TISAX and ISO/IEC 27001 are the two information security frameworks most frequently allied among the major frameworks. Within the automotives, mobility, transportation, and the wider manufacturing industry, these are also the most frequently demanded in by automotive OEMs. Both require a mature Information Security Management System (ISMS), and their requirements substantially overlap because TISAX’s VDA ISA catalogue uses ISO 27001 as its primary reference standard. But they serve different purposes, use different audit mechanics, and produce different proofs of compliance. If you are a supplier deciding where to invest, understanding the distinction is the difference between meeting OEM requirements on the first try and wasting anywhere from six months to upwards of a year’s worth of money and effort on the wrong certification.
This guide breaks down the differences in scope, controls, costs, and audit process — and shows you how to choose the right path for your organization.
TISAX vs ISO 27001 at a Glance
If you only read one section, read this one.
The table below captures the 10 most material differences between the two frameworks.
| Dimension |
TISAX |
ISO 27001 |
|
Industry scope |
Automotive-specific |
All industries, general purpose |
|
Governing body |
ENX Association (operated on behalf of the VDA), based out of Europe (Germany and France) |
ISO / IEC, international in scope. Auditors are governed by national level accreditation bodies |
|
Foundation |
VDA ISA catalogue (v6.0, aligned with ISO 27001 Annex A, 80 controls) |
ISO/IEC 27001:2022, Annex A (93 controls) |
|
Assessment rigor tiers |
AL1, AL2, AL3 (three protection levels). *AL1 is self-assessment only. |
Binary — pass or fail. No tiering. |
|
Proof of compliance |
A “label” shared on the ENX portal |
A certificate (publicly displayable) |
|
Auditor eligibility |
ENX-approved assessors only (14 accredited providers worldwide, e.g., TÜV SÜD, DEKRA, DNV, DQS) |
Any accredited certification body |
|
Validity |
3 years, no annual surveillance audits |
3 years, annual surveillance audits required in 2nd and 3rd year. |
|
Unique modules |
Prototype protection, GDPR-specific data protection |
None beyond Annex A |
|
Result sharing |
Portal-only to authorized OEM participants |
Freely advertisable |
|
Require assessment result |
Level 3 (“Established”), or higher across all controls |
Effective implementation (no maturity scoring) |
In summary, ISO 27001 proves your organization runs a sound, general-purpose ISMS. TISAX proves the same and that you meet automotive-specific requirements that OEMs will actually check before awarding contracts.
What Each Standard Covers
ISO 27001: The Global Information Security Standard
ISO/IEC 27001:2022 is the international benchmark for information security management. It defines how to build, operate, and continually improve an ISMS. The standard itself specifies management-system requirements (context, leadership, planning, support, operation, evaluation, improvement), while Annex A lists the 93 controls grouped into four themes: organizational, people, physical, and technological.
Because ISO 27001 is industry-agnostic, a bank, a SaaS provider, and a hospital can all pursue the same certification. The trade-off is depth: it is broad by design and does not prescribe industry-specific controls.
TISAX: The Automotive-Specific Assessment
TISAX (Trusted Information Security Assessment Exchange) is operated by the ENX Association on behalf of the VDA, which is the German automakers’ trade body. It uses the VDA ISA catalogue (currently at version 6.0, as of April 2026) as its assessment basis. ISA 6.0 adds stronger emphasis on operational technology (OT), business continuity, operational continuity, and supply chain security, reflecting automotive-industry trends. It also added maps to NIST CSF 2.0
TISAX assessments can cover three modules depending on scope:
- Information Security: the core ISMS controls, closely mirroring ISO 27001 Annex A
- Prototype Protection: physical, digital, and procedural safeguards for pre-production vehicles and components
- Data Protection: EU GDPR-aligned controls when processing personal data on behalf of automotive partners
Unlike ISO 27001, TISAX assessments result in a label, a credential shared with OEMs that request it within the closed ecosystem of the ENX exchange network, rather than a public certificate.
How Much Do TISAX and ISO 27001 Overlap?
