Mercedes Mandates ISO 27001 or TISAX: What Is It? What Does It Cost?

Bottom Line Up Front:

Mercedes-Benz now requires every dealership to meet a recognized security standard such as ISO 27001 or TISAX Level 2 by September 30, 2026. You are free to choose either path, and ITS has built a tool to help you decide which one is the better fit for your dealership.

This article explains:

  • What Mercedes actually requires
  • What ISO 27001 and TISAX Level 2 involve
  • How much compliance will realistically cost
  • The clear plan your dealership should follow
  • How ITS helps dealerships complete the work with confidence

You’ll get simple guidance, complete information, and a direct path forward.


What Mercedes Is Requiring From Every Dealership

Mercedes expects dealerships to implement a qualified information security program, such as ISO 27001 or TISAX Level 2. Their Cyber Security Guideline outlines several controls that must be implemented, monitored, and proven with documented evidence.

Here is what Mercedes expects:

Required Security Controls

  • Individual user accounts (no shared logins)
  • Multi-factor authentication (MFA) for systems with customer data
  • Encryption of customer data at rest and in transit
  • Secure password and secret storage
  • Strong endpoint protection (EDR or MDR)
  • Working backup systems for business-critical data
  • Documented disaster recovery and application recovery plans

Required Monitoring & Logging

Dealerships must be able to:

  • Monitor access to customer information
  • Detect unauthorized access attempts
  • Log and retain security events
  • Monitor copying, deletion, and modification of customer data
  • Review activity during investigations

If you do not have continuous monitoring, Mercedes expects an annual penetration test performed by a certified professional (OSCP/OSCE).

Access & Vendor Management Requirements

Dealerships must review and maintain:

  • Employee access to customer data
  • Removal of accounts when employees leave
  • Vendor access and vendor security safeguards
  • Documentation showing reviews actually happen

Governance Expectations

Dealers must maintain:

  • A documented security program (ISMS or similar)
  • A designated security officer role
  • Written policies that match real workflows
  • BYOD, mobile, cloud, and physical security standards
  • The ability to coordinate cyber events with Mercedes

These requirements apply whether you choose ISO 27001 or TISAX. Evidence will be required in both cases.

ISO 27001 vs TISAX Level 2: What Each Option Means

Mercedes accepts either ISO 27001 or TISAX Level 2. The question becomes which path is more realistic for your dealership.

ISO 27001

ISO 27001 is a global certification that proves you run a formal, documented information security program year-round.

You will need to:

  • Define the ISO 27001 scope and boundaries
  • Establish an ISMS framework
  • Create a risk register
  • Assign a security owner and team

TISAX Level 2

TISAX is an automotive-specific assessment used across many OEMs.

At Level 2, you:

  • Complete a detailed self-assessment
  • Provide evidence that controls exist and function
  • Participate in an expert interview
  • Receive a TISAX result you can share with Mercedes

Which one should you choose?

Most dealerships choose TISAX Level 2 because it is a lighter lift.

However, some choose ISO 27001 if they work with partners outside automotive or want a broader certification.

To help dealerships make the right decision, ITS built this tool:

Use the Mercedes Compliance Framework Selector

What Compliance Really Costs

For most dealerships, the cost comes in three main categories: external assessments, remediation, and internal labor. Below is a complete breakdown so you can budget realistically.

A. External Assessment Costs


ISO 27001

  • Certification audits (Stage 1 + Stage 2): $10,000–$50,000+
  • Annual surveillance audits: multiple thousands per year
  • Optional readiness reviews: additional costs

TISAX Level 2

  • ENX registration: $475 per location per scope
  • Very large programs: about $5,850 per year
  • Accredited assessor review/interview: $5,000–$20,000+
  • Annual penetration test (if required): low five figures

B. Remediation and Preparation Costs

This is where dealerships spend the most time and money. Typical ranges:

Dealership Type                    Remediation Range
Single rooftop, modern IT          $25,000–$50,000+
Multi rooftop, legacy systems      $50,000–$100,000+
Large group with fragmented IT     $100,000+

Common Remediation Areas

C. Internal Time and Leadership Involvement

Expect to spend time on:

  • Policy review
  • Decision-making
  • Evidence collection
  • Audit and assessment meetings
  • Coordination across departments

This should be planned in advance to avoid delays.

The Clear Plan Your Dealership Should Follow

This 7-step plan keeps you on track for the September 30, 2026 deadline and helps avoid costly rework or failed assessments.

Step 1: Talk With Your Compliance Partner

Clarify which framework (ISO or TISAX) makes sense for your dealership.

Confirm your scope and any expectations beyond the written guideline.


Step 2: Get a Full Gap Analysis

A proper gap analysis should evaluate you against both:

  • Mercedes’ Cyber Security Guideline
  • Your chosen framework (ISO or TISAX)

Output should include:

  • A list of what you already meet
  • A list of gaps
  • Evidence you must collect
  • High-priority risks that will block your assessment


Step 3: Build a Realistic Timeline

Most dealerships need 8–12 months to reach readiness.

Your plan should outline:

  • What needs to be done immediately
  • What must be completed before the assessment
  • What can be handled after you pass

Step 4: Build Your Budget

Your budget should include:

  • Assessment and audit costs
  • Tools (MFA, backups, logging, DLP, EDR/MDR)
  • Professional services for remediation
  • Governance and policy development
  • Internal time

This prevents unpleasant surprises later.


Step 5: Execute the Remediation Plan

Prioritize the issues Mercedes cares about most:

  • MFA everywhere
  • No shared logins
  • Cleanup of vendor access
  • Working backups and DR testing
  • Logging and monitoring
  • Updated policies
  • Evidence collection

This is the core of the project.


Step 6: Schedule Your Auditor or Assessor Early

Auditors and TISAX assessors often fill up months in advance.

Your partner should help you choose the right one and organize your evidence so the review goes smoothly.


Step 7: Maintain Compliance Year-Round

Once you pass, you must maintain:

  • Access reviews
  • Vendor reviews
  • Backup and DR tests
  • Log monitoring
  • Policy updates
  • Staff training

Compliance is ongoing—not a one-time event.


How ITS Helps Dealerships Succeed

ITS has more than 20 years supporting dealerships with cybersecurity, compliance, and technology. We understand dealership operations, DMS systems, vendor environments, and OEM expectations.

ITS helps you:

  • Interpret requirements
  • Determine the right framework
  • Perform a detailed gap analysis
  • Build a realistic timeline and budget
  • Remediate gaps in the right order
  • Organize and prepare your evidence
  • Navigate the assessment or audit process

Our focus is to make compliance practical, clear, and achievable for busy dealerships.


Ready to Choose Your Path?

Use ITS’ Mercedes Compliance Framework Selector to see whether ISO 27001 or TISAX Level 2 is the better fit for your dealership:

If you want help completing the steps above or need guidance interpreting your Mercedes requirements, ITS can walk you through every part of the process.