The First 90 Days of a TISAX® Project: What Companies Should Actually Do
The first 90 days of a TISAX® project often determine whether implementation moves efficiently or becomes unnecessarily difficult. This guide walks through the practical steps companies should focus on early, from scope definition and gap identification to governance, ownership, and building the foundation for a successful assessment.
One of the most common situations companies face starts with a simple email.
A customer asks: "Do you have TISAX®?"
Or perhaps: "TISAX® will be required for future business."
For many organizations, especially suppliers entering automotive security requirements for the first time, the immediate reaction is often uncertainty.
Where do we start?
Do we need software?
Do we hire consultants immediately?
Should IT take ownership?
Do we need to involve leadership already?
The reality is this:
The first 90 days often determine whether a TISAX® project becomes structured and manageable or unnecessarily difficult.
Companies that approach the beginning strategically often move significantly more efficiently later.
Here is what organizations should realistically focus on.
Days 1–14: Understand the Requirement First
One of the biggest early mistakes is immediately jumping into solutions before fully understanding the requirement.
Before creating policies or buying tools, companies should understand:
Who requested TISAX®?
Which customer relationships drive the requirement?
Which information requires protection?
Which assessment objectives may apply?
Which locations could potentially fall into scope?
What business activities support those customer relationships?
This sounds simple, but many companies lose time because they start implementation work before understanding exactly what they are trying to protect.
Another important step: Assign ownership
Someone internally must coordinate:
timelines
communication
evidence planning
stakeholder involvement
decision tracking
TISAX® rarely succeeds when ownership remains unclear.
Days 15–30: Define Scope Before Complexity Arrives
Scoping decisions heavily influence workload, and many organizations accidentally make implementation harder by defining scopes that are far too large initially.
Questions to ask:
Which locations actually support the customer relationship?
Which processes belong inside scope?
Which teams handle sensitive information?
Are prototypes involved?
Are supplier relationships relevant?
Are external service providers involved?
A focused scope often creates a dramatically more manageable project, especially for small and mid-sized companies.
Trying to include everything immediately can quickly overwhelm teams.
Remember, more scope means:
more evidence
more controls
more stakeholders
more documentation
more coordination
Scope carefully.
Days 30–60: Identify Gaps Before Building Solutions
Once the scope becomes clear, companies should begin identifying gaps.
This is often where organizations discover:
"We already do some of this."
Many companies already have controls operating informally.
Examples:
onboarding processes
password requirements
backups
supplier management
access approvals
visitor handling
awareness activities
The challenge is frequently documentation and consistency.
Gap identification areas often include:
Governance
ownership clarity
responsibilities
management involvement
Documentation
policies
procedures
records
approval
Technical Controls
access management
backups
logging
vulnerability management
Physical Security
visitor processes
restricted areas
facility protections
Awareness
employee education
security responsibilities
reporting expectations
The goal during this phase is not perfection; the goal is visibility.
Understand current maturity before implementing major changes.
Days 60–90: Build the Foundation
After understanding the scope and gaps, organizations can begin building a structure.
Focus on foundational elements first.
Examples:
Risk Management
Establish a practical process for:
identifying risks
evaluating risks
assigning ownership
documenting decisions
Ownership Assignment
Clearly define:
Who manages evidence?
Who owns technical controls?
Who supports physical security?
Who handles awareness activities?
Who coordinates assessments?
Unclear ownership creates delays later.
Policy Development
Prioritize core documentation.
Focus on:
access control
acceptable use
incident management
asset management
supplier expectations
awareness requirements
Do not attempt to create hundreds of pages immediately; build sustainably.
Evidence Organization
One challenge companies underestimate is evidence collection. Assessors generally want objective proof.
Examples:
screenshots
records
approval history
meeting evidence
logs
training completion
reviews
Organizations that organize evidence early often reduce stress significantly later.
Common First 90-Day Mistakes
Companies frequently struggle because they:
Buy Tools Too Early
Technology supports implementation, but technology does not replace governance.
Scope Too Broadly
A bigger scope creates a bigger workload.
Treat TISAX® As An IT Project
TISAX® touches:
leadership
HR
operations
facilities
engineering
quality
security
Cross-functional coordination matters.
Delay Leadership Involvement
Executive support becomes critical quickly.
Underestimate Documentation
Many controls exist operationally, and formal evidence frequently becomes the challenge.
Final Thoughts
The first 90 days of a TISAX® project are rarely about building perfection; they are about building direction.
Companies that move more efficiently typically:
understand requirements early
scope carefully
identify gaps realistically
establish ownership clearly
organize evidence early
involve leadership appropriately
TISAX® maturity develops over time. The strongest implementations rarely start by trying to do everything.
They start by doing the right things first.
Continue the Work
If you are reviewing operations security, you are often dealing with broader questions around ownership, resources, tooling, and internal priorities.
For organizations still aligning leadership, scope, and budget before deeper implementation, there is a structured TISAX® Starter Kit available.
It is designed to support executive-level planning and readiness discussions.
More details here:
https://payhip.com/b/CQSlY
If you are already in that phase, feel free to reach out directly.
