ISO 27001 Certification vs. TISAX® Label
TISAX® is on everyone's lips... Trusted Information Security Assessment Exchange! OKAYYY sounds busy!
TISAX® seems to be an equivalent to ISO 27001.
But let's get things straight first: A TISAX® label does not replace ISO 27001 certification!
TISAX® is not getting roasted here; on the contrary, the connection between TISAX® and ISO 27001 should not be underestimated.
First of all, it is not necessarily a meeting of two Aries! ISO 27001 still has the widest international adoption. But even loners (with family ISO 27002, ISO 27005, etc.) need a reliable buddy by their side from time to time to talk about things that you don't usually deal with so deeply.
Especially when it comes to new road trips. And for that, you usually need a car. And here we are... TISAX® brings the BMW X6M into play. So TISAX® seems to know which car will get you safely through the snow? Kinda...
So it fits what drives TISAX®! TISAX® is a cross-company testing and exchange procedure for information security in the automotive industry. One hell of an industry! It addresses the protection of data whose integrity and availability play a role in both the manufacturing process and the operation of vehicles.
So do ISO 27001 and TISAX® build on each other?
TISAX® has been around since 2017 and was derived from ISO 27001 as a catalog of requirements and tests for information security at suppliers to the automotive industry.
So the good buddy ISO 27001 spilled a few secrets around a cozy campfire. And since TISAX® is very interested in cars, it was obvious to copy a few things and spice them up with some horsepower.
Thus, the so-called "Information Security Self-Assessment" (TISAX® questionnaire) and the individual control areas go directly back to the ISO 27001 standard.
And as in every relationship, the two standards diverge further with each new TISAX® version. Meanwhile, version 5 of TISAX® is out; here the similarities are no longer quite so obvious at first glance, but a close relationship is still clearly recognizable. That's what happens when a friend moves too far away! Until next year, my friend... (crying).
What are the similarities and the differences of ISO 27001 and TISAX®?
1. Both define requirements for information security management systems (ISMS) of companies. So in both cases it's actually about the same thing. But...
ISO 27001 applies generally and to all companies, while TISAX® defines requirements that apply specifically to suppliers in the automotive industry.
2. The International Organization for Standardization (ISO) is behind the generally applicable ISO 27001, while the industry standard TISAX® (Trusted Information Security Assessment Exchange) defines requirements specifically for suppliers in the automotive industry and is the international responsibility of the privately organized ENX Association and the German Association of the Automotive Industry (VDA).
3. As with ISO 27001, the effectiveness of the ISMS according to TISAX® can be demonstrated by audits according to the VDA-ISA. If the audit is successful, an auditor from the ENX Association (commissioned by the German VDA) awards a TISAX® label in its database. Attention: "label", not "certificate"! This label is recognized by all VDA members and vehicle manufacturers. It is even required by large companies such as BMW, Daimler, Porsche, Continental and Volkswagen.
And this is not just a German thing, made by Germans for Germany. TISAX® is just as internationally respected as ISO 27001! Assuming you are a supplier, service provider or partner of a VDA member, you most likely need TISAX®.
As already mentioned, TISAX® was derived from ISO 27001, but the two standards exist completely independently of each other. After all, they are only friends and not married to each other! There are also no mutual dependencies in terms of audits and certifications.
4. The Scope: If you've been paying attention, you can already see that the main difference between ISO 27001 and TISAX® is the scope.
See previous blogs: ISO 27001 certification allows companies to define their own scope within the given framework. The standard describes general requirements for the establishment, implementation, operation, monitoring, control, continuity and continuous improvement of an ISMS, but leaves the choice of scope up to the users themselves.
In concrete terms, this means that it is perfectly possible for companies to have a specific site, individual product lines or services, or even the entire company certified to ISO 27001. However, the latter is not mandatory. A healthy relationship - everything is possible, nothing is a must.
The situation is different with TISAX®. Here, the respective overall company and its information security processes are always put to the test.
5. Certificate? Well, companies will only receive a certificate if they meet the requirements of ISO 27001. Although buddy ISO 27001 has been babbling a bit too much after the fourth beer around the campfire, in the end an Aries wins. Despite naivety!
1:0 for ISO 27001, because there is no certificate for TISAX® compliance. Nor may a successful TISAX® audit be used for public advertising, unlike an ISO 27001 certificate, which can be proudly displayed on walls or websites.
However, care must be taken with the wording here. TISAX® is a mechanism, not a standard!
And for its purpose, it doesn't need to hide either! Because as a TISAX® member, you belong to a chosen circle:
The result of a TISAX® audit can only be viewed by other TISAX® members.
