ISO Show

#245 What’s The Difference Between TISAX and ISO 27001?


For those in the automotive industry, namely suppliers working with European OEMs, you’re likely familiar with TISAX but not necessarily with the Standard from which many of its requirements originate.

ISO 27001 is the leading Information Security Management Standard, and its Annex A forms the basis of TISAX; however, there are many differences between the two.

For Automotive suppliers looking to create a more holistic Information Security Management System, it can be beneficial to implement elements of both even if you don’t intend to certify to both.

In this episode, Ian Battersby is joined by Emma Coxhill, isologist at Blackmores, to explore the differences between TISAX and ISO 27001, how existing ISO 27001 compliant management systems can be leveraged for TISAX compliance and the benefits of implementing both Standards for automotive suppliers.

You’ll learn

  • How does TISAX differ from ISO 27001?
  • How does the recertification / annual surveillance for TISAX and ISO 27001 differ?
  • Can a company have TISAX without ISO 27001 and vice versa?
  • How can an existing ISO 27001 certification be leveraged for TISAX?
  • What are the additional benefits of implementing both TISAX & ISO 27001?
  • What is a reasonable timeframe for implementing TISAX?
  • The key role of Internal Audits
  • How can Blackmores support companies in implementing TISAX?

Resources

In this episode, we talk about:

[02:05] Episode Summary – Emma Coxhill joins Ian to dive into the key differences between ISO 27001 Information Security and TISAX, including the benefits of implementing both and how each can be leveraged to assist in the implementation of the other.

[03:10] What is TISAX? TISAX was developed for the automotive industry by the German Association of the Automotive Industry, VDA, and it’s managed by the ENX Association.

It’s based on the ISO 27001 Annex A controls, and was created for the automotive industry because they were looking to standardise the framework for assessing and sharing information security results between manufacturers and their suppliers.

[04:20] How does TISAX differ from ISO 27001? ISO 27001 is a general Information Security Management Standard that can be applied to any business, whereas TISAX is only applicable to the automotive industry.

ISO 27001 includes a framework of requirements that everyone must implement, whereas TISAX has a more customisable element. With TISAX you can select an applicable level and relevant subject areas for your operations.

The last main difference is the fact that ISO 27001 certification ends in a certificate which can be shared and displayed wherever you want. TISAX in comparison has Labels, which are only available through the ENX portal where you have control over who can access them.

[05:15] How does the recertification / annual surveillance for TISAX and ISO 27001 differ? The good news is that TISAX is a bit more forgiving than ISO when it comes to a recertification cycle.

TISAX does not require an annual Surveillance like ISO 27001; instead, once you’ve earned a Label it remains valid for 3 years.

ISO 27001 in comparison requires an annual Surveillance for each year until the 3rd when you have your Recertification Audit.

If you have a significant change to scope part way through your 3 years of TISAX, you will need to have a chat with your auditor to see if extra work is required. This will depend on your level, with higher levels likely to require some additional work and for you to adjust your scope within the ENX portal.

Overall, a TISAX label is less of a burden than traditional Management System Standards like ISO 27001. However, TISAX is a lot more strict and will require more upfront preparation ahead of earning your Label.

[07:30] Are Internal Audits required for TISAX? They are, but the amount and frequency are a lot more flexible than ISO 27001. You can do as many as you like, but at a bare minimum we recommend you conduct internal audits 6 months ahead of your TISAX label expiring to ensure you’re ready for re-certification.

You can of course carry on with annual internal audits to make sure you’re on track.

This can be handy if specific clients ask for further evidence of you following processes in accordance with TISAX requirements.  

[08:35] Can a company have TISAX without ISO 27001 and vice versa? You can! Both are independent Standards; however, they do complement each other.

Organisations that hold both have a competitive advantage, as ISO 27001 applies to all industries and is more widely recognised.

However, if you only operate in the automotive space, TISAX may be sufficient. If you supply to multiple sectors, it’s worth considering implementing both TISAX and ISO 27001.

[09:25] How can an existing ISO 27001 certification be leveraged for TISAX? If you already hold an existing ISO 27001 certification, then you’re already 80% of the way there to TISAX compliance.

