Comparing TISAX against ISO 27001

What is ISO 27001?

ISO 27001

ISO 27001 is an internationally recognized standard for an information security management system (ISMS). It was published by the ISO (International Organization for Standardization) in Geneva and is based on the British Standard BS 7799.

ISO 27001 is recognized worldwide as a means of demonstrating information security through an information security management system (ISMS). An entire ISO 270xx family of standards has grown up around it, regulating specific areas such as network security or ISMS requirements for particular industries in more detail. A company's implementation of the ISO 27001 requirements can be confirmed by external certification. Certification is based on the ISO 27001 part of the standard, which formulates the requirements for the ISMS.

ISO 27001 has an Annex A, in which sections A5 to A18 formulate requirements for controls in various areas such as physical security, ISMS organization, access control, secure IT operation, etc. This annex is generally not part of a certification as such. The central component of ISO 27001 is risk management for information security: threats and vulnerabilities are assessed here, and the controls from Annex A or ISO 27002 can be used to treat the identified risks. Companies must produce a Statement of Applicability for ISO 27001, in which they list the implemented controls from Annex A; these controls thus become the subject of certification. At the end of 2021 or beginning of 2022, a new structure of Annex A and ISO 27002 will be published. TISAX has already aligned itself with this in VDA ISA 5.

The certificate references the Statement of Applicability of ISO 27001. Auditing organizations can obtain accreditation for this from the respective national accreditation body (in Germany, DAkkS) or offer certification as a non-accredited certification body, which is generally permitted and possible.

In addition to ISO 27001, there is another part of the standard, ISO 27002, which takes sections A5 to A18 of Annex A of ISO 27001 and explains them in more detail, thus offering implementation guidance for the requirements. ISO 27002 does not go as deep as other standards in this area: BSI IT-Grundschutz or NIST (USA) go much deeper and offer direct solutions.

If we look at the development of ISO 27001 certifications by country, we notice that the Netherlands holds about 1,000 certificates and England over 4,500. The class of up to 5,000 certificates per country includes, among others, China/Hong Kong, India and the UK. All of these are surpassed by Japan, where almost 10,000 certificates have already been awarded.

Reasons for TISAX

The German Association of the Automotive Industry e.V. (VDA) had already developed ISO27001_VDA_14516 ISO_IEC TR in 2005 in the working group "Integral information protection with IT security, prototype protection and risk management".
The objective was to supplement ISO 27001 specifically with the requirements for product protection in the German automotive industry. This involved protecting information security, the special protection of design and innovation in the development or test operation of prototypes or vehicle components, and the construction of design models. Car clinics, photo shoots and event marketing were not considered at that time. Over the past 10 years, various VDA ISA questionnaires (audit catalogs) have thus emerged from the VDA, all based on ISO 27001 and applied by VDA member companies (e.g. OEMs) to audit suppliers in this field. As a result, a supplier could have to undergo several audits by different OEMs or customers in a single year.

Development of a TISAX process

In order to simplify this ISA audit process and eliminate multiple audits, the VDA working group developed TISAX (Trusted Information Security Assessment Exchange), an audit and exchange mechanism.
This was tested as a concept in a pilot phase from May 2016 to 2017 and transferred to operation before the end of 2017. The ENX Association, founded in 2000 at the instigation of the VDA, was entrusted with the implementation of TISAX as a neutral party.

In the procedure, the supplier registers on the ENX TISAX platform and records its achieved TISAX assessment level there. The assessment is carried out by ENX-approved audit providers. However, ENX is not a nationally recognized standardization or accreditation body in the sense of ISO standards implementation! The TISAX certificates (TISAX labels) are valid for 3 years, like ISO certificates. However, there are no annual surveillance audits as with ISO 27001.

The TISAX labels are recognized only in the automotive industry as proof of information security, but within this industry they are now recognized worldwide.

TISAX participant development
What is TISAX?

