TISAX and ISO 27001 are both data security certifications, but they have different purposes. TISAX applies to the German auto industry and its suppliers. ISO is a global certification for any company. TISAX stands for Trusted Information Security Assessment Exchange, and ISO is the International Standards Association.
Key Takeaways:
- TISAX focuses on protecting intellectual property for the automotive industry, while ISO 27001 applies to all industries for general information security management.
- TISAX is based on ISO 27001 Annex A, and the two standards are similar in controls for risk management, an Information Security Management System (ISMS), and continuous improvement. TISAX includes additional controls for prototype protection and automotive supply chain security.
- TISAX requires a multi-level assessment process with automotive-specific controls, whereas ISO 27001 has a single certification level focused on general data protection.
- An organization can potentially save 20-30 percent of costs by pursuing both certifications together, leveraging overlapping controls and aligning audit processes.
Differences between TISAX and ISO 27001
There are several key differences between TISAX and ISO 27001, especially when it comes to scope. This is largely due to the specific focus of TISAX on the automotive industry. Let’s take a look at these differences now:
- Industry-specific focus
TISAX is specifically designed for the automotive industry and focuses on securing the manufacturers’ data throughout the supply chain. On the other hand, ISO 27001 specifies how a company can protect its own data or data entrusted to it and is applicable to any type of organization, regardless of industry.
A critical reason for the TISAX standard is the need to protect intellectual property throughout the automotive supply chain. As the 2021 research paper TISAX – optimization of IT risk management in the automotive industry explains, car makers must share design details with partners and vendors. However, sharing leaves companies vulnerable.
“Corporate espionage and data theft are not new to the automobile industry,” the authors state. “The developing digital technology makes it much easier to appropriate huge amounts of information and increases risk to which companies are exposed.”
TISAX outlines prototype protection controls not specified in ISO 27001, such as the following:
- Customer separation and protection against unauthorized access
- Secure storage and handling of documents, parts, and vehicles
- Provisions for the camouflage and security of test vehicles during test drives on public roads
- Security of models used in photoshoots and other marketing projects
- Assessment approach
TISAX assessments are conducted by qualified TISAX assessors contracted by the ENX Association, which manages TISAX. Meanwhile, ISO 27001 audits are conducted by accredited certification bodies independent of ISO.
- Levels of certification
TISAX uses a three-level assessment approach, while ISO 27001 has only one certification level: you either comply or you don’t. As the TISAX Participant Handbook says, TISAX assessment levels correspond to protection levels and range from 1, normal, to 3, very high. Each corresponds to the sensitivity of the data being handled. The higher the assessment level, the greater the assessment complexity.
- TISAX Level 1: This is suitable for suppliers who handle only non-sensitive information or for organizations initiating the certification process. Organizations at this level must demonstrate basic security capabilities, such as access control, secure data storage, and password management. Level 1 involves a self-assessment, which provides a baseline and reveals opportunities to address any non-conformities.
- TISAX Level 2: This is for suppliers who handle moderately sensitive information, such as personal and confidential data. A Level 2 assessment builds on Level 1 and looks for data classification, encryption, and protection systems. Audit work usually includes a plausibility check on your self-assessment and documentation and is conducted remotely.
- TISAX Level 3: This is for suppliers who handle data that requires a high protection level, such as highly confidential data related to military projects and trade secrets, including prototypes, test parts and vehicles, and even events like photo shoots and test drives. A Level 3 assessment builds on the Level 1 and Level 2 requirements. The audit includes a detailed documentation review, on-site checks, and in-person interviews of key security staff.
- Certification criteria
TISAX is based on ISO 27001 but also includes requirements specific to the automotive industry, such as physical security, incident management, business continuity, and access control, while ISO 27001 is a more general framework that covers a broad range of information security topics. In other words, for ISO 27001 certification you need only meet the requirements, whereas for TISAX the audit assesses and grades the maturity of your implementation, which you can define as the effectiveness of your Information Security Management System (ISMS) in deterring and mitigating threats.
“Vendor management guidelines also tend to be stricter with TISAX,” says Micah Spieler, Chief Product Officer at Strike Graph. “Not setting up policies to manage risk in the supply chain can be a ‘gotcha’ in assessments.”
- Certification management
While TISAX’s requirements catalog is reviewed at least once a year by the VDA, the review cycle of an ISO standard is at least once every five years by all ISO member bodies.
