An information security management system or ISMS is an integral part of every company these days and to no surprise: When it comes to corporate assets, few are as valuable as knowledge and information. However, as assets, they are under greater threat than ever: Human error, cybercrime and, increasingly, natural causes pose a consistent hazard. ISO 27001 and TISAX® audits both increase and document a company’s resilience to risks such as these. But who needs which audit? And what are the differences between them?
ISO 27001 and TISAX® in a nutshell
- The international standard ISO 27001 and the TISAX® mechanism define requirements for corporate information security management systems or ISMSs.
- ISO 27001 establishes general requirements for all companies, whereas TISAX® defines requirements aimed specifically at suppliers in the automotive industry.
- While TISAX® derives from ISO 27001, both standards are fully independent of one another. This also pertains to audits and certifications, where there are no interdependencies between the two systems.
- Important: Only companies that meet the requirements of ISO 27001 receive certification. There is no public certificate for conformity with TISAX®. By the rules of the mechanism, companies are also prevented from publicly advertising a successful TISAX® audit. Only other TISAX® participants can see the results of a TISAX® audit.
- The standards are complementary: It is highly recommended that all suppliers in the automotive industry meet the requirements of both standards.
In this article
- What is audited under ISO 27001 and TISAX® respectively?
- What is the scope of ISO 27001, what is the scope of TISAX®?
- Do ISO 27001 and TISAX® build on one another?
- Does TISAX® require ISO 27001 certification? Is it possible to combine both audits?
- TISAX® or ISO 27001 – which is more difficult to achieve?
- Does TISAX® prioritise data protection more than ISO 27001?
- Should automotive suppliers with a successful TISAX® audit aim to achieve an ISO 27001 certification?
- Who carries out the audits? Are the same authorities competent for both standards?
- Conclusion: Is it better to carry out both ISO 27001 and TISAX® audits together?
What is audited under ISO 27001 and TISAX® respectively?
Both standards define the requirements that an information security management system (ISMS) must meet. So, in a general way, both address the same set of issues. The generally applicable ISO 27001 standard was published by the International Organization for Standardization (ISO). The industry standard TISAX® (short for Trusted Information Security Assessment Exchange) defines requirements placed specifically on suppliers in the automotive industry; developed under the guidance of the German Association of the Automotive Industry (VDA), TISAX® is also part of the ENX Association’s commercial platform.
Put simply, the main difference between ISO 27001 and TISAX® is the scope – that is, the areas where either is applicable or valid.
What is the scope of ISO 27001, what is the scope of TISAX®?
In the case of ISO 27001 certification, companies can determine the scope themselves, within given limits. The standard describes general requirements for the introduction, implementation, operation, monitoring, control, continuity, and ongoing improvement of an ISMS. It also allows participants to select the area they would like to certify. That means companies can choose to have a certain site, individual product lines, or services certified under ISO 27001 – or even the entire company.
This is not the case with TISAX®. Instead, TISAX® looks at the entire company structure and its information security processes. Another important difference: You will often hear “certification” used in combination with both ISO 27001 and TISAX®. But technically, there is no such thing as a TISAX® certificate. In fact, TISAX® is more of a platform backed by automotive manufacturing associations from various European nations. Companies that want to operate as suppliers for the industry need to register for the platform and meet the TISAX® requirements. The automotive industry prefers to keep information on who meets the TISAX® requirements among the participants themselves. For this reason, companies are prevented from publicly advertising that they meet the TISAX® requirements.
Do ISO 27001 and TISAX® build on one another?
In 2017, TISAX® was derived from ISO 27001 as a catalogue of criteria and questions for information security as it pertains to suppliers in the automotive industry. This makes the TISAX® questionnaire (a kind of information security self-assessment) and the audited areas direct descendants of the ISO standard. However, the standards increasingly diverge with each new version of TISAX®. The self-assessment is now in its fifth iteration – while at first glance the similarities are not as apparent as they once were, the relationship between the two systems remains obvious.
Tip: You can view and download the current TISAX® questionnaire on the ENX’s website.
Does TISAX® require ISO 27001