareness training
TISAX assessments run on the VDA Information Security Assessment (ISA) catalogue, currently version 6.0.3, which has been the mandatory basis for all new assessments since 1 April 2024. Awareness sits in Chapter 2, Human Resources, as control 2.1.3.
The control works at two levels. The must-level is blunt: every employee receives training and awareness activities related to information security. There's no quiet exemption for the people who "don't really touch sensitive data." The requirement is all staff, and assessors read it that way.
The should-level is where the detail lives, and in practice it's the bar a High-protection-need assessment (AL2) holds you to. It sets a minimum scope for the training and requires that the training be refreshed at regular intervals. Ignore the should-level and you're simply not building toward the maturity score the assessor came to find.
It also helps to see 2.1.3 among its neighbours. Chapter 2 covers qualifying people for sensitive roles (2.1.1), binding staff to your security policies through NDAs and employment terms (2.1.2), and regulating mobile and remote work (2.1.4). Awareness is the control that makes the rest of them real. A signed policy commitment doesn't mean much if nobody ever taught the person what the policy expects of them.
Why "we ran a training" scores a 2, not a 3
This is the part suppliers underestimate, so let me be exact about it. ISA scores every applicable control on a maturity scale from 0 to 5. For both AL2 and AL3 assessments, the target is level 3, "established": the process is documented, implemented, and verifiably practiced.
Put that against awareness training and the line gets sharp:
- "We have an awareness training" sits around level 1 to 2. Something exists, but it isn't consistently delivered or evidenced.
- "Every employee completes a defined program on a set schedule, and we can show you who did what and when" is level 3.
That gap is the gap between a pass and a finding. An assessor doesn't grade your intentions. They grade what you can put in front of them, row by row, and a polished deck nobody can prove was delivered scores worse than a plain one with clean records behind it. If you're coming from an ISO 27001 background, this is the same evidence discipline the standard's people controls (A.6.1–6.8) already ask for. TISAX just grades the maturity of it out loud. Our breakdown of where ISO 27001 covers TISAX walks through that overlap in full.
Free Gap Assessment: map your current awareness program against the TISAX label you actually need.
What your awareness program has to cover
The should-level of 2.1.3 hands you a minimum syllabus. At a floor, your training needs to cover:
- Your information security policy, and what it actually asks of each employee day to day.
- How to spot and report a security event: the channel, who to tell, and how fast. People can't report what nobody told them to watch for.
- What to do, and what not to do, when a machine is hit by malware or a ransomware note shows up.
- Account and password basics: no shared logins, sensible password habits, and MFA wherever it applies.
- The physical side: clean desk, visitor handling, badge discipline, and the security-zone rules for their site.
Treat that as the floor, not the ceiling. Two additions earn their place in an automotive context. Phishing deserves its own module, because it's the most common real-world way in and assessors expect to see it covered directly. And people in sensitive functions need role-specific content on top of the baseline: developers handling source code, staff working in prototype-protection areas, anyone processing OEM data as a data processor. ISA 6 also split the old single security label into separate Confidentiality and Availability labels, so if availability is in your scope, your training should reach into incident response and continuity from the employee's point of view too.
One call worth making early: write the training for your people, not for the catalogue. A module that recites ISA control numbers at a machine operator gets clicked through and forgotten. One that shows them the three things that actually go wrong on their floor sticks. And the program people remember is the one that survives an assessor's interview, because the proof of awareness isn't the slide, it's what the employee says when asked.
How often: cadence and refresh
The control asks for refresh "at regular intervals" and pointedly declines to give you a number. That's deliberate, but the cadence that consistently reads as level 3 has three parts:
- At onboarding, before or immediately after a new hire gets access. A starter who's been in the building three months untrained is a gap an assessor can see.
- A full annual refresh for everyone, on a fixed schedule, so the whole workforce cycles through inside a known window.
- Ad-hoc top-ups when a policy changes materially, after a relevant incident, or when a new threat pattern lands. These are what show the program is alive rather than a date in a calendar.
Phishing simulations run on their own rhythm, and quarterly is a common, defensible choice. They earn their place twice over: they generate exactly the kind of dated, per-employee evidence an assessor likes, and they tell you whether the training is actually working instead of just whether it happened.
The evidence an assessor will actually check
Build this part first, because this is the part that gets graded. For 2.1.3, an assessor expects three kinds of evidence:
Our TISAX® and ISO 27001 experts help European automotive suppliers achieve compliance within 95 days.
- A training concept or awareness program proves the training is designed, not improvised. Good looks like a short documented plan covering scope, topics, audiences, cadence, and ownership.
- Training records prove it was actually delivered, and to whom. Good looks like per-employee completion logs with dates, covering 100% of staff in scope.
- Schedule and frequency records prove it recurs on a defined interval. Good looks like a calendar or LMS export showing onboarding, annual, and trigger-based runs.
The failure pattern we see most is strong content and thin records. A genuinely good program with no way to prove who completed it cannot reach level 3, because half the definition of "established" is verifiably practiced. If your training runs through an LMS, the completion export does most of this work for you. If it runs through a meeting room and a sign-in sheet, scan the sheet and date it. The record is the deliverable here. The training is just the thing that produces it.