- Certification process
TISAX assessments are tailored to the organization's specific protection needs, focusing on the sensitivity of the data handled and the organization's role in the automotive supply chain. In contrast, ISO 27001 certification follows a standardized process that evaluates the organization’s ISMS within its defined scope, which the organization determines. While ISO 27001 audits are comprehensive but scoped, TISAX requires mandatory assessments for Levels 2 and 3, with the audit scope directly shaped by the required protection measures specific to the automotive industry. As the TISAX Handbook says, “Every part of your organization that handles your partner’s confidential information is part of the assessment scope.”

How TISAX overlaps with ISO 27001
TISAX overlaps with ISO 27001 in controls for risk management, ISMS, confidentiality, certification length, and continuous improvement. The standards overlap because TISAX is based on ISO 27001 Annex A. If you're compliant with TISAX, you're largely compliant with ISO 27001.
- Risk management: A company must identify risks and implement controls to manage them.
- ISMS (Information Security Management System): A documented ISMS is obligatory.
- Security controls: Organizations must keep constant vigilance over the effectiveness of security controls.
- CIA (confidentiality, integrity, and availability): Sensitive data must remain confidential, intact and available to the appropriate users when it’s required.
- Certification validity: Both certifications are valid for three years, although ISO 27001 requires annual audits.
- Continuous improvement: An organization must strive for continuous improvement of ISMS policies and practices.
General summary of how TISAX and ISO 27001 overlap
This table summarizes the areas of overlap between TISAX and ISO 27001.
| Area of overlap | How TISAX and ISO 27001 align |
|---|---|
| Risk-based approach | Both standards are based on risk assessment and management. ISO 27001 incorporates a formal assessment, and TISAX includes automotive-focused risk controls. |
| Common controls | TISAX is based on ISO 27001:2022 Annex A and includes common controls. |
| Continuous improvement | ISO 27001 promotes continuous improvement through regular audits and the PDCA cycle; TISAX does so through regular reassessment to ensure a strong security posture and ascertain a system’s maturity level. |
| CIA | Data confidentiality, integrity, and availability are essential elements of an ISMS governed by either standard. |
| Third-party and supplier risk management | Both standards emphasize secure data sharing in supply chains and partner relationships. |
| Documentation and record keeping | Both frameworks require detailed documentation of information security policies, procedures, and practices. |
| Audit requirements | TISAX and ISO 27001 both require regular audits. |
| Certification validity | Both certifications are valid for three years. |
| Requirements | Both require companies to stand up and regularly review an information security management system (ISMS); both emphasize the importance of access control measures; and both prioritize incident management processes to manage and mitigate security threats and events. |
How TISAX and ISO 27001 controls overlap

Download mapping of TISAX and ISO 27001 controls
How TISAX and ISO 27001 evidence overlaps

Download mapping of TISAX and ISO 27001 evidence
How to choose between TISAX and ISO 27001
When choosing between TISAX and ISO 27001, consider how much you deal with the car industry. If you deal with a range of business types, ISO 27001 better fits your data security needs.
Consider the following factors when selecting a security standard:
- Industry relevance: TISAX originated in the automotive industry, but ISO 27001 suits various organizations of any size.
- Scope: TISAX protects automotive information throughout the supply chain, while ISO 27001 addresses broader information security issues.
- Requirements of clients and partners: If you are a German or European automotive OEM or supplier, you likely need a TISAX certification. However, TISAX may also become a requirement soon for U.S. automakers.
- Geographic location: You may need TISAX certification if you operate in regions where TISAX is more recognized, such as Europe. However, a company located outside Europe that works with European manufacturers also might require certification.
- Internal resources: ISO 27001 requires fundamental security measures, such as documented data security policies, procedures, and practices, access control mechanisms, and incident response and disaster recovery plans. The TISAX framework requires additional internal resources to secure the supply chain, including prototype protection procedures, data privacy protection measures, and secure communication and data exchange systems.
Stephen Ferrell, CISA, CRISC, and Chief Strategy Officer at Strike Graph, gives this advice to companies:
"While evaluating security standards, focus on your core business relationships and trajectory. ISO 27001 provides a comprehensive security framework that adapts across industries, while TISAX addresses specific automotive requirements. The key is matching your certification to your primary business sector and client demands."
When should a company get both TISAX and ISO 27001 certifications?
A company should get both TISAX and ISO 27001 certifications when it works with automotive companies. These companies usually require their supply chain to show a high level of commitment to general data security and specific automotive concerns.
| Condition | TISAX | ISO 27001 |
|---|---|---|
| Your company is part of the automotive supply chain, especially from a German automaker. | ✅ | ✅ |
| You have global clients with mixed compliance needs. | ✅ | ✅ |
| You deal with sensitive data across various sectors. | Not needed unless you’re in automotive | ✅ |
| You want to increase trust with a wide variety of stakeholders. | Not needed unless you’re in automotive | ✅ |
“When companies need both certifications, it's typically because they serve the automotive sector alongside other industries,” Ferrell says. “ISO 27001 provides the broad security foundation demanded across sectors, while TISAX specifically satisfies automotive supply chain requirements. Having both does create the potential for new opportunities outside automotive - you can serve both automotive and non-automotive clients effectively.”
