TISAX vs. ISO 27001: What IT managers in the automotive supply chain need to know

Stefan Effenberger

IT Documentation Expert

Last updated: 18 June 2026

Reading time: 3 minutes

Key takeaways:

• Approximately 75% of the controls overlap: if you already operate an ISO 27001-compliant ISMS, you have already covered most of the requirements of the automotive-specific audit standard. The remaining effort concentrates on prototype protection, physical security, and the exchange procedure via the ENX portal.
• Two distinct outcomes: ISO 27001 culminates in an internationally recognized certificate. The automotive-specific audit standard does not issue a certificate but a label that is stored in the ENX portal and can only be shared with authorized partners; public advertising with it is prohibited.
• IT documentation is the common mandatory foundation: both frameworks require complete, up-to-date documentation of IT assets, network structures, and authorization concepts. Build this once, properly, and the same data foundation serves both audit procedures.

TISAX vs. ISO 27001: Differences and Similarities

Anyone who plans TISAX and ISO 27001 as two separate projects wastes time and budget. Approximately 75% of the controls overlap, and anyone who ignores this pays twice for the same work. This article shows where the two standards really diverge and how a common data foundation supports both assessments.

    What are the fundamental differences between ISO 27001 and TISAX?

    ISO/IEC 27001 is the internationally recognized standard for Information Security Management Systems (ISMS). It describes how organizations of any industry and size should systematically identify, assess, and treat information security risks. The result of a successful audit is a formal certificate, issued by an accredited certification body, valid for three years – with annual surveillance audits in between.

    The automotive-specific audit standard, known by the acronym TISAX, was developed in 2017 by the German Association of the Automotive Industry (VDA) and is managed internationally by the ENX Association. It is based on ISO 27001, but supplements the generic standard with industry-specific requirements, which are not optional extras in the automotive supply chain: protection of prototypes and development data, physical security of sites, specific supplier management, and – since VDA ISA 6.0 – availability as an independent audit objective.

    The core result is not a certificate, but a label that is stored in the ENX portal. Only authorized partners can view it. Public communication of the result is explicitly prohibited according to the rules of the exchange procedure.

    What are the specific differences in the audit procedures of TISAX vs. ISO 27001?

The structural differences begin with the scope. With ISO 27001, companies define the scope themselves: a single site, a specific department, or a specific product can be certified. This allows focused, resource-efficient initial projects.

The automotive-specific audit standard ties the scope to locations instead. Participants choose which sites are assessed, but within an assessed site the standard scope covers all processes, systems, and network segments that handle partner information; carving out a single department is not possible. The practical consequence for IT departments: every asset, every network segment, and every site in scope must be documented and assessed, and the sites that process a customer's data are the ones that customer expects to see covered.

Another structural difference lies in the maturity level model. ISO 27001 audits are essentially binary: a requirement is either implemented or a nonconformity is raised. The automotive-specific audit standard uses a graded maturity level model from 0 to 5 and sets a target maturity level for each VDA ISA control; for the standard assessment objectives that target is level 3 (the measure is defined, approved, and implemented). Scoring above the target does not improve the result, while any control below it is a deviation that must be remediated. Anyone who first understands the maturity level model during the assessment will have a problem; the gap analysis against the target levels therefore belongs at the beginning of every preparation project.

The audit intervals also differ. ISO 27001 requires annual surveillance audits and re-certification every three years. A TISAX label is valid for three years with no interim surveillance audits, so assessment costs arise only at renewal, provided the exchange procedure is followed correctly.

    What requirements do ISO 27001 and TISAX share?

    Despite the structural differences, both frameworks share a substantial core of content. According to VDA ISA 6.0, approximately 75% of the controls align with the requirements from ISO/IEC 27001 Annex A. This primarily concerns:

    • Risk management and risk treatment process
    • Access controls and authorization management
    • Network security and segmentation
    • Patch management and vulnerability management
    • Supplier management (with the automotive-specific standard delving deeper here)
• Incident management and business continuity

    For IT departments, this means: The same operational data foundation – a complete IT inventory, up-to-date authorization concept, documented network structures, and demonstrable patch management – supports both audit procedures. Anyone who has systematically built this foundation once does not need to create it twice.

    What does TISAX require in addition to ISO 27001?

    The additional effort for companies with an existing ISO 27001 ISMS focuses on three areas that play no role or only a minor role in the generic standard:

    Prototype protection: Anyone who manages development vehicles, design drawings, CAD data, or test data must demonstrate how these are protected from unauthorized access, unintentional publication, and physical exposure. This applies not only to IT systems but also to production halls, photo studios, and external locations.

    Physical security: The automotive-specific audit standard places significantly more emphasis on physical access controls than ISO 27001. Building security, zone concepts, and the physical protection of server and network infrastructure are audited in more detail than in the generic standard.

Availability (new since VDA ISA 6.0): Since the current catalog version, availability is an assessment objective in its own right, a direct response to ransomware attacks that have halted entire production lines in the automotive supply chain. Emergency and recovery plans must be specific, documented, and demonstrably tested, which means restore exercises with recorded results and measured recovery times, not a plan that exists only on paper.

    When do IT departments need both TISAX and ISO 27001?

The answer depends less on company size than on who the customers are. Companies that maintain business relationships with automotive OEMs like BMW, Volkswagen, Mercedes-Benz, or Stellantis, or are active in their supply chain, will generally need a TISAX label. Whether ISO 27001 is additionally required depends on further customer requirements, regulatory obligations (such as NIS2 for essential and important entities), and the company's own strategic positioning.

    A practical rule of thumb: Companies with a global customer base beyond the automotive industry are better off using ISO 27001 as a foundation and the automotive-specific audit standard as an extension, rather than the other way around. ISO 27001 is internationally recognized, is required by banks, insurers, and public clients, and forms the ISMS foundation upon which industry-specific extensions can be built.

    For pure automotive suppliers without further compliance requirements, the automotive-specific standard may suffice as sole proof – OEMs recognize it as equivalent proof of information security.

    What has changed in 2024 and 2025 regarding TISAX and ISO 27001?

VDA ISA 6.0 (currently published as release 6.0.2) has been mandatory for new assessments since April 1, 2024. The most significant changes compared to the previous version:

• Availability as a new assessment objective: a separate objective that evaluates emergency planning, recovery concepts, and backup strategies on their own
• Stricter requirements for supplier management: sub-suppliers who have access to OEM data must be demonstrably integrated into the company's own ISMS
• Clearer maturity level descriptions: the assessment criteria for maturity levels 3 to 5 have been refined, making audit practice more transparent for auditors and companies

In parallel, the NIS2 Directive, which classifies a significant number of automotive suppliers as essential or important entities, has further increased the pressure on IT documentation and risk management. Companies subject to NIS2 that also operate in the automotive sector benefit most from an integrated ISMS strategy that addresses both sets of compliance requirements from a common data foundation.

    What does an integrated implementation strategy for ISO 27001 and TISAX look like?

    Implementing both frameworks on a common ISMS basis saves, according to practical estimates, 30 to 50% of the effort compared to separate projects. The operational foundation for this is always the same:

    1. Comprehensive IT Inventory: All assets – hardware, software, virtual machines, cloud services – must be recorded and kept up-to-date. Both audit procedures start here, and both result in a poor outcome if the inventory status is outdated during the assessment.
    2. Authorization Concept: Who is allowed to access which systems and data must be documented, justified, and regularly reviewed.
    3. Network Documentation: Segmentation concept, network diagrams, and interface documentation are mandatory components of both audit procedures.
4. Risk Register: Structured risk assessment based on inventoried assets, for ISO 27001 according to clause 6, for the VDA ISA catalog according to its risk management requirements.
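What "outdated inventory status" and "regularly reviewed" look like in practice can be checked before an auditor does. The following is an added example written for this article, not code from the page, from any OEM, or from any inventory product: it runs three checks over a small constructed data set that covers the first three foundation items above (inventory freshness, authorization grants nobody can justify or that reference departed users or unknown assets, and assets placed outside the documented segmentation concept). All asset IDs, user names, segment names, dates, and the 30-day and 365-day thresholds are assumptions chosen for illustration; a real run would read the same fields from the inventory tool's export and the identity provider's user list.

```python
"""Pre-assessment checks over the shared data foundation.

Added example, not code from the article or from any inventory product: it
runs three checks that commonly produce findings in both audit procedures
(stale inventory entries, authorization grants that cannot be justified, and
assets outside the documented segmentation concept) over a small constructed
data set. All asset IDs, user names, segments, dates and the thresholds of
30 days and 365 days are made up for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str        # server, vm, workstation, cloud, ot, ...
    owner: str       # accountable team from the inventory
    segment: str     # network segment per the segmentation concept
    last_seen: date  # last inventory scan that confirmed the asset


@dataclass(frozen=True)
class Grant:
    user: str
    asset_id: str
    privilege: str      # "user" or "admin"
    justification: str  # empty means no documented reason
    last_review: date   # last entitlement review of this grant


# Constructed sample data; the assessment date is fixed for reproducibility.
ASSESSMENT_DATE = date(2025, 6, 18)
DOCUMENTED_SEGMENTS = {"office", "dev-restricted", "dmz", "cloud"}
KNOWN_USERS = {"m.mueller", "j.schmidt", "svc-backup"}  # current IdP/HR list
ASSETS = [
    Asset("srv-cad-01", "server", "it-ops", "dev-restricted", date(2025, 6, 17)),
    Asset("vm-erp-02", "vm", "it-ops", "office", date(2025, 3, 2)),
    Asset("ws-design-17", "workstation", "design", "dev-restricted", date(2025, 6, 16)),
    Asset("saas-pdm", "cloud", "engineering", "cloud", date(2025, 6, 18)),
    Asset("plc-line-3", "ot", "production", "legacy", date(2025, 6, 10)),
]
GRANTS = [
    Grant("m.mueller", "srv-cad-01", "admin", "CAD server administration, CHG-0412", date(2025, 1, 15)),
    Grant("j.schmidt", "ws-design-17", "user", "prototype design team", date(2025, 5, 1)),
    Grant("svc-backup", "vm-erp-02", "admin", "", date(2025, 2, 1)),
    Grant("a.weber", "srv-cad-01", "user", "former intern", date(2023, 11, 3)),
    Grant("m.mueller", "srv-old-fileshare", "admin", "legacy share", date(2025, 1, 15)),
]


def stale_assets(assets, as_of, max_age_days=30):
    """Assets not confirmed by a scan within max_age_days before as_of."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(a.asset_id for a in assets if a.last_seen < cutoff)


def undocumented_segments(assets, documented):
    """Assets placed in a segment the segmentation concept does not describe."""
    return sorted(a.asset_id for a in assets if a.segment not in documented)


def grant_findings(grants, assets, users, as_of, review_interval_days=365):
    """Authorization entries an auditor will ask about, as (user, asset, issue)."""
    known_assets = {a.asset_id for a in assets}
    cutoff = as_of - timedelta(days=review_interval_days)
    findings = []
    for g in grants:
        if g.asset_id not in known_assets:
            findings.append((g.user, g.asset_id, "grant on asset missing from inventory"))
        if g.user not in users:
            findings.append((g.user, g.asset_id, "grant for unknown or departed user"))
        if g.privilege == "admin" and not g.justification.strip():
            findings.append((g.user, g.asset_id, "privileged grant without justification"))
        if g.last_review < cutoff:
            findings.append((g.user, g.asset_id, "entitlement review overdue"))
    return findings


def pre_assessment_report(as_of=ASSESSMENT_DATE):
    """Bundle the checks; every list should be empty before the audit starts."""
    return {
        "stale_assets": stale_assets(ASSETS, as_of),
        "undocumented_segments": undocumented_segments(ASSETS, DOCUMENTED_SEGMENTS),
        "grant_findings": grant_findings(GRANTS, ASSETS, KNOWN_USERS, as_of),
    }


if __name__ == "__main__":
    for section, items in pre_assessment_report().items():
        print(f"{section}: {len(items)} finding(s)")
        for item in items:
            print("  ", item)
```

On the constructed data the report flags one asset not seen by a scan for over 30 days, one OT controller sitting in a segment the segmentation concept never documented, and four authorization issues, including a grant for a user who no longer exists in the identity provider and an admin grant with no recorded justification. Those are exactly the gaps an assessor finds by cross-reading inventory, authorization concept, and network documentation against each other, which is why keeping the three in one continuously updated data set matters more than the framework being audited.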

The critical success factor is not the framework but the data foundation. Automated inventory tools that continuously keep asset data, authorization structures, and network topologies up to date drastically reduce the effort for both audit preparations. Agentless solutions like Docusnap inventory Windows, Linux, and VMware environments without installing anything on the target systems and generate audit-ready reports directly from the current data, for ISO 27001 as well as for the VDA ISA catalog.


    Both Audits, One Data Foundation

    IT asset inventory, authorization concepts, and network documentation are the common mandatory foundation for ISO 27001 and the automotive-specific audit standard. Docusnap performs agentless inventory and generates audit-ready reports – for both frameworks.
