Assessment Plan

Not only do the controls described above help to maintain or even improve the ISMS; a self-assessment is also the best way to check the entire company and to verify whether the ISMS is actually practised and understood. For this purpose we offer you the document “Audit Program“, in which you can document your planned audits.

Tip: A plan could look like this:

  • Up to 9 weeks before the TISAX Assessment – Preparation and structuring of the content
  • Up to 6 weeks before the TISAX Assessment – Inform employees about the planning
  • Approx. 4 – 5 weeks before the TISAX Assessment – Last complete execution of the self-assessment (dress rehearsal)
  • At the latest 1 week before the TISAX Assessment – If necessary, implement the last improvements to reach the desired maturity level of 3
  • At least 2 weeks before the assessment – Conduct the Management Review
  • Up to 1 week before the assessment – Communicate the rules of conduct for the TISAX assessment to the employees (preparation for interviews etc.)

Tip: To have more than one audit in your audit plan, you can also split the audit by department: auditing five departments separately gives you five audits instead of one large audit.

The document “Audit Procedure” is available for the self-assessment process and should explain why the rules were made and what quality expectations are placed on their implementation. In other words, the importance of the procedure should be explained. Good reasons for this are the control, maintenance and improvement of your information security level. Additionally, use the VDA ISA catalogue to check all controls.

The following general questions arise:

  • What exactly is affected by the TISAX assessment?
  • Which internal person or which audit service provider should perform the audit?
  • What type of assessment is performed?
  • What costs are involved?
  • What does the formal agreement for an audit look like?

The answer to the question of what is affected by the TISAX assessment is quite simple: what is checked is the scope and the assessment objective you selected.

The person conducting the assessment should always be objective and neutral. Therefore, you may not, for example, choose the previously selected consultant as your audit service provider. The self-assessment should provide sufficient objectivity regarding the ISMS, but also sufficient specialist knowledge, such as IT knowledge. Aim for an honest evaluation here, because a flattering evaluation gives you no advantage. You should pay attention to the following points when choosing an audit service provider:

  • Is the provider impartial, or is there a conflict of interest?
  • When is the audit service provider available?
  • How far away is the audit service provider? Travel costs should be considered.
  • Do you trust the audit service provider? After all, they gain a deep insight into your company.
  • Which languages does the audit service provider speak?

What types of assessment are available?
There are the following three different types:

  • Initial assessment
    • This is where the TISAX assessment process begins
  • Review of the corrective action plan
    • Repeated if necessary, until all findings are corrected, you leave the assessment process, or the period of 9 months has expired
    • Determines whether the measures comply with the TISAX objectives
  • Review
    • Repeated if necessary, until all findings are corrected, you leave the assessment process, or the period of 9 months has expired
    • Determines whether all gaps have been closed

What costs are involved?
This depends on many factors, such as the audit service provider, travel costs, scope, number of locations, etc.
For the registration of your scope you pay the ENX Association an amount of 405€ per site under the ABC model. The PBC model has an annual fee of 5000€ and lets you add as many scopes and locations as you like.
Depending on the audit service provider, price ranges of 1200 – 1800€ per assessment day are then possible. A lump sum, which depends on the scope and the locations, is usually added to this. For a calculation you are welcome to contact us.