Spieler adds: “Not having either label can be a deal breaker for business opportunities. So, the effort to certify is worth it because you can maintain your contracts and sell to other automotive opportunities. There’s the esoteric ‘trust’ angle for both of these — you can build increased trust, which has a positive impact on your business in terms of new revenue and retention of revenue.”
How to add TISAX if you have ISO 27001 certification
You have a head start if you have ISO 27001 since TISAX is based on it. But there’s still a lot of work to be done. You’ll determine your TISAX level, conduct a gap analysis, and implement your changes. Then, you’ll choose an assessor and undergo your audit.
“If a company is used to the straightforward compliance levels in ISO 27001, the TISAX levels can be a stumbling block,” says Spieler. “You need to take care to review the TISAX assessment objectives early on in your certification journey to see how they align with your business. Otherwise, you run the risk of under-scoping or over-scoping your compliance efforts.“
Learn more in our article about TISAX assessment levels.
Here’s a quick overview of the steps to add TISAX if you already have ISO 27001 certification:
- Determine your TISAX level and your approach to certification: Do you have in-house expertise, or would you benefit from using compliance experts like Strike Graph?
- Conduct a gap analysis: If you already have ISO 27001 certification, you likely have a firm security foundation. But consider what additional measures your ISMS requires to conform with TISAX.
- Implement changes: Before you can proceed with the TISAX application, you must address any non-conformities in your security system.
- Complete the TISAX self-assessment questionnaire: Confirm your ISMS’s conformity with TISAX by completing the Information Security Assessment.
- Select an approved auditor: ENX offers a list of approved auditors with deep knowledge of TISAX requirements.
- Undergo the TISAX audit: The auditor reviews your self-assessment and responds with any suggestions to address gaps. After you make amendments, the auditor verifies the changes and then conducts the assessment.
- Address gaps in audit findings: The auditor might respond with a corrective action plan that notes non-conformities. It’s up to you to make improvements, which the auditor verifies. It might take several rounds to get it all right.
- Receive your TISAX label: Upon completing the audit, you receive your TISAX label.
How to do TISAX and ISO 27001 at the same time
Achieving TISAX and ISO 27001 certifications together can save money and time with a well-organized approach. Compliance professionals like Strike Graph can help guide you if you don’t have the expertise in-house.
Here are the steps to do TISAX and ISO 27001 at the same time:
- Conduct a combined gap analysis: Identify overlapping controls between TISAX and ISO 27001. ISO 27001’s ISMS framework and Annex A provide a strong foundation for TISAX compliance.
- Define certification scopes: For ISO 27001, define the organization-wide ISMS scope. For TISAX, focus on processes involving sensitive automotive data, such as prototypes and designs.
- Map overlapping controls: Use a control matrix to reuse documentation and evidence. Shared areas include risk management, access control, and incident response. Efficient mapping can save significant effort. But knowing the overlaps isn’t enough. You need a strategic approach to take advantage of them.
- Align audit timelines: Schedule ISO 27001 and TISAX audits close together to optimize your resources and lessen redundancy.
- Implement TISAX-specific controls: Add controls for prototype protection, supply chain security, and data privacy, which TISAX requires beyond ISO 27001. Careful planning helps tailor these controls effectively.
- Leverage compliance tools: Platforms supporting multiple frameworks can centralize documentation and streamline audits, making it easier to manage both certifications.
- Train staff for dual compliance: Provide training on shared principles and TISAX-specific requirements. Clear, targeted training ensures your team understands both standards.
- Audit and maintain compliance: Regularly review and update your ISMS. Continuous improvement helps maintain both certifications.
Time savings by doing TISAX and ISO 27001 at the same time
Although TISAX and ISO 27001 are separate audits, you can save time by reusing your ISO 27001 controls and documentation for the TISAX audit. Keep in mind that the ISO 27001 standard was last revised in 2022. If you have an existing certification under ISO 27001, you are within the 18- to 36-month timespan to transition your certification to the upgraded standard.
- How long does it take to do TISAX?
A TISAX certification takes 6-12 months to complete. The process includes preparation, self-assessment time, a 2-day to 3-day on-site inspection, and time to correct non-conformities. The final assessment must be completed within nine months of the start date.