A practical prep timeline
Starting from nothing, this control is realistically four to six weeks of work, and most of that is documentation and rollout rather than design.
Weeks 1–2 — define. Write the one-page training concept. Pick your topics against the 2.1.3 minimum, plus phishing and any role-specific modules. Set the cadence. Put a name against ownership.
Weeks 2–4 — build and deliver. Assemble or buy the content, then run the first full delivery to everyone in scope. If you have an LMS, load it there so the records keep themselves. If you don't, start a clean attendance log on day one rather than reconstructing it later.
Weeks 4–6 — evidence and test. Pull the completion records and confirm 100% coverage. Run a first phishing simulation. File the schedule. Then a five-minute test: if an assessor asked you to show your awareness training and prove everyone did it, could you, right now? If the answer is yes, 2.1.3 is sitting at level 3.
None of this happens in isolation. Awareness is one control among the 45 in the Information Security module, but it's one of the few you can fully close early, which makes it a useful confidence-builder while the heavier technical controls are still moving. For the wider view of what an automotive supplier is walking into, see our guide to automotive supplier TISAX requirements and the changes VDA ISA 6 introduced.
Common mistakes we see
When we review a supplier's posture before a TISAX assessment, awareness training throws up the same short list nearly every time:
- Training the office and forgetting the floor. Production, logistics, and contractors are in scope too, and "all staff" means all staff.
- Strong content, no records. The deck is fine; nobody can prove who watched it. This is the single most common reason a good program still scores a 2.
- One and done. A single onboarding session with no annual refresh fails the "regular intervals" wording on its face.
- Skipping phishing, when it's the threat an assessor most expects to see addressed head-on.
- Buying a generic course and never tailoring it to automotive or to the actual roles, so retention is low and the interview answers come out vague.
None of these needs a war story to make the point. They're structural, and they all trace back to treating awareness as a box to tick instead of a control to evidence.
How ITIS-Secure helps
Our preparation work picks up where this article stops. We help you write the training concept, scope the content against control 2.1.3 and the labels your OEM actually requires, set a cadence you can defend, and stand up the evidence trail so the control lands at level 3 on the first assessment rather than the second. Whether you're scoping TISAX preparation for the first time or you already hold ISO 27001 and need to close the automotive-specific gap, we'll show you where the work is and where it isn't.
Book your free gap assessment and we'll map your current awareness program against your target TISAX labels and hand you a clear, honest plan for 2.1.3 and the controls around it.
No commitment required • GDPR compliant • Strategy confirmed via secure link
Frequently asked questions
What is TISAX awareness training?
It's the information security training and awareness you provide to employees to satisfy VDA ISA control 2.1.3 in a TISAX assessment. At a minimum it covers your security policy, how to report security events, malware response, account and password handling, and physical security, all refreshed at regular intervals and backed by records.
Which TISAX control covers security awareness training?
VDA ISA control 2.1.3, in Chapter 2 (Human Resources) of the ISA 6.0.3 catalogue: "to what extent is staff made aware of and trained with respect to the risks arising from the handling of information." It's graded on the 0–5 maturity scale, with level 3 as the target for AL2 and AL3.
How often does TISAX awareness training need to happen?
The control asks for refresh "at regular intervals" without naming a figure. In practice, the cadence that reads as established is training at onboarding, a full annual refresh for all staff, and ad-hoc top-ups when policies change or after an incident. Phishing simulations are commonly run quarterly.
What evidence does a TISAX assessor want for awareness training?
Three things: a documented training concept or awareness program, per-employee training records showing who completed which modules and when, and records of the training schedule and frequency. Content with no completion records is the most common reason this control scores below level 3.
Do all employees need TISAX awareness training, or only IT staff?
All employees in scope, including production, logistics, and often contractors. The must-level of 2.1.3 makes no exception for non-technical roles. Sensitive functions such as developers, prototype areas, and OEM data processors should get additional role-specific content on top of the baseline.
Is a TISAX foundation course the same as awareness training?
No. A TISAX foundation or assessment course, run by bodies like TÜV SÜD, SGS, or BSI, teaches a few people how the TISAX process works. Awareness training under 2.1.3 is the recurring, company-wide program you deliver to all staff. You might want both, but only the second one is the control being assessed.
This article is general information about TISAX and the VDA ISA catalogue, not legal or certification advice. Your OEM's exchange request, the current VDA ISA 6.0.3 catalogue, and your own protection-need and risk context determine exactly which controls and evidence apply to you.
TISAX® is a registered trademark of ENX Association. VDA® is a registered trademark of Verband der Automobilindustrie e.V. ITIS-Secure is an independent preparation firm; assessments and labels are issued through the ENX/TISAX process.

About Iulian Bozdoghina
Lead Auditor and Consultant
"Iulian Bozdoghina is a veteran cybersecurity strategist with over 15 years of experience in securing automotive supply chains and critical infrastructure. He specializes in TISAX®, ISO 27001, and the emerging NIS2/DORA regulatory landscape."




