The differences between ISO 27001 and TISAX®

Written by : Stéphanie HANTAT, expert consultant – EURO-SYMBIOSE partner specialised in Information Security

TISAX® and ISO 27001 are both standards dedicated to information security. Although they have many similarities (90% of the common part of TISAX® Information Security is based on the requirements of Annex A of ISO 27001), they also each have their own particularities which make them complementary.

While one is a generalist (ISO 27001), the other is specialised in the automotive field (and is starting to be extended to trucks). If one allows the protection of the company’s data or data entrusted to the company (ISO 27001), the other focuses on securing the manufacturers’ data throughout the supply chain. While one is proprietary: TISAX® is a certification based on the catalogue of requirements drawn up by the VDA, the other is international. This implies a more agile management of the first one (the requirements catalogue is reviewed at least once a year) and a more regulated one for the second one (the review cycle of an ISO standard is 5 years).

TISAX® is a label based on a 6-level assessment (from 0 to 5). To be TISAX® certified, a company must achieve level 3. To be certified to ISO 27001, an organization must have satisfactorily addressed each of the chapters of the ISO 27001 requirements as well as the applicable security measures in Annex A.

TISAX® applies to an entire site, with no exclusions. ISO 27001 allows for a precise perimeter to be defined.

ISO 27001 is an audit-based certification, TISAX® is an assessment-based label.

TISAX® offers three possible levels of assessment: level 1 is a self-assessment, level 2 is an assessment performed by a remote third-party auditor and level 3 is an assessment performed on site by a third-party auditor. ISO 27001 only offers the possibility of an on-site audit.

Finally, once you are ISO 27001 certified, you can proudly display your certificate, while with TISAX®, the results of your assessment are deposited on the ENX platform and can be shared with all partners to whom you give read rights.

To deepen your understanding of these standards, we invite you to participate in the following courses:

• TISAX®: Implementing the VDA ISA to achieve TISAX® certification – #920

• ISO 27001: 2013 – Understanding the requirements of the standard – #270 

• ISO 27001: 2013 – Designing an Information Security Management System – #271

• ISO 27001: 2013 – Become a system auditor – #272 

You are interessed ? 

Contact us at 02 51 13 13 00 or at service.clients@euro-symbiose.fr