- How long does it take to do ISO 27001?
ISO 27001 certification takes from 3 months to one year to complete, depending on the company's size. Preparation takes about 4 months and the audit another 2-3 months. However, previous experience with ISO 9001 makes the process easier.
- How long does it take to do both TISAX and ISO 27001?
It can take 6-18 months to do both ISO 27001 and TISAX certification. If your company is already ISO 27001-certified, the process might be faster. A new ISO 27001 implementation takes longer because it comprehensively assesses your entire ISMS.
Cost savings by doing TISAX and ISO 27001 at the same time
Companies can potentially save 20-30 percent of costs by preparing for TISAX and ISO 27001 at the same time. Here’s the breakdown:
- How much does it cost to do TISAX?
TISAX certification typically costs between $5,000 and $15,000 USD, depending on factors like company size and assessment scope. This includes registration fees, auditor expenses, and costs for implementing the required security measures specific to the automotive industry.
- How much does it cost to do ISO 27001?
ISO 27001 certification usually ranges from $10,000 to $30,000 USD for small to medium-sized companies. Expenses cover purchasing the standard, training staff, potential consultant fees, internal resource allocation, and auditor fees for the certification audit.
- How much does it cost to do both?
Pursuing both TISAX and ISO 27001 simultaneously can reduce total costs by leveraging overlapping requirements, potentially saving 20-30%. Combined expenses might range from $15,000 to $35,000 USD as shared efforts in implementation and auditing streamline the certification process.
How Strike Graph streamlines ISO 27001 and TISAX
Whether you already have your ISO 27001 and are looking to add TISAX or are starting from scratch, Strike Graph’s compliance platform gives you the tools you need to prepare for, easily achieve, and maintain your TISAX label and/or ISO 27001 certification.
Our software supports multiple frameworks, so you can define controls and satisfy evidence once across multiple frameworks — like TISAX and ISO 27001. This flexible approach saves time and money and puts you in a position to easily scale with other security certifications down the road.
“You can track the overlap between the two frameworks by mapping controls to criteria in both frameworks,” explains Spieler. “You can also streamline evidence collection using the fine-grained settings in Strike Graph. These settings help you scan evidence requirements, so you know what additional evidence you must add for variations in each framework. The big benefit? Everything is organized together for ease of use in the audit and monitoring afterward in operations.”
If you want to learn how the controls and evidence for TISAX and ISO 27001 map specifically for your organization, set up a time to chat with a Strike Graph compliance expert.
TISAX and ISO 27001 FAQs
Is ISO 27001 certification also beneficial for companies in the automotive industry?
ISO 27001 certification is beneficial for car-related companies. It boosts security to protect networked cars from cyber threats. The standard's controls help guard driver personal data and connected-car safety systems.
Why would I need TISAX if I already have ISO 27001 compliance?
You need TISAX even if you already have ISO 27001 compliance because it specifies extra controls for sharing sensitive data, such as prototypes and part designs. ISO 27001 forms a broad security foundation on which TISAX builds.
Is TISAX easier than ISO 27001?
TISAX is easier than ISO 27001 because it focuses on only those controls needed in the automotive supply chain. ISO 27001 provides controls with a broader scope, and audits examine structures in greater depth.
Do US companies need TISAX?
US companies need TISAX certification if they work with German or other car OEMs. Your contract may insist that you conform to TISAX. It is key for working together and securely sharing intellectual property and other sensitive data.
Is ISO 27001 certification required to obtain TISAX certification?
ISO 27001 certification is not required to obtain TISAX certification. TISAX is an independent standard focused on the car industry. However, the framework builds on the broader requirements of ISO 27001. Companies may benefit from certifying in both standards.
How often do I need to renew my TISAX and ISO 27001 certifications?
You need to renew your TISAX and ISO 27001 certifications every three years. You must begin the recertification process before your previous certificate expires. ISO 27001 requires annual review audits.
Can I use the same ISMS for both TISAX and ISO 27001?
You can use the same ISMS for both TISAX and ISO 27001. Many controls overlap, such as controls for risk assessment, access control, and data protection. You may need more controls to meet the automotive-specific requirements of TISAX.
Is TISAX worth it?
TISAX is worth it to improve your data security framework. This can boost your competitive advantage in the car and truck industry with TISAX-specific controls. The audit prep improves the efficiency of all your information security processes.
Is ISO 27001 worth it?
ISO 27001 certification is worth it for companies that process and control sensitive data. It shows a commitment to continuous improvement of security processes. It thereby enhances your reputation. Compliance is essential for doing business in some sectors.