The Challenge
PrecisionDrive Systems GmbH, a Tier-1 supplier of drivetrain components and embedded control systems, was required by their primary OEM customer to hold a valid TISAX Level 2 assessment as a condition of a new supply agreement. Their first assessment, conducted by an ENX-accredited audit body, returned 23 findings across the VDA ISA domains — including critical gaps in access control, cloud data handling, and third-party information security management. The OEM set a six-month deadline for re-assessment. Missing that deadline would trigger a contract clause allowing the OEM to source the components from an alternative supplier.
Understanding the Assessment Results
The initial TISAX assessment covered the VDA ISA 6.0 questionnaire across all five domains: Information Security, Prototype Protection, Data Protection, Cybersecurity, and Connectivity/Interfaces. The 23 findings broke down as four critical (must-fix before re-assessment), eleven major (high-priority remediation), and eight minor (improvement recommendations).
The four critical findings were: (1) no documented and tested information security incident response procedure; (2) administrative access to cloud-hosted engineering systems not protected by multi-factor authentication; (3) no formal third-party information security assessment process for sub-suppliers handling OEM prototype data; and (4) encryption at rest not enforced on the file shares containing CAD/CAM data classified as 'confidential' by the OEM.
Apex Cloud Consulting was engaged within two weeks of the assessment results being shared. Our first action was a structured triage workshop with the client's IT manager, CISO (a part-time role held by the Head of IT), and the operations director who owned the supply contract relationship. We prioritized the four critical findings for immediate action and sequenced the major findings across a 20-week remediation roadmap.
Remediating the Critical Findings
The incident response gap was addressed first because it was both the highest-risk finding and, in practice, the fastest to close. We used an adapted version of ISO/IEC 27035 as the framework, tailored to PrecisionDrive's size and IT staffing. The resulting procedure covered detection and reporting, triage, escalation, communication to affected OEM customers, and post-incident review. A tabletop exercise was conducted six weeks after the procedure went live to validate it — the exercise identified two process gaps (escalation contact list was incomplete; the procedure assumed 24/7 IT coverage that didn't exist), both corrected before the re-assessment.
The MFA gap on cloud systems was technically straightforward but organizationally complex. PrecisionDrive's engineering team used Microsoft 365 and Azure DevOps for CAD file management and version control. Enabling Conditional Access policies for administrative roles took two weeks of configuration and testing. The harder work was identifying 34 service accounts that were being used for interactive administrative access — a practice that bypassed MFA enforcement. Each account was replaced with a properly managed service principal with least-privilege permissions.
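Identifying service accounts that are being used for interactive administrative sign-ins is the detection step behind the cleanup described above. The following is an added example (not code from the case study or from Apex Cloud Consulting): it runs over a constructed batch of sign-in records shaped like the fields one would export from Entra ID sign-in logs, flags service accounts (assumed here to follow a `svc-` naming convention) that show interactive sign-ins, and orders them by privileged use so the most dangerous ones are replaced first. Field names, account names, apps and roles are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample records, shaped like an export of Entra ID sign-in logs.
# Accounts, apps and roles are invented for this example; field names are assumptions.
SAMPLE_SIGNINS = [
    {"upn": "svc-build@example.test", "interactive": True, "mfa_satisfied": False,
     "app": "Azure Portal", "roles": ["Global Administrator"]},
    {"upn": "svc-build@example.test", "interactive": True, "mfa_satisfied": False,
     "app": "Azure DevOps", "roles": ["Project Collection Administrator"]},
    {"upn": "svc-backup@example.test", "interactive": False, "mfa_satisfied": False,
     "app": "Azure Storage", "roles": []},          # non-interactive: expected for a service account
    {"upn": "svc-cad-sync@example.test", "interactive": True, "mfa_satisfied": False,
     "app": "SharePoint", "roles": []},             # interactive but unprivileged
    {"upn": "m.keller@example.test", "interactive": True, "mfa_satisfied": True,
     "app": "Azure Portal", "roles": ["Global Administrator"]},  # named admin with MFA: fine
    {"upn": "svc-build@example.test", "interactive": False, "mfa_satisfied": False,
     "app": "Azure DevOps", "roles": []},
]

SERVICE_ACCOUNT_PREFIX = "svc-"  # naming convention assumed for this example


def is_service_account(upn: str) -> bool:
    return upn.lower().startswith(SERVICE_ACCOUNT_PREFIX)


def service_account_interactive_report(records):
    """Summarise interactive sign-ins per service account.

    Interactive sign-ins are the ones a person performs. A service account showing
    up here is being used as a shared admin login, which is the pattern that slips
    past an MFA policy scoped to named administrator accounts.
    """
    report = defaultdict(lambda: {"interactive_signins": 0, "admin_signins": 0,
                                  "without_mfa": 0, "apps": set()})
    for r in records:
        if not is_service_account(r["upn"]) or not r["interactive"]:
            continue
        entry = report[r["upn"]]
        entry["interactive_signins"] += 1
        if r["roles"]:                      # any directory/DevOps role counts as privileged use
            entry["admin_signins"] += 1
        if not r["mfa_satisfied"]:
            entry["without_mfa"] += 1
        entry["apps"].add(r["app"])
    # Freeze the app sets into sorted lists so the result is deterministic and serialisable.
    return {upn: {**e, "apps": sorted(e["apps"])} for upn, e in report.items()}


def remediation_order(report):
    """Accounts with privileged interactive use first, then by volume of interactive use."""
    return sorted(report, key=lambda u: (-report[u]["admin_signins"],
                                         -report[u]["interactive_signins"], u))


if __name__ == "__main__":
    rep = service_account_interactive_report(SAMPLE_SIGNINS)
    for upn in remediation_order(rep):
        e = rep[upn]
        print(f"{upn}: {e['interactive_signins']} interactive, {e['admin_signins']} privileged, "
              f"{e['without_mfa']} without MFA, apps={e['apps']}")
```

Each flagged account is a candidate for replacement by a service principal or managed identity with least-privilege permissions; the report is also the evidence trail an auditor will ask for when checking that the finding was closed rather than just policy-papered.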
Encryption at rest for the CAD/CAM file shares was implemented using Azure Storage Service Encryption with customer-managed keys stored in Azure Key Vault. The migration of existing files to encrypted storage was completed in a rolling fashion over three weekends to avoid disrupting the engineering teams.
Third-Party Risk: The Hardest Finding to Close
The third-party information security finding was the most operationally complex of the four criticals. PrecisionDrive used eleven sub-suppliers who had access to OEM-classified prototype data — stamping suppliers, tooling partners, and a calibration laboratory. None of these relationships had a formal information security assessment on file.
We designed a tiered assessment approach scaled to PrecisionDrive's resources. Sub-suppliers with direct access to OEM-classified CAD data (four suppliers) received a full VDA ISA-based questionnaire review and a one-day on-site assessment. Sub-suppliers with access limited to specification documents (five suppliers) received a shorter self-assessment questionnaire backed by a contractual security addendum. Two suppliers were assessed as out-of-scope after a data flow review confirmed they had no access to OEM-classified information.
Three of the four deep-assessed sub-suppliers required remediation actions before they could be accepted. In two cases, the issues were procedural (no signed NDAs with the OEM's data classification requirements, no documented access revocation process). In one case, the supplier had a genuine technical gap — an unencrypted file transfer workflow — that required a configuration change on their end. Apex Cloud Consulting supported that supplier's technical remediation directly, acting as an extension of PrecisionDrive's project team.
Addressing the Major and Minor Findings
The eleven major findings covered a wide range of VDA ISA domains. The most significant were: no formal asset inventory covering information assets (not just hardware); patch management SLA not defined or monitored for externally facing systems; and the absence of a Business Continuity Plan section addressing IT recovery for production-critical systems.
The asset inventory was rebuilt using a combination of Azure Resource Manager exports (for cloud assets), Microsoft Defender for Endpoint (for managed endpoints), and a manual survey of OT systems on the production floor. The resulting register covered 847 assets across 14 asset classes, with data classification assigned to each based on the information it stored or processed.
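Merging several inventory sources into one register is where most of the effort in an exercise like this goes: the same asset appears in more than one tool, and anything that ends up without a data classification is a gap the auditor will find. The following is an added example (not the client's register or Apex Cloud Consulting's code) that combines three constructed extracts shaped like the sources named above, de-duplicates by asset identifier, attaches a classification from a lookup of what each asset stores, and reports what is still unclassified. Asset ids, classes and the classification table are invented for the example.

```python
# Constructed extracts shaped like the three inventory sources named in the case study.
# Ids, classes and sources are invented; the field names are assumptions for this example.
ARM_EXPORT = [
    {"id": "vm-cad-01", "class": "virtual_machine", "source": "arm"},
    {"id": "st-cadshare", "class": "storage_account", "source": "arm"},
]
DEFENDER_EXPORT = [
    {"id": "vm-cad-01", "class": "virtual_machine", "source": "defender"},  # same VM seen by both tools
    {"id": "ws-eng-17", "class": "workstation", "source": "defender"},
]
OT_SURVEY = [
    {"id": "plc-line3", "class": "plc", "source": "survey"},
]

# Classification assigned from the information each asset stores or processes
# (constructed lookup; in practice this comes from the data-flow review).
DATA_CLASSIFICATION = {
    "st-cadshare": "confidential",
    "vm-cad-01": "confidential",
    "plc-line3": "internal",
}


def build_register(*sources):
    """Merge inventory sources into {asset_id: {class, sources, classification}}."""
    register = {}
    for src in sources:
        for asset in src:
            entry = register.setdefault(
                asset["id"], {"class": asset["class"], "sources": set(), "classification": None})
            entry["sources"].add(asset["source"])
    for asset_id, entry in register.items():
        entry["classification"] = DATA_CLASSIFICATION.get(asset_id)
    return register


def unclassified(register):
    """Assets that have no data classification yet: these block sign-off of the register."""
    return sorted(a for a, e in register.items() if e["classification"] is None)


def count_by_class(register):
    counts = {}
    for e in register.values():
        counts[e["class"]] = counts.get(e["class"], 0) + 1
    return counts


if __name__ == "__main__":
    reg = build_register(ARM_EXPORT, DEFENDER_EXPORT, OT_SURVEY)
    print(len(reg), "assets across", len(count_by_class(reg)), "classes")
    print("unclassified:", unclassified(reg))
```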
Patch management was brought into scope by implementing a monthly patching window, documented SLAs (critical vulnerabilities: 5 business days; high: 30 days; medium: 90 days), and a dashboard in Microsoft Defender Vulnerability Management that gave the CISO real-time visibility into compliance. The BCP work was phased: a core IT recovery plan covering the eight production-critical systems was completed in time for the re-assessment; the broader organizational BCP was scoped as a follow-on project.
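The SLA figures above are only meaningful if something measures them, and the measurement has a subtlety: the critical SLA is stated in business days while the others are plain days. The following is an added example (not the dashboard from the case study or Apex Cloud Consulting's code) that evaluates a constructed set of vulnerability findings against exactly those SLAs as of a given date, scoped to externally facing systems, and produces the per-severity counts a CISO would want on a dashboard. Finding ids and dates are invented; treating the high and medium SLAs as calendar days, and ignoring public holidays in the business-day count, are assumptions for the example.

```python
from datetime import date, timedelta

# SLAs as stated in the case study. Critical is counted in business days; high and
# medium are taken as calendar days (assumption: the text just says "days").
SLA = {"critical": ("business", 5), "high": ("calendar", 30), "medium": ("calendar", 90)}

# Constructed findings shaped like rows from a vulnerability-management export;
# ids and dates are invented for this example.
SAMPLE_FINDINGS = [
    {"id": "VULN-001", "severity": "critical", "external": True,
     "first_seen": date(2024, 6, 3), "remediated": date(2024, 6, 7)},
    {"id": "VULN-002", "severity": "critical", "external": True,
     "first_seen": date(2024, 5, 27), "remediated": None},
    {"id": "VULN-003", "severity": "high", "external": True,
     "first_seen": date(2024, 4, 1), "remediated": date(2024, 5, 15)},
    {"id": "VULN-004", "severity": "high", "external": True,
     "first_seen": date(2024, 6, 1), "remediated": None},
    {"id": "VULN-005", "severity": "medium", "external": True,
     "first_seen": date(2024, 2, 1), "remediated": date(2024, 4, 20)},
    {"id": "VULN-006", "severity": "medium", "external": True,
     "first_seen": date(2024, 3, 1), "remediated": None},
    {"id": "VULN-007", "severity": "critical", "external": False,   # internal host: outside this SLA's scope
     "first_seen": date(2024, 5, 1), "remediated": None},
]


def business_days_between(start, end):
    """Weekdays strictly after `start` up to and including `end` (Mon-Fri; holidays ignored)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def elapsed(finding, as_of):
    """Time the finding has been open, in the unit its SLA is measured in."""
    unit, _ = SLA[finding["severity"]]
    end = finding["remediated"] or as_of
    if unit == "business":
        return business_days_between(finding["first_seen"], end)
    return (end - finding["first_seen"]).days


def sla_status(finding, as_of):
    """One of 'met', 'breached', 'open_within_sla', 'open_overdue'."""
    _, limit = SLA[finding["severity"]]
    within = elapsed(finding, as_of) <= limit
    if finding["remediated"]:
        return "met" if within else "breached"
    return "open_within_sla" if within else "open_overdue"


def compliance_summary(findings, as_of):
    """Per-severity status counts for externally facing systems, the scope the SLA was defined for."""
    summary = {}
    for f in findings:
        if not f["external"]:
            continue
        sev = summary.setdefault(f["severity"], {"met": 0, "breached": 0,
                                                 "open_within_sla": 0, "open_overdue": 0})
        sev[sla_status(f, as_of)] += 1
    return summary


if __name__ == "__main__":
    for sev, counts in compliance_summary(SAMPLE_FINDINGS, date(2024, 6, 14)).items():
        print(sev, counts)
```

The open-but-overdue bucket is the one worth alerting on: a finding that has already breached its SLA while still open is what the monitoring requirement in the finding was about, and a dashboard that only reports closed tickets will hide it.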
The Re-Assessment and What Came After
The TISAX re-assessment was conducted by the same ENX-accredited audit body 24 weeks after the initial assessment results were received — two weeks inside the OEM's six-month deadline. The assessment covered all 23 original findings plus a standard review of the full VDA ISA questionnaire.
The result: zero critical findings, zero major findings, four minor observations (none of which were present in the original assessment — they reflected the auditors identifying new improvement opportunities in areas the remediation program had strengthened). TISAX Level 2 certification was issued 11 days after the re-assessment, and PrecisionDrive shared the result with their OEM customer through the ENX portal the same day.
The supply contract was confirmed. The OEM's procurement team subsequently asked whether PrecisionDrive would be interested in participating in a supplier development program for TISAX prototype protection — an indication that the remediation had shifted the relationship from compliance obligation to competitive differentiator.
PrecisionDrive has since retained Apex Cloud Consulting on a quarterly review basis to maintain their TISAX posture ahead of the three-year reassessment cycle.
Results at a Glance
- ✓ Zero critical findings at re-assessment (down from 4)
- ✓ Zero major findings at re-assessment (down from 11)
- ✓ TISAX Level 2 certification issued within 6-month OEM deadline
- ✓ 34 service accounts replaced with properly scoped service principals
- ✓ 11 sub-suppliers formally assessed; third-party risk program established
- ✓ 847-asset information register built and maintained in scope