Whoever belongs to this group of TISAX® members and fulfills the requirements to whatever extent is to remain primarily internal industry information, according to the will of the automotive industry. For this reason, companies are also not allowed to publicly advertise that they meet the TISAX® requirements. The CIA is calling!
How does the TISAX® portal work?
Participants in the TISAX® process share their information security status with each other via a common online portal. At first, this sounds a bit like Uber... which again has to do with cars!
Registration on this portal is a prerequisite for participation in a TISAX® procedure. In addition to exchanging assessment data, the portal also allows participants and test service providers to get in touch.
In short, this is what the online portal provides: test criteria that are relevant to the automotive industry, along with proven test quality and the corresponding results. The information on this platform is homogeneous and of high quality.
Unlike ISO 27001, the testing and reporting procedures are standardized and thus the comparability and informative value of the results is high.
Thus, there is a broad acceptance in the automotive industry and a consistent focus on customer needs is created.
ISO 27001 audit vs. TISAX® audit
Basically, both follow the same audit procedure.
In other words: What measures does a company take, how are these measures implemented, and what evidence is there to support them? The management of a company bears full responsibility here!
However, there are differences:
In the case of an ISO 27001 certification, the effort required for internal preparation of the workforce is somewhat higher, since employees can also be involved in measures and corresponding processes. In a TISAX® audit, on the other hand, only the management and, at most, the information security officer are questioned.
Fact: ISO 27001 certification covers a broader range of information security processes than the TISAX® label. The audit questions, however, are less in-depth. If a measure is demonstrably implemented, that is enough for the ISO 27001 audit. The TISAX® audit, on the other hand, also looks at the level of maturity of implementation.
Like an ISO 27001 certificate, the TISAX® label is valid for three years. However, there are no annual surveillance audits as with ISO 27001.
Why is TISAX® more concerned with data protection than ISO 27001?
TISAX® uses a criteria catalog for general information security, one for prototype protection and a third for data protection. Prototype protection, okay, we haven't had that yet.
TISAX® is primarily designed to create a basic level of information security in the automotive industry. Patents, prototypes, research and development in general: you can only imagine how many different stakeholders are involved. Seeing an Erlkönig (a camouflaged prototype car) at the gas station still gives some a little kick ;). The development of the latest electric SUVs to market launch is a multi-million dollar business.
Therefore, information security is crucial for a smooth and secure supply chain in the automotive industry.
The special aspect of a TISAX® audit at a supplier's premises is that the original equipment manufacturer or OEM determines which set of criteria is to be the focus of the audit. The required level of implementation maturity is then determined. The assessment levels range from 1 for "normal" to 3 for "very high". From level 3, the requirements are significantly higher than for an ISO 27001 audit. Level 3 means that intensive on-site audits are carried out.
ISO 27001 certificate vs. TISAX® label
So why an ISO 27001 certificate? As an automotive supplier with a successful TISAX® audit, you should be sufficiently equipped, right?
It's not that simple! As already mentioned, only an ISO 27001 certificate can be officially presented, letting you demonstrate information security and position yourself on the market.
A successful TISAX® audit is a different story. However, an automotive supplier does not necessarily need ISO 27001 certification to become part of an industrial supply chain. Rather, TISAX® is essential in this industry.
But beware, there are enough Original Equipment Manufacturers who expect their suppliers to have an ISO 27001 certificate in addition to TISAX®. So the bundle is highly recommended!
Can you then do both certifications in one and the same audit pass?
To repeat: Formally, there is no connection and therefore no dependencies between ISO 27001 and TISAX®. It is not like the ISO 27k family, where each ISO 27k member argues with the other, but would still donate a kidney to the other. TISAX® and ISO 27001 dance in the same club, but have brought their own bunch of people.
The standards are completely independent of each other. But that doesn't mean the different group members couldn't enter into a nice relationship. After all, it wouldn't be inbreeding! For those who already have an ISO 27001 certificate, TISAX® is not too much of a challenge anymore.
And despite the similarities, a joint audit is still not possible. But why? The audit perspectives are simply too different.
With ISO 27001, auditors look at risks and all information security measures from the company's perspective.
TISAX®, on the other hand, aims to provide a secure supply chain for the original equipment manufacturer, who expects its supplier to have a TISAX®-compliant management process. The main focus is on the perspective of the end customer.
So companies can meet the TISAX® criteria AND be ISO 27001 certified at the same time, or they can meet only one of the two standards.
This sounds like a special relationship. But this one could work, and it is not as complicated as it sounds! Because synergies can be exploited! The two standards complement each other, so compliance with both standards is highly recommended for suppliers!!!
Secfix helps with this bundle! Book a consultation with us!