TISAX® and ISO 27001: Differences and Similarities

TISAX und ISO 27001
TISAX und ISO 27001

In this blog post, we want to compare TISAX® with ISO27001, dive deep into both standards and summarize the results for you. We won’t only talk about differences, but also mention similarities and synergies between the two standards. Here is a comprehensive comparison between TISAX® and ISO 27001.

What are the main differences between TISAX® and ISO 27001?

Although TISAX® originally was derived from ISO 27001, the two standards are completely independent of each other. There are also no dependencies regarding the application, requirements, audits, and certifications. In other words, if you have TISAX® or ISO 27001, one doesn’t replace another.

Having that in mind, we have compiled a list of differences as a summary. However, in the further part of this post, we will go into details of each item:

  • ISO 27001 is a certification, while TISAX® is a label.
  • ISO 27001 is international, but TISAX® is not yet international.
  • TISAX® is used in the Automotive Industry, whereas ISO 27001 can be applied to all industries.
  • In TISAX®, the whole company is being assessed. In ISO 27001 functions, production lines can be assessed individually.
  • TISAX® Catalogue requires the maturity levels of each and every control, ISO 27001 doesn’t measure the maturity levels.
  • Re-auditing structure is different. TISAX® Re-Audit is after 3 years, ISO 27001 on the other hand has it on a yearly basis.
  • As TISAX® is automotive-specific, it includes details like Prototype Protection, Data Protection (which is way stricter than ISO 27001 especially when Assessment Level 3 is desired)
  • TISAX® has 9 months from the beginning to implement all the major and minor discrepancies.
  • TISAX® has a limited choice for Auditors in comparison to ISO 27001.
  • In order to simplify the differences, we have divided them into 2 groups; structural and technical differences.

In order to simplify the differences, we have divided them into 2 groups; structural and technical differences.

Structural Differences

Structural differences are the differences regarding the process, context, and definition of the audits. As mentioned above, ISO 27001 is a certification for Information Security. However, TISAX® is given as a label. Companies that have TISAX® are listed in the ENX Portal. This is to serve the purpose of TISAX®. If you want to learn more about this, here is a suggested Blog Post.

Furthermore, ISO, hence the name, is an international standard. On the other hand, TISAX® is a requirement from VDA, which is mainly German. Nevertheless, we believe that TISAX® is growing to be the European Information Security Standard for the Automotive Industry. Let’s wait and see. Moving on, TISAX® is an industry-specific label, whereas ISO 27001 can be applied to all industries. In addition to that, ISO 27001 can be applied to a production unit or department. For TISAX however, the whole company -with the option to choose locations- needs to be audited.

Finally, the re-auditing structure is different. ISO 27001 requires a yearly audit, whereas TISAX® re-certification is after 3 years.

Technical Differences

ISO 27001 has 114 controls, which are used as the basis of the assessment. However, those controls don’t have a maturity level measured. In TISAX® maturity levels are defined and used as criteria for the achievement of the label. There are 6 maturity levels in TISAX®, from 0 to 5. An average of 3 is required to have the label. On the other hand, for some controls, maturity levels need to be a minimum of 2. Therefore, TISAX® is way more concrete when it comes to implementation as it has to measure the maturity levels.

As TISAX® is an automotive industry standard, it includes Prototype protection. The data protection section of the TISAX® is way more comprehensive and restricted than ISO 27001, especially for Assessment Level 3.

One more technical difference is that, from the day of the first audit, TISAX® has 9 months deadline for implementing the measures defined in the audit. If those measures are not implemented within the 9 months, the application phase for the Label has to restart. Below is the TISAX® project timeline.

Tisax Consultancy Services

When it comes to choosing the Auditing company, TISAX® has a way-limited set of options in comparison with ISO When it comes to choosing the Auditing company, TISAX® has a way-limited set of options in comparison with ISO 27001. As of January 2023, TISAX® has only 14 Auditing bodies worldwide. Having said that, we are done with the differences. Let’s focus on the similarities between TISAX® and ISO 27001 💃

Similarities Between TISAX® and ISO 27001

First of all, TISAX® is derived from ISO 27001. The control catalog of TISAX® is rooted in Annex A of ISO 27001. Therefore, we can easily say that the main idea and aim are pretty similar. Secondly, regardless of which audit the company successfully passes, the information security levels will be almost identical. In this sense, both labels are there to make sure a high information security standard is set.

If you are familiar with the ISO PDCA (Plan, Do, Check, Act) circle, TISAX® also requires a Continuous Improvement Process, where the aims are almost similar. We believe that a Continuous Improvement Process is crucial not only for information security but also for the other processes of the company.

Do TISAX® and ISO 27001 replace each other?

No. Definitely not. TISAX® and ISO 27001 are not mutually exclusive. Therefore, depending on your company’s needs, industry, and goals you can choose between two labels. Can’t you have both at the same time? Yes, you can. More on this is below.

Let’s assume that your company is working exclusively with the automotive industry. Then the TISAX® label might make more sense. If, however, you want to have a certification that’s known worldwide, then ISO 27001 can be a better option.

Does it make sense to have two certificates at the same time?

The answer is, it depends 🙂 Yes, I know it’s not a proper answer. But if you are exclusively delivering services or producing goods for the automotive industry, then TISAX® alone might serve your purposes. Having both will not hurt, as having one before the other will ease the total pain of audits. In this case, we suggest having the TISAX® label before ISO27001.

Wrapping-up

ISO 27001 has 114 controls, and TISAX® for information security has approx. 70. Therefore, one can easily claim that both standards are quite similar. Moreover, those controls from TISAX® are derived from ISO 27001. Depending on your company’s needs, goals, and industry you can choose between two labels. In the best case, you can have both.

You’re not sure where to start or which one to choose? We are here to help you. You can get in touch with us here.

TISAX® ist eine eingetragene Marke der ENX Association. Die 360 Digitale Transformation steht in keiner geschäftlichen Beziehung zur ENX. Mit der Nennung der Marke TISAX® ist keine Aussage des Markeninhabers zur Geeignetheit der hier beworbenen Leistungen verbunden. TISAX® Assessments, zur Erlangung von Labels, werden nur von den auf der Homepage der ENX genannten Prüfdienstleistern durchgeführt.

About the Author

TISAX® and ISO 27001

Can Adiguzel is the founder of 360 Digital Transformation. He is a TISAX consultant and ISO 27001 Lead Auditor. He has been working in IT project management for more than 11 years. His passion is information security for SMEs and he helps SMEs overcome their information security challenges with a hands-on consulting approach.