If you already hold ISO 27001, you have a substantial head-start. VDA ISA 6.0 explicitly uses ISO 27001 as its primary reference standard, with shared coverage across risk management, access control, supplier relationships, documentation, and continuous improvement. The VDA ISA catalogue itself includes a "Reference to other standards" column that maps requirements to known standards; while it most frequently references ISO 27001 controls, it also incorporates mappings to other standards like NIST and BSI.
The table below summarizes where ISO 27001 Annex A themes align with VDA ISA 6.0 sections.
| ISO 27001:2022 ANNEX A THEME |
CORRESPONDING VDA ISA 6.0 AREA |
OVERLAP |
|
Organizational controls (A.5) |
Information security policies, governance, supplier relationships |
High |
|
People controls (A.6) |
HR security, awareness |
High |
|
Physical controls (A.7) |
Physical & environmental security |
High |
|
Technological controls (A.8) |
Access control, cryptography, operations, network security |
High |
|
N/A (not directly covered)* |
Prototype protection |
TISAX-only |
|
Partially covered** |
Data protection / GDPR module |
TISAX extends |
|
Supplier relationships (A.5.19–A.5.23) |
Supply chain security (deepened in ISA 6.0) |
TISAX goes deeper |
|
*It should be noted ISO 27001 controls can, of course, be applied to management of what TISAX defines as prototypes. In that case, prototypes (whether digital or physical), will also have to be defined as assets and then usual ISO 27001 controls will apply. |
||
The portion that does not overlap is where extra effort is likely required: prototype protection, the GDPR-specific data protection module, and deeper supplier-security expectations.
A Deeper Dive into Key Differences Deep Dive
1. Industry Scope and Mandate
ISO 27001 has typically been pursued voluntarily as a market signal of security maturity. TISAX is typically a contractual prerequisite for suppliers to participating OEMs — Volkswagen, BMW, Mercedes-Benz, and an expanding list of global OEMs including Ford and GM. Without a TISAX label, suppliers are often excluded from qualifying for relevant contracts.
However, as part of tighter supply chain controls ISO 27001 (or SOC 2 Type II, where relevant), is also increasingly seen as a minimum requirement for potential vendors and suppliers.
Thus, while ISO 27001 is industry agnostic and widely accepted, and is increasingly being made into a “strong preference” (if not an outright requirement) by many purchasers, a TISAX label often is a base requirement for suppliers and vendors seeking to do business with automobile OEMs, and in particular by European manufacturers.
2. Assessment Levels vs Binary Certification
ISO 27001 is pass/fail with no tiering as to the rigor of the audit. TISAX has three Assessment Levels — AL1 (self-assessment, no label issued), AL2 (remote assessment by an auditor), and AL3 (on-site assessment by the auditor). This requirement is driven by the sensitivity of the OEM data you handle and the demands of the OEM. Prototype or high-R&D work usually trends towards AL3.
3. Audit Approach and Bodies
ISO 27001 audits can be performed by any accredited certification body. Auditors can be located at the IAF (International Accreditation Forum)’s CertSearch database.
TISAX assessments must be conducted by ENX-approved audit providers presented on the official ENX website. Note that the auditor pools do not fully overlap between ISO 27001 auditors and TISAX auditors.
4. Label vs Certificate — The Business Implications
This is more than naming. You can publish it on your website, include it in RFP responses, and display the logo on email footers. It exists inside the ENX portal and is shared only with OEMs who request access to your results. That means TISAX proves compliance to a known audience, not to the open market.
5. Prototype Protection — The Unique TISAX Requirement
Prototype protection is a TISAX-specific criteria catalogue with no direct exact equivalent to this in ISO 27001. It covers customer separation and protection against unauthorized access, secure storage and handling of documents and parts, camouflage of test vehicles during test drives, and security of models used in photoshoots. If your scope includes prototypes, this module alone may drive a significant chunk of TISAX-specific work.
Worth noting is that this module is only specifically covered in TISAX because of its relative importance in the automotive industry. Prototypes and test vehicles are also company assets, and when thought this way, ISO 27001 controls can be applied toward proper and secure management of prototypes. However, applying ISO 27001 alone may not cover such requirements as “protection of test vehicles on public roads”, as this may not be directly derived from the plain language of ISO 27001 which focusses on information security management.
6. Validity and Surveillance Audits
Both credentials are valid for three years. But ISO 27001 requires annual surveillance audits in between and hence comes with a recurring cost. TISAX does not require this. Audited parties pay for a full reassessment during the initial acquisition of the label and every subsequent renewal, with no mandatory checks in the intervening period.
Which One Do You Need? A Decision Framework
“It depends” is the unhelpful answer most articles give. Here is a more concrete matrix based on your organization’s profile.
| Your Profile |
Recommended Path |
Rationale |
|
Tier 1–3 automotive supplier to German/EU OEMs, or sometimes, sub-contractors to their major suppliers |
TISAX (AL2 or AL3) |
TISAX most likely is a contract prerequisite; ISO 27001 alone may not satisfy OEMs, unless expressly stated by the OEM |
|
IT/SaaS vendor serving German/EU OEMs automotive clients, or sometimes, to their major suppliers
|
TISAX AL2, add ISO 27001 if serving non-auto clients too |
AL2 covers most remote service providers, while ISO 27001 broadens marketability. Check with your OEMs or purchaser/client. |
|
Engineering / design firm handling prototypes |
TISAX AL3, ISO 27001 optional |
AL3 is mandatory for prototype handling; ISO 27001 helps outside auto |
|
Non-automotive enterprise (finance, SaaS, health) |
ISO 27001 only |
TISAX adds no value outside automotive supply chains |
|
Startup with mixed client base, includes auto OEMs |
ISO 27001 first, add TISAX when an OEM demands |
Build the general-purpose ISMS once; layer TISAX when the contract requires it. However, TISAX may have lead time until acquisition, so make a probabilistic assumption based on your appetite and exposure to automobile clients to prevent any lost business. Conversely, a TISAX-ready supplier provides a strong signal to any OEM scouting for potential vendors and suppliers |
Combining TISAX and ISO 27001 (Dual-Certification Strategy)
Can You Do a Combined Audit?
Not really. Despite the control overlap, a combined audit is generally not feasible — ISO 27001 and TISAX audits take different perspectives (company risk view vs. OEM supply-chain assurance view), different audit bodies, and different evidence requirements. Some audit providers will conduct both audits back-to-back using shared documentation, but the assessments themselves remain separate.
Migration Path: ISO 27001 → TISAX
If you already hold ISO 27001, a typical success route to TISAX is:
- Confirm TISAX scope and objectives: locations, systems, and which of the three modules (information security, prototype protection, data protection) apply. Confirm this with the OEM client as they will drive these requirements, unless your internal decision is to get assessed for the highest rigor (AL3), for all three criteria catalogues.
- Run a gap analysis against VDA ISA 6.0: focus on prototype protection, data protection, and the ISA 6.0 additions (operational resilience, supply chain security). Note that this self-assessment is basically AL1, but results in no labels.
- Close the gaps: tighten supply-chain controls, extend data protection documentation, and build prototype-protection controls if in scope
- Register on the ENX portal and select an approved assessor
- Conduct the TISAX assessment: AL2 remote or AL3 on-site, depending on scope
Organizations with mature ISO 27001 programs typically complete the TISAX addition faster, whereas a business starting without an ISMS will need at least 12 months to implement one, to demonstrate a full cycle of an effective and operational ISMS. A standard TISAX certification generally takes 6–12 months to complete.
Cost and Time Savings from Dual Pursuit
Pursuing both in parallel can yield roughly 20-50% cost savings compared to sequential certification, primarily from reusable ISMS documentation, shared risk registers, and a single coordinated implementation effort. The savings assume the same implementation team, not separate consulting engagements.
Timeline Comparison
Timeline
| Certification Path |
Estimated Timeline |
Notes |
|
TISAX |
6–12 months |
Timeline depends on the maturity and scale of the existing ISMS. The final assessment must be completed within nine months of the start date. |
|
ISO 27001 |
3 months to 1 year |
Timeline depends on the maturity and scale of the existing ISMS. Preparation for the audit takes about 4 months, and the audit itself spans another 1–3 months. |
|
Both in Parallel |
6–18 months |
Having an existing ISO 27001 certification makes the process significantly faster. |
|
No existing ISMS |
12+ months |
A business without an ISMS needs at least 12 months to implement one and complete a full Plan-Do-Check-Act (PDCA) cycle before certification. |
Frequently Asked Questions
Q: Is TISAX the same as ISO 27001?
A: No. TISAX’s VDA ISA catalogue is based on ISO 27001 and its Annex A and shares the majority of its controls, but TISAX adds automotive-specific modules (prototype protection, data protection) and uses a different audit and result-sharing mechanism. An ISO 27001 certificate does not satisfy TISAX requirements, although requesting OEMs should be consulted whether they accept a valid ISO 27001, especially if the scope is purely digital or data-based, involving no prototyping or test vehicles.
Q: Can ISO 27001 replace TISAX for automotive suppliers?
A: No. Automotive OEMs require a valid TISAX label shared via the ENX portal. ISO 27001 lacks prototype protection and is not accepted as a substitute, though it significantly accelerates TISAX preparation.
If the primary driver of acquiring is a potential business from a large OEM, we recommend confirming with them regarding accepted certifications.
Q: How much of ISO 27001 overlaps with TISAX?
A: Significant, but with major differences. VDA ISA uses ISO 27001 Annex A as its primary reference standard and includes a "Reference to other standards" column mapping requirements to known standards; while it most frequently references ISO 27001 controls, it also incorporates mappings to other frameworks like NIST CSF and BSI. The non-overlapping portion covers prototype protection, the GDPR-specific data protection module, and deeper supplier-security requirements introduced in recent revisions.
Q: Is acquiring a TISAX certification harder than getting ISO 27001 certified?
A: It depends on scope but likely yes. For the shared controls, the difficulty is comparable. TISAX AL3 becomes harder when prototype protection is in scope because it demands physical-security controls (access zones, camouflage procedures, photography restrictions) that ISO 27001 does not require.
Further, TISAX uses a six-level maturity model and typically expects Level 3 (“Established”) as the minimum — a more explicit bar than ISO 27001’s “effective implementation” criterion.
Q: Should I get ISO 27001 or TISAX first?
A: If you serve only automotive OEMs, start with TISAX. If you serve a mixed client base, start with ISO 27001 to build a reusable ISMS, then add TISAX when an OEM requires it. Either way, if you will eventually need both, parallel preparation can save roughly 20–50% of cost compared to working on them one after the other.
Q: Are TISAX and ISO 27001 mutually recognized?
A: No. An ISO 27001 certificate is not accepted in place of a TISAX label, and a TISAX label cannot be displayed publicly as ISO 27001 can. They serve different audiences and compliance purposes. Organizations that need both must pursue both. Auditing bodies (certification bodies) may also be different. For example, TISAX auditors tend to be Europe-based bodies, providing services globally. ISO 27001 is globally recognized and used, and there are certification bodies in all countries.
Choosing Your Path Forward
TISAX and ISO 27001 are not competing frameworks but should be thought of as complementary. While ISO 27001 proves general security maturity to any audience, TISAX demonstrates automotive-specific maturity to the OEMs that demand it.
The choice is driven by your current and potential customers and the industry you are based in.
A quick recap:
- If you serve German automotive OEMs (and sometimes, globally placed European OEMs too), TISAX might be non-negotiable. ISO 27001 alone may not satisfy procurement guidelines.
- If you operate outside the automotive sector, ISO 27001 is the more strategic investment. TISAX is not readily recognized outside of the scope stated in the point above. TISAX may also not be accepted by OEMs based out of Japan or the United States.
- If you need both, pursue them in parallel. Reusable ISMS documentation and shared implementation teams reduce combined cost by 20–30%.
- Start with a gap analysis. Map your current controls against both Annex A and VDA ISA 6.0 before committing to a timeline.
Whether your next step is a first TISAX assessment, a dual-framework program, or a migration from ISO 27001, the path begins with understanding how the two frameworks actually differ — and where they already align. Working with an experienced security partner such as NRI Secure who knows both standards can cut preparation time significantly and help you avoid scope and documentation missteps that delay the audit.