As TISAX is based on ISO 27001’s Annex A controls, a lot of the requirements cross over, so you will already have most of the foundations in place to cover TISAX. It will just be the more automotive-specific requirements that will require some additional work. These requirements include considerations for:

  • Data Protection
  • Prototype protection
  • Assets
  • 3rd Party Suppliers

The amount of additional work will also depend on the TISAX Level you’re aiming for, with Level 3 being the most demanding for these specific requirements.

[10:55] What are the additional benefits of implementing both TISAX & ISO 27001? Benefits include:

Robust Information Security – Having both TISAX and ISO 27001 forms a strong and versatile information security infrastructure that will cover all of your operations.

Easy Integration – These two Standards complement each other, and can easily be integrated. If you already have ISO 27001 in place, you have already completed a majority of the framework and will be familiar with what’s required to earn and keep both your ISO certificate and TISAX Label.

Customer Trust and Long-Term Resilience – TISAX is desired, if not an outright requirement, for European-based OEMs to work with suppliers. They require this because TISAX is a trusted Standard; a Label displays your commitment to information security within the automotive industry. It also helps to put you in a better position both to safeguard data and to respond in the event of a data / security incident.

Wider market access – If you supply to more than just the automotive industry, then having ISO 27001 in place will grant you access to the wider market that will recognise that Standard over TISAX.

[12:05] What is a reasonable timeframe for implementing TISAX? This will depend on a number of factors including the type of organisation, the number of sites, resources available etc.

The key thing to note is that this is not a 2-week project; it will take a number of months to get everything in place for your external assessment. A good measure of whether you’re ready is if you can score more than 2.71 on your self-assessment, and have completed a few internal audits to double check.

If you already have ISO 27001 in place, then you’re looking at between 3 – 6 months.

If you do not have ISO 27001 in place, then you’re looking at 6 months minimum. For Level 2, you will need proof that you have everything in place, it’s all been communicated and the relevant individuals have been trained.

Level 3 requires everything to be in place and operating for a certain amount of time, typically around 3 months is ideal to start building a library of evidence ahead of your external assessment.

Emma’s top tip: Be honest in your self-assessment. It’s there to be a benchmark, and you need to reflect on the reality of your position if you’re to accurately assess what Level you are ready to be assessed against.

[14:20] Core elements for success: As with any Standard, ISO or otherwise, TISAX will require leadership commitment in order to be successful. The requirements of TISAX need to come from the top down, just like with ISO 27001.

The Leadership ultimately drives TISAX’s success by ensuring the relevant resources are in place, and that the individuals involved have the necessary time to implement and maintain the Label.

For those within the Automotive Sector, TISAX is becoming an absolute requirement. It’s being pushed as a tender requirement, so you may lose out on business if you opt to not earn a Label.

[16:35] The key role of Internal Audits: As mentioned earlier, Internal Audits are a key part of the process for both TISAX and ISO 27001. They act as a business health check to ensure you’re on the right path.

They can help identify areas which may be non-conforming or simply highlight opportunities for improvement.

For TISAX, there is no outright requirement for 3rd party audits ahead of your assessment; however, we would recommend them, as a fresh pair of eyes can reveal things you may have overlooked. An external auditor will also be more unbiased and can provide an honest review and feedback as to what TISAX Level you are ready for.

[18:25] How can Blackmores support you with TISAX implementation? We can provide as little or as much support as needed. This can include a fully guided implementation where we assist you through each step.

This can apply to both TISAX and ISO 27001 if you wish to certify to both Standards.

Other options include:

  • Assisting with your TISAX self-assessment (aka a Gap Analysis)
  • Conducting a Maturity Assessment
  • Conducting internal audits
  • On-site support during your TISAX assessment audit

We are happy to provide whatever level of support you need. Blackmores do not provide a tick-box exercise; we pride ourselves on ensuring an implemented system works for you.

[21:10] Upcoming TISAX Webinar – Join us on the 18th March 2026 at 2pm for a webinar where we’ll dive into TISAX further and provide practical guidance on how to complete the VDA Self-Assessment.

Attendees will also get access to some freebies. So don’t delay, register your place here today.
