What Will the Auditor Ask Your Team?
A complete department-by-department audit preparation guide. Interactive checklists, examiner questions, and insider context for every function that will face an ENX auditor.
Audit Preparation Tracker — check items off as you go. Progress saves in your browser session.
- ISMS policy document reviewed and approved by top management [VDA ISA 6.0 · IS-01]
- Asset register maintained and classified by information sensitivity [VDA ISA 6.0 · AM-01]
- Access control policy documented with role-based access principles [VDA ISA 6.0 · IAM-01]
- Privileged access management (PAM) solution deployed and documented [VDA ISA 6.0 · IAM-03]
- MFA enforced on all remote access and critical systems [VDA ISA 6.0 · IAM-04]
- User access reviews completed and documented (min. annual) [VDA ISA 6.0 · IAM-05]
- Joiner/mover/leaver process documented and tested [VDA ISA 6.0 · IAM-06]
- Network segmentation diagram current and prototype network isolated [VDA ISA 6.0 · NW-01]
- Encryption enforced for prototype data at rest and in transit [VDA ISA 6.0 · CR-01]
- Vulnerability management process with tracked remediation SLAs [VDA ISA 6.0 · VM-01]
- Patch management policy with documented critical/high timelines [VDA ISA 6.0 · VM-02]
- Incident response plan documented, tested, and version-controlled [VDA ISA 6.0 · IR-01]
- Security event logging enabled on all critical systems (SIEM or equivalent) [VDA ISA 6.0 · LOG-01]
- Backup procedures tested and recovery time objectives documented [VDA ISA 6.0 · BC-01]
- Mobile device management (MDM) policy and enforcement active [VDA ISA 6.0 · MOB-01]
- Cloud service security controls documented and provider assessed [VDA ISA 6.0 · CLD-01]
- Data loss prevention (DLP) controls active on prototype data flows [VDA ISA 6.0 · DLP-01]
- Penetration test conducted within last 12 months with findings tracked [VDA ISA 6.0 · PT-01]
- Secure software development lifecycle (SSDLC) policy in place [VDA ISA 6.0 · DEV-01]
- Remote wipe capability confirmed for all devices with TISAX-scope access [VDA ISA 6.0 · MOB-03]
- ISMS internal audit completed with documented findings and closures [VDA ISA 6.0 · IA-01]
- Management review meeting held with signed minutes and action log [VDA ISA 6.0 · MR-01]
- Risk register reviewed within last 6 months with treatment decisions [VDA ISA 6.0 · RM-02]
- Cryptographic key management policy documented and enforced [VDA ISA 6.0 · CR-03]
IT is the highest-scrutiny department in any TISAX® AL3 assessment. The ENX auditor will spend more time here than anywhere else — and the questions are designed to probe not just whether controls exist, but whether the people responsible for them can explain, evidence, and demonstrate them in real time.
The single most common failure mode we observe in IT departments is the gap between what the policy document says and what the system actually does. An access control policy that specifies quarterly user reviews, combined with a system where reviews haven’t happened in 14 months, is not just a finding — it is a finding that triggers deeper scrutiny of everything else.
The second most probed area is network architecture. For AL3 prototype protection scope, the auditor will want to see that data classified at the highest sensitivity level cannot travel across general-purpose network segments without detection or prevention controls.
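The segmentation point above is one that IT can rehearse before the auditor arrives: take an export of flow or firewall logs and confirm that nothing leaves the prototype segment except through the channels the segmentation diagram says are permitted. The script below is an added example written for this guide, not tooling from the page or from ENX. The prototype zone address range (10.50.0.0/24), the two approved egress destinations (a PLM server and a DLP-inspecting proxy) and the flow records are all constructed placeholders; substitute your own diagram's values.

```python
"""
Policy-vs-reality check for network segmentation: every flow that originates in
the prototype zone and terminates outside it must match an approved egress path.
Added example with constructed data; addresses and ports are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Assumed layout (placeholders, not values from the page or any real site).
PROTOTYPE_ZONE = ipaddress.ip_network("10.50.0.0/24")
# (destination host, destination port) pairs the segmentation diagram permits.
APPROVED_EGRESS = {
    (ipaddress.ip_address("10.10.5.20"), 443),  # PLM/CAD vault (assumed)
    (ipaddress.ip_address("10.10.9.1"), 3128),  # DLP-inspecting proxy (assumed)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    bytes_out: int


def parse_flows(lines) -> List[Flow]:
    """Parse whitespace-separated 'src dst port bytes' records, skipping comments."""
    flows = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, nbytes = line.split()
        flows.append(Flow(src, dst, int(port), int(nbytes)))
    return flows


def is_violation(flow: Flow) -> bool:
    """True when prototype-zone data leaves the zone by an unapproved path."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in PROTOTYPE_ZONE:
        return False  # only outbound traffic from the protected zone is policed here
    if dst in PROTOTYPE_ZONE:
        return False  # intra-zone traffic is covered by other controls
    return (dst, flow.dst_port) not in APPROVED_EGRESS


def find_violations(lines) -> List[Flow]:
    return [f for f in parse_flows(lines) if is_violation(f)]


# Constructed sample export: two flows leave the zone by unapproved paths.
SAMPLE_FLOWS = """
# src           dst           port  bytes
10.50.0.17      10.50.0.40    445   120000
10.50.0.17      10.10.5.20    443   8800000
10.50.0.21      10.10.9.1     3128  50000
10.50.0.21      10.20.3.55    445   9500000
10.50.0.33      203.0.113.8   443   2100000
10.20.3.55      10.50.0.17    445   1200
""".splitlines()

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {v.src} -> {v.dst}:{v.dst_port} ({v.bytes_out} bytes)")
```

Run against a real export, every line this prints is either a gap in the diagram or a gap in the firewall; both are things the auditor will find, and the first is the cheaper one to fix before the visit.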
- Security awareness training programme documented with defined curriculum [VDA ISA 6.0 · HRS-01]
- 100% staff training completion records available per individual [VDA ISA 6.0 · HRS-02]
- Role-specific training for staff handling prototype/confidential data [VDA ISA 6.0 · HRS-03]
- Confidentiality / NDA agreements signed by all staff before data access [VDA ISA 6.0 · HRS-04]
- Pre-employment screening process documented (background checks where applicable) [VDA ISA 6.0 · HRS-05]
- Onboarding checklist includes IS responsibilities and policy acknowledgement [VDA ISA 6.0 · HRS-06]
- Off-boarding process revokes access within defined timeframe (same day for leavers) [VDA ISA 6.0 · HRS-07]
- Return of assets (devices, access cards) documented on departure [VDA ISA 6.0 · HRS-08]
- Disciplinary process for IS policy violations defined and communicated [VDA ISA 6.0 · HRS-09]
- Contractor/temp staff IS obligations documented and enforced [VDA ISA 6.0 · HRS-10]
- IS awareness refresher training delivered at least annually [VDA ISA 6.0 · HRS-11]
- Phishing simulation or awareness test results documented [VDA ISA 6.0 · HRS-12]
- Remote working security guidelines communicated and signed by staff [VDA ISA 6.0 · HRS-13]
- CISO or IS officer role formally assigned with documented responsibilities [VDA ISA 6.0 · ORG-03]
HR departments are consistently where TISAX® auditors find the most documentation failures. Not because security controls are missing — but because the paper trail that proves those controls were applied to specific individuals is incomplete.
The auditor’s methodology for HR is straightforward: they will pick a random sample of employees (typically 5-10 names), and for each one, they will ask to see the training record, the signed NDA, the onboarding IS acknowledgement, and the access provisioning record. If any one of those is missing for any individual, it is a finding.
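Because the HR sampling method is so predictable, HR can run the same test on itself first. The script below is an added example for this guide, not a tool from the page or from ENX: it draws a random sample from an employee register and checks, for each person, the four evidence items named above, plus two ordering rules the checklist implies (the refresher training must be within a year, HRS-11, and the NDA must predate access provisioning, HRS-04). The register, the employee IDs, the audit date and the one-year refresher window are constructed values; the real register would be exported from the HR system.

```python
"""
Mock HR evidence sample in the style of the auditor's method. Added example with
a constructed register; IDs, dates and the refresher window are assumptions.
"""
import random
from datetime import date
from typing import Dict, List, Tuple

# The four records the auditor asks for per sampled individual.
REQUIRED_EVIDENCE = ("training_record", "signed_nda", "onboarding_is_ack", "access_provisioning")
AUDIT_DATE = date(2025, 6, 1)  # constructed audit date
REFRESHER_DAYS = 365           # HRS-11: refresher at least annually

# Constructed register: value is the date the evidence was produced, None if absent.
EMPLOYEE_REGISTER: Dict[str, Dict[str, date]] = {
    "E1001": {"training_record": date(2024, 12, 1), "signed_nda": date(2023, 2, 27),
              "onboarding_is_ack": date(2023, 3, 1), "access_provisioning": date(2023, 3, 1)},
    "E1002": {"training_record": date(2025, 1, 20), "signed_nda": None,  # NDA never filed
              "onboarding_is_ack": date(2024, 4, 2), "access_provisioning": date(2024, 4, 2)},
    "E1003": {"training_record": date(2024, 1, 15),  # refresher overdue
              "signed_nda": date(2022, 5, 30),
              "onboarding_is_ack": date(2022, 6, 1), "access_provisioning": date(2022, 6, 1)},
    "E1004": {"training_record": date(2025, 3, 3), "signed_nda": date(2024, 9, 10),
              "onboarding_is_ack": date(2024, 9, 8),
              "access_provisioning": date(2024, 9, 8)},  # access two days before NDA
    "E1005": {"training_record": date(2025, 4, 14), "signed_nda": date(2021, 1, 11),
              "onboarding_is_ack": date(2021, 1, 12), "access_provisioning": date(2021, 1, 12)},
}


def check_employee(emp_id: str, rec: Dict[str, date], audit_date: date,
                   refresher_days: int = REFRESHER_DAYS) -> List[str]:
    """Return the findings the auditor would raise for one sampled individual."""
    findings = []
    for evidence in REQUIRED_EVIDENCE:
        if rec.get(evidence) is None:
            findings.append(f"{emp_id}: missing {evidence}")
    training = rec.get("training_record")
    if training is not None and (audit_date - training).days > refresher_days:
        findings.append(f"{emp_id}: training_record older than {refresher_days} days")
    nda, access = rec.get("signed_nda"), rec.get("access_provisioning")
    if nda is not None and access is not None and access < nda:
        findings.append(f"{emp_id}: access provisioned before NDA signed")
    return findings


def audit_sample(register: Dict[str, Dict[str, date]], sample_size: int,
                 audit_date: date, seed=None) -> Tuple[List[str], List[str]]:
    """Draw a random sample (seedable for repeatability) and check each person."""
    rng = random.Random(seed)
    ids = sorted(register)
    sample = rng.sample(ids, min(sample_size, len(ids)))
    findings = []
    for emp_id in sample:
        findings.extend(check_employee(emp_id, register[emp_id], audit_date))
    return sample, findings


if __name__ == "__main__":
    chosen, issues = audit_sample(EMPLOYEE_REGISTER, 5, AUDIT_DATE, seed=7)
    print("sampled:", ", ".join(chosen))
    for issue in issues:
        print("FINDING", issue)
```

The point of seeding the sample is repeatability for your own records; the auditor's pick will of course be their own. Anyone whose row produces a finding here would produce the same finding on the day.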
- Physical access control system deployed at all entry points to sensitive areas [VDA ISA 6.0 · PHY-01]
- Access logs retained and reviewed regularly (AL3: weekly minimum) [VDA ISA 6.0 · PHY-02]
- Prototype protection zone (high-security area) defined and demarcated [VDA ISA 6.0 · PHY-03 · AL3]
- CCTV coverage of all sensitive areas with minimum 30-day retention [VDA ISA 6.0 · PHY-04 · AL3]
- Intrusion detection/alarm system installed and tested (test records available) [VDA ISA 6.0 · PHY-05]
- Visitor management process: registration, escort rules, NDA before entry [VDA ISA 6.0 · PHY-06]
- Visitor log maintained and retained (minimum 3 months) [VDA ISA 6.0 · PHY-07]
- Camera/photography prohibition enforced in prototype areas with visible signage [VDA ISA 6.0 · PHY-08 · AL3]
- Clean desk and clear screen policy communicated and enforced [VDA ISA 6.0 · PHY-09]
- Secure document destruction (cross-cut shredding) process in place [VDA ISA 6.0 · PHY-10]
- Server room / data centre access restricted and separately logged [VDA ISA 6.0 · PHY-11]
- Environmental controls (UPS, fire suppression, cooling) documented and tested [VDA ISA 6.0 · PHY-12]
- Access card/badge deactivation on same day as departure confirmed [VDA ISA 6.0 · PHY-13]
- Perimeter security assessment completed and documented [VDA ISA 6.0 · PHY-14]
- Hardware disposal and data sanitisation procedure documented with records [VDA ISA 6.0 · PHY-15]
- Physical security walkthrough completed in last 6 months with findings log [VDA ISA 6.0 · PHY-16]
For TISAX® AL3 with prototype protection scope, the physical security assessment is often the most viscerally revealing part of the audit. The auditor will walk the site. They will look at doors, read access logs, test that cameras cover what the documentation says they cover, and check that no-photography signage is visible from every angle in restricted zones.
AL3 prototype protection requires a defined high-security zone — a physical space where prototype information is handled — with access restricted to named, authorised individuals. The access control system must produce a log that is actively reviewed, not just retained.
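"Actively reviewed" is easiest to evidence when the weekly review is a repeatable procedure with a written output. The script below is an added example for this guide, not tooling from the page or from ENX: it reads badge events for the prototype zone door and produces the three findings a reviewer would look for (a granted entry by a badge that is not on the named authorised list, entries outside the zone's working hours, and repeated denials from one badge). The door name, badge numbers, authorised list, 07:00 to 19:00 window and log lines are all constructed; the real input is the access control system's export, and the window and thresholds are yours to set.

```python
"""
Weekly badge-log review for a prototype protection zone. Added example with a
constructed log; door, badges, hours and thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime, time
from typing import Dict, List

AUTHORISED_BADGES = {"4471", "4480", "4502"}  # constructed named-individual list
ZONE_HOURS = (time(7, 0), time(19, 0))        # assumed working window for the zone
DENIAL_THRESHOLD = 3                          # repeated denials worth a follow-up

# Constructed export in a simple 'timestamp key=value ...' form.
SAMPLE_LOG = """\
2025-05-12T07:58:03 door=PZ-1 badge=4471 result=GRANTED
2025-05-12T08:02:40 door=PZ-1 badge=4480 result=GRANTED
2025-05-12T08:15:11 door=PZ-1 badge=5190 result=GRANTED
2025-05-12T12:30:00 door=PZ-1 badge=6023 result=DENIED
2025-05-12T12:30:09 door=PZ-1 badge=6023 result=DENIED
2025-05-12T12:30:21 door=PZ-1 badge=6023 result=DENIED
2025-05-12T22:41:55 door=PZ-1 badge=4502 result=GRANTED
2025-05-13T09:00:02 door=PZ-1 badge=4502 result=GRANTED
"""


def parse_event(line: str) -> Dict[str, object]:
    """Turn one log line into a dict with a parsed timestamp and the key=value fields."""
    ts, *fields = line.split()
    event: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def review_badge_log(text: str, authorised=AUTHORISED_BADGES, hours=ZONE_HOURS,
                     denial_threshold: int = DENIAL_THRESHOLD) -> List[str]:
    """Return the review findings for one period's worth of badge events."""
    findings: List[str] = []
    denials: Counter = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        ts, door, badge = ev["ts"], ev["door"], ev["badge"]
        if ev["result"] == "GRANTED":
            if badge not in authorised:
                findings.append(f"{ts} {door}: badge {badge} granted but not on authorised list")
            if not (hours[0] <= ts.time() <= hours[1]):
                findings.append(f"{ts} {door}: out-of-hours entry by badge {badge}")
        else:
            denials[badge] += 1
    for badge, count in denials.items():
        if count >= denial_threshold:
            findings.append(f"badge {badge}: {count} denied attempts")
    return findings


if __name__ == "__main__":
    for finding in review_badge_log(SAMPLE_LOG):
        print("REVIEW", finding)
```

Keep each week's output (even when it is empty) with the reviewer's initials and date; that file is the difference between "retained" and "reviewed" when the auditor asks.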
- Information security policy approved and signed by top management [VDA ISA 6.0 · ORG-01]
- IS roles and responsibilities formally assigned (org chart or RACI) [VDA ISA 6.0 · ORG-02]
- Management review of ISMS held within last 12 months with signed minutes [VDA ISA 6.0 · MR-01]
- IS budget allocation evidenced (dedicated resources for ISMS maintenance) [VDA ISA 6.0 · ORG-04]
- Risk management policy defined with risk acceptance criteria [VDA ISA 6.0 · RM-01]
- Risk register reviewed, risks treated or accepted with management sign-off [VDA ISA 6.0 · RM-02]
- Statement of Applicability (SoA) completed and approved [VDA ISA 6.0 · SoA]
- Business continuity / disaster recovery plan approved by management [VDA ISA 6.0 · BC-01]
- Continual improvement process documented with examples of improvements made [VDA ISA 6.0 · CI-01]
- IS objectives set, measured, and reported to management [VDA ISA 6.0 · OBJ-01]
- Internal audit programme planned and completed with findings reported upward [VDA ISA 6.0 · IA-01]
- Corrective action process for non-conformities documented and evidenced [VDA ISA 6.0 · CA-01]
Management interviews are structured to probe one thing above all else: whether information security governance is real or performative. The auditor will ask a senior manager to describe the ISMS in their own words, explain who owns security decisions, and describe what happened after the last internal audit.
The questions are not technical. They are governance questions. But the answers reveal everything about whether the ISMS is a living system or a document filing exercise.
- Data classification scheme applied to all engineering/prototype data [VDA ISA 6.0 · AM-02]
- Prototype data inventory maintained (what exists, where stored, who has access) [VDA ISA 6.0 · PP-01]
- Need-to-know principle enforced: only authorised engineers access prototype files [VDA ISA 6.0 · PP-02]
- CAD/PLM system access restricted to approved users with audit trail [VDA ISA 6.0 · PP-03]
- Prototype file transfer restricted to approved secure channels only [VDA ISA 6.0 · PP-04]
- USB/removable media policy enforced on engineering workstations [VDA ISA 6.0 · PP-05]
- Screen lock/timeout enforced on all workstations in engineering areas [VDA ISA 6.0 · PP-06]
- Test vehicles and physical prototypes covered/secured when not in use [VDA ISA 6.0 · PP-07 · AL3]
- OEM-provided prototype data handled under specific OEM data handling rules [VDA ISA 6.0 · PP-08]
- Simulation/test data (crash results, performance data) classified and protected [VDA ISA 6.0 · PP-09]
- Engineering staff aware of and trained on prototype protection rules [VDA ISA 6.0 · PP-10]
- Version control system with access audit trail in use for all design files [VDA ISA 6.0 · PP-11]
- Third-party design contractors’ access to prototype data contractually controlled [VDA ISA 6.0 · PP-12]
- Secure deletion process for obsolete prototype data documented [VDA ISA 6.0 · PP-13]
- Print/plot controls for prototype drawings (numbered copies, log of distribution) [VDA ISA 6.0 · PP-14]
Engineers rarely think of themselves as a security risk. But from an auditor’s perspective, the engineering workstation is where the highest-value data lives — and often where the least disciplined security behaviour occurs. TISAX® AL3 prototype protection requirements were written specifically for this environment.
An auditor conducting an on-site AL3 assessment will ask to sit at an engineering workstation and observe. They will look at whether the screen locks automatically, whether a USB stick can be plugged in freely, and whether the most recent design file they can see in the recent documents list is the kind of information that should require a password to access.
- Legal and regulatory requirements register maintained and reviewed [VDA ISA 6.0 · LR-01]
- GDPR data protection obligations mapped to TISAX data protection scope [VDA ISA 6.0 · DP-01]
- Data processing agreements (DPAs) in place with all data processors [VDA ISA 6.0 · DP-02]
- Records of processing activities (RoPA) maintained and current [VDA ISA 6.0 · DP-03]
- OEM confidentiality obligations from contracts mapped to internal IS controls [VDA ISA 6.0 · LR-02]
- Data breach notification procedure documented (72-hour GDPR window) [VDA ISA 6.0 · DP-04]
- Data retention and deletion schedules defined and enforced [VDA ISA 6.0 · DP-05]
- IP and confidentiality clauses in all supplier and partner contracts [VDA ISA 6.0 · LR-03]
- Export control obligations reviewed and relevant classifications documented [VDA ISA 6.0 · LR-04]
- Intellectual property protection policy documented and communicated [VDA ISA 6.0 · LR-05]
- Privacy notices in place and aligned with actual data processing activities [VDA ISA 6.0 · DP-06]
- Cross-border data transfer mechanisms documented (SCCs, adequacy decisions) [VDA ISA 6.0 · DP-07]
- Data Protection Impact Assessment (DPIA) process in place for high-risk processing [VDA ISA 6.0 · DP-08]
The TISAX® Data Protection module is assessed separately from the core information security requirements, but it uses many of the same evidence types. For Legal teams, the key insight is that VDA ISA asks for evidence of compliance, not just the existence of policies — and the auditor will test whether the documented processes are reflected in actual contracts, processing records, and breach response procedures.
Companies that completed GDPR compliance exercises in 2018-2019 often find that their RoPA and DPA documentation has drifted from current reality. The TISAX® audit is an opportunity — and a requirement — to close that gap.
- Supplier register maintained identifying all third parties with TISAX-scope data access [VDA ISA 6.0 · SCM-01]
- Security questionnaire or IS assessment completed for each in-scope supplier [VDA ISA 6.0 · SCM-02]
- Data protection annexe included in all contracts with in-scope suppliers [VDA ISA 6.0 · SCM-03]
- Right-to-audit clause in supplier contracts involving sensitive data [VDA ISA 6.0 · SCM-04]
- Sub-contractor data access controlled and contractually restricted [VDA ISA 6.0 · SCM-05]
- Cloud and SaaS provider security assessments completed and on file [VDA ISA 6.0 · SCM-06]
- Supplier IS assessment refresh schedule defined (typically annual) [VDA ISA 6.0 · SCM-07]
- Onboarding process for new suppliers includes IS requirement communication [VDA ISA 6.0 · SCM-08]
- Supplier IS incidents reported to you within defined SLA (clause in contract) [VDA ISA 6.0 · SCM-09]
- Data destruction/return obligations on contract termination documented [VDA ISA 6.0 · SCM-10]
- Third-party access to your systems logged, reviewed, and time-limited [VDA ISA 6.0 · SCM-11]
- Supplier risk tiering documented (higher risk = more rigorous assessment) [VDA ISA 6.0 · SCM-12]
The third-party supplier finding is the most consistently underestimated area in TISAX® AL3 preparation. Procurement teams are focused on price, quality, and delivery. The idea that they need to maintain a security assessment programme for every supplier who touches prototype data is a significant operational shift.
But from the auditor’s perspective, it is non-negotiable. VDA ISA 6.0 Section 7 is explicit: if a supplier processes information on your behalf that falls within the TISAX® scope, you must have assessed their security posture and contractually bound them to appropriate standards. Both elements — assessment evidence and contractual clause — must be present.
Ready to get certified?
Book your free gap assessment today. Our experts will map your current posture against your target framework and give you a clear, honest roadmap to certification.
No commitment required • GDPR compliant • Strategy confirmed via secure link