TISAX VDA ISA Questionnaire

In the VDA ISA question catalog (audit catalog) version 5.0, the audit areas of information security, data protection and prototype protection were defined as audit content. The audit of information security follows the requirements of ISO 27001 / ISO 27002 and ISO 27017 (requirements for security in the cloud), and the TISAX VDA ISA question catalog makes direct references to these standards. In principle, however, the TISAX requirement also includes a full ISMS, just as ISO 27001 does.
Contributions about TISAX on the Internet state that ISO 27001 requires 119 controls in Annex A and TISAX only 52. This is not correct, as TISAX sometimes combines several ISO 27001 requirements in one checkpoint. In addition, it breaks these 52 groups of requirements down into almost 400 individual requirements.

TISAX Certification

The term TISAX certification is incorrect. It is a TISAX assessment, in which the maturity of the implementation is also assessed.
In the TISAX assessment, the implementation and the process maturity are each rated on levels 0-5, roughly in the same way as in a maturity model such as COBIT, ISO 15504 or CMM.

It can thus be said that, with ENX and the TISAX assessment procedure, the VDA has installed a parallel certification world for information security in the automotive industry. This basically comprises parts of the requirements of ISO 27001, supplemented by other special audit fields. TISAX remains, however, a verification of information security specific to the automotive industry.

There is also a fundamental difference in the way information security is viewed. ISO 27001 focuses on the company's own information security (including the regulation of processes outside the company's own ISMS and documents provided by third parties). TISAX, however, places a very large focus on the security of third-party information within the company's own ISMS, i.e. the data that the automotive manufacturer hands over to its suppliers. This must also be reflected in the risk analysis.

TISAX is not an ISO standard and currently has no international recognition outside the automotive industry. It is used for supplier approval in the automotive sector to demonstrate, on a uniform basis, the extended requirements in the areas of third-party connectivity and prototype protection. For this purpose, the working group also added extended requirements (including some that must be implemented as a MUST). This means that, in certain parts, requirements are formulated that go beyond those of ISO 27001. With the maturity level concept, TISAX attempts to give companies assistance and an assessment standard for implementing the requirements. A further objective of TISAX is to strengthen international recognition: OEMs such as Renault are already involved at EU level, and because of international production sites, TISAX audits already reach countries such as Spain or Poland and as far as China. In the future, TISAX will also be introduced at US OEMs. The international commitment of suppliers is progressing very fast.

An ISO 27001 certificate is an internationally recognized verification without industry reference, and it is recognized worldwide. The two assessment areas of data protection (data processors) and prototype protection are not included in the audit. With an ISO certification, no implementation maturity (level) is assessed; what is checked is whether the requirements are met, i.e. a yes or no. That is why we speak here of an audit and not of an assessment. The audit procedure is therefore tougher!

The VDA has been working on this topic in the area of supplier approval for its members for many years. The German Federal Office for Information Security (BSI) did likewise with IT-Grundschutz, later with IT-Grundschutz based on ISO 27001, and with BSI certification based on ISO 27001, primarily for the public sector.

Thus, industry-specific standards for information security are being formed by associations or authorities.
Recently, various efforts to improve the security of information processing have been observed in Germany. For example, companies such as BASF, Allianz and Bayer are now joining forces in working groups to improve security jointly in Germany and conserve resources.

The extent to which these certificates will be mutually recognized remains to be seen. Currently, there is only one standard, ISO 27001, that is recognized internationally across all industries.

TISAX is, as mentioned, an audit standard of the automotive industry and is used mainly for supplier approval. BMW and VW have made it a requirement as of 2018.

The Volkswagen Group has currently stated that it will only accept TISAX as proof of information security; no others, such as ISO 27001, will be recognized by VW. Others will surely follow.

However, it is certainly not the case that TISAX now replaces ISO 27001 or is a better way, as some sites on the Internet claim. It is perhaps better to say that those who already have ISO 27001 usually have a short path to TISAX, since they have already implemented an ISMS, which then has to be supplemented and adapted. Nevertheless, they will not reach TISAX without adaptations.

And whoever does TISAX has almost already developed a complete ISMS based on ISO 27001, which they could normally have confirmed with an internationally recognized ISO 27001 certification without much additional effort. If they are an automotive supplier, they may additionally hold the now necessary proof of prototype protection and/or data protection (data processor) required for supplier approval.

However, TISAX is currently of use to a supplier only in the automotive industry, for supplier approval. In other industries, the situation is different.
