The total cost of a TISAX® assessment goes far beyond the auditor's invoice. For automotive suppliers and service providers evaluating Assessment Level 2, internal effort, documentation quality, and future upgrade paths can significantly affect the overall investment.

The Common Assumption About Assessment Level 2

When automotive suppliers first explore TISAX® assessment options, Assessment Level 2 (AL2) tends to appear as the logical starting point. External assessment fees are lower than those for higher levels. The assessment is conducted remotely, so there's no need to travel, and on paper, the path to a TISAX® label looks shorter and less expensive.

However, organizations that plan their TISAX® journey based on assessment fees alone often encounter a more complex reality. The total effort involved in obtaining and maintaining a TISAX® label depends on factors well beyond what appears on the auditor's invoice.

It's crucial for automotive suppliers to understand the full picture before committing to an assessment level.

What Assessment Level 2 Actually Requires

TISAX® Assessment Level 2 is a plausibility assessment. The assessor's task is to evaluate whether the organization's self-assessment plausibly describes a functioning Information Security Management System (ISMS) that conforms to the ISA catalog requirements.

Unlike Assessment Level 3, AL2 does not include an on-site verification of implemented controls. The assessment is conducted primarily on the basis of the organization's written self-assessment and supporting documentation.

This has a critical implication: the quality of the self-assessment determines the success of the process.

For AL2, the assessor must be able to understand how each control objective is fulfilled based on the written description in the ISA catalog alone. Evidence documents serve to support those explanations — they do not replace them. If the self-assessment text is unclear, inconsistent, or insufficiently detailed, no amount of additional documentation can compensate. In such cases, revisions and further review cycles become necessary, extending both timelines and internal effort.

Why Internal Effort Is Frequently Underestimated

Assessment fees are visible. Internal effort is not — and this is where many organizations are caught off guard.

Preparing a plausible self-assessment requires a detailed, documented understanding of how information security controls work across the organization. This typically involves input from:

  • Information Security and IT departments
  • Human Resources and Facility Management
  • Compliance and Legal functions
  • Executive Management

The time required depends heavily on the expertise and diligence of the person responsible for documenting the controls in the ISA catalog. Organizations with a well-established ISMS and personnel familiar with TISAX® requirements can often complete the process efficiently. In contrast, organizations with a less mature ISMS typically face significantly greater effort in gathering the necessary information and describing the underlying processes and controls in a clear and comprehensible manner. Based on assessment experience, well-prepared organizations typically invest approximately 24 hours in preparing a plausible self-assessment. Less-prepared organizations can require 48 hours or more — and additional review iterations requested during the plausibility check can increase this further.

AL2 Versus AL2.5: A More Balanced Look at Total Effort

The assumption that a lower assessment level automatically means a lower total investment does not always hold.

When comparing AL2 and AL2.5 on total effort — including both the organization's internal preparation and the assessor's review work — the picture looks different from what assessment fees alone suggest:

Assessment Level | Estimated Internal Effort | External Assessment Effort
AL2              | ~28 hours                 | Lower
AL2.5            | ~10 hours                 | Higher

AL2.5 involves a greater depth of assessment and a more active role of the auditor, which results in higher external costs. However, the reduced internal preparation burden can make AL2.5 a genuinely more efficient option for organizations that lack the documentation discipline or staffing resources to navigate a high-quality AL2 self-assessment efficiently.

Neither option is inherently preferable. The appropriate choice depends on the organization's specific circumstances, rather than on which option appears less expensive in the assessment proposal.

The Risk of Changing Requirements

Many organizations begin their TISAX® journey with a clear, specific requirement from a single customer: obtain a label at Assessment Level 2. At that moment, AL2 appears to be the only sensible choice.

The automotive ecosystem, however, is dynamic. New customer relationships, expanded project scope, or changed information classifications can create the need for higher assessment levels — sometimes within the same validity period. Scenarios that frequently arise include:

  • Handling of Strictly Confidential information
  • Requirements involving Very High Availability
  • Scope expansions covering prototype protection
  • Additional OEM-specific requirements

No organization can predict all future requirements with certainty. But considering potential business developments at the planning stage — rather than reacting to them later — can help avoid unnecessary duplication of effort.

Understanding the True Cost of Upgrading from AL2

For organizations that start at AL2 and later need AL3, the upgrade path is not as straightforward as it might appear.

Because AL2 focuses on plausibility rather than on-site control verification, the methodological overlap between AL2 and AL3 is limited. An upgrade from AL2 to AL3 is generally comparable in effort to conducting an initial AL3 assessment from scratch. For a single location, this can mean approximately 24 hours of assessment effort — essentially a full re-start.

By contrast, organizations that begin at AL2.5 may be eligible for a differential assessment when moving to AL3. Depending on scope and labels, this can substantially reduce the assessment effort for the upgrade.

This does not mean AL2 is the wrong starting point. But for organizations with any realistic likelihood of needing AL3 in the future, the economics of starting at a higher level deserve careful consideration.

When AL2 Is the Right Choice

Despite the factors outlined above, Assessment Level 2 is an appropriate and effective choice for many organizations. It can be particularly well-suited when:

  • The organization already maintains a well-documented ISMS
  • Relevant personnel have solid experience with TISAX® requirements and terminology
  • A high-quality self-assessment can be prepared with minimal iteration
  • There is no foreseeable requirement to upgrade to AL3 during the current assessment cycle

Under these conditions, AL2 can deliver a sound route to a TISAX® label while keeping external assessment costs contained.

Key Questions to Guide Your Assessment Level Decision

Rather than starting from assessment fees, organizations benefit from working through the following considerations:

  1. How mature is our existing ISMS documentation? Can clear and comprehensible control descriptions be readily derived from the documented processes?
  2. Do we have the internal resources to lead a thorough self-assessment process without creating bottlenecks?
  3. What labels do our current customers require? Are any of these at AL3 today or potentially in the near future?
  4. Are we expanding into new customer relationships that may have different or higher TISAX® expectations?
  5. What is our realistic upgrade path? If AL3 becomes necessary, what would that transition cost us from each starting point?

Answering these questions regarding TISAX® assessment levels with input from the Information Security, IT, and business teams provides a far more reliable basis for decision-making than simply comparing assessment fees.

Looking Beyond Assessment Fees

Assessment Level 2 is frequently assumed to be the most economical route to a TISAX® label. For organizations with strong documentation practices and no foreseeable need for higher assessment levels, this assumption may well be correct.

For others, however, the true costs of AL2 — measured in internal preparation effort, review iterations, and potential upgrade expenses — can exceed the apparent savings on assessment fees.

The most cost-effective assessment level is not necessarily the one with the lowest entry price. It is the one that delivers the right balance of effort, assurance, and flexibility for your organization's specific situation.

Author

Holger Schmeken

Product Manager for TISAX® and VCS, Auditor for ISO/IEC 27001, Expert for Software Engineering with more than 30 years of experience, and Deputy Information Security Officer. Holger Schmeken holds a Master's in Business Informatics and has extended audit competence for Critical Infrastructures in Germany (KRITIS).
