Strike Graph security compliance blog

TISAX vs. ISO 27001

Written by Michelle Strickler | May 17, 2023 7:00:00 AM

If your company is looking to do business with German automakers, you probably already know TISAX is non-negotiable. And even if TISAX isn’t mandatory for you yet, it’s smart to look ahead to the day when US automakers may start demanding the same standard. (Tesla is already using TISAX, so that future may be closer than you think.)

The next step is to understand how TISAX differs from ISO 27001, how the two interact, and whether you need one or both. Read on to get the scoop.

What is TISAX?

TISAX stands for Trusted Information Security Assessment eXchange and is a cybersecurity framework specifically designed for the automotive industry. It was developed by the German Association of the Automotive Industry (the Verband der Automobilindustrie, or VDA) in collaboration with the International Automotive Task Force (IATF) back in early 2017.

This framework is designed to provide a standardized approach to information security assessments for automotive suppliers and service providers. To become TISAX certified, an organization must undergo a security assessment by a qualified TISAX assessor. This assessment evaluates the organization's information security management system (ISMS) against the TISAX requirements.

Once the assessment is complete, the organization is assigned one of three TISAX assessment levels, determined by the sensitivity of the information it handles. The sensitivity levels, with the assessment level each maps to, are:

  • Basic: Intended for suppliers who only handle non-sensitive information. (Assessment level 1)
  • Medium: Intended for suppliers who handle sensitive information but not information that requires the highest level of protection. (Assessment level 1)
  • High: Intended for suppliers who handle information that requires a high level of protection, such as personal data or intellectual property. (Assessment level 2)
  • Very High: Intended for suppliers who handle the most sensitive information, such as military-grade technology or trade secrets. (Assessment level 3)

What is ISO/IEC 27001:2022?

ISO 27001 is a widely recognized cybersecurity framework that provides a systematic approach to managing and protecting sensitive information. It was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and is applicable to any type of organization, regardless of size or industry.

The ISO 27001 standard is part of the ISO 27000 series that specifies the requirements for an information security management system (ISMS) and provides a framework for managing the security of sensitive information. It covers topics such as risk management, access control, incident management, and business continuity. The framework is designed to help organizations establish, implement, maintain, and continually improve their ISMS.

To become ISO 27001 certified, your organization must undergo a rigorous certification process that includes a comprehensive assessment of its ISMS. The assessment is conducted by an accredited certification body that evaluates the organization's compliance with the ISO 27001 standard.

So, how are TISAX and ISO 27001 related?

The TISAX framework is based on the ISO 27001 standard. In fact, the majority of TISAX is based on the requirements of Annex A of ISO 27001. However, TISAX includes additional requirements specific to the automotive industry, such as physical security, access control, incident management, and business continuity. 

This means that both TISAX and ISO 27001 are based on the same information security management principles, with both frameworks requiring organizations to do the following:

  • Identify and assess information security risks.
  • Implement appropriate security controls to mitigate those risks.
  • Monitor and review the effectiveness of security controls.
  • Continually improve the ISMS based on the results of the monitoring and reviewing of current security activities.

Overall, both TISAX and ISO 27001 are focused on the protection of sensitive information, including personal data, financial information, and intellectual property. Therefore, they both provide a comprehensive framework for managing information security risks and ensuring the confidentiality, integrity, and availability of such sensitive information.

Additionally, both a TISAX label and an ISO 27001 certificate are valid for three years once issued.

There are several key differences between TISAX and ISO 27001, especially when it comes to scope. This is largely due to the specific focus of TISAX on the automotive industry. Let’s take a look at these differences now:

Industry-specific focus

TISAX is specifically designed for the automotive industry and focuses on securing the manufacturers’ data throughout the supply chain. ISO 27001, on the other hand, covers the protection of the company’s own data and of data entrusted to the company, and is applicable to any type of organization, regardless of industry.

Approach

TISAX assessments are conducted by qualified TISAX assessors, while ISO 27001 assessments are conducted by accredited certification bodies.

Levels

As we mentioned before, TISAX uses a three-level assessment approach, while ISO 27001 only has one certification level.

Criteria

TISAX includes additional requirements specific to the automotive industry, such as physical security, incident management, business continuity, and access control, while ISO 27001 is a more general framework that covers a broad range of information security topics.

Management

TISAX’s requirements catalogue is reviewed at least once a year by the VDA, whereas an ISO standard is reviewed by the ISO member bodies at least once every five years.

Certification

TISAX assessments are conducted on a case-by-case basis, while ISO 27001 certification requires a more comprehensive certification process.

Cost

TISAX assessments can be more expensive than ISO 27001 assessments due to the specialized knowledge and expertise required for TISAX assessments.

Whether you already have your ISO 27001 and are looking to add TISAX on top or are starting from scratch, Strike Graph’s compliance platform gives you the tools you need to easily achieve and maintain your TISAX label and/or ISO 27001 certification.

Our software supports multiple frameworks, so you can define controls and evidence once and apply them to multiple frameworks — like TISAX and ISO 27001. This flexible approach saves time and money and puts you in a position to easily scale with other security certifications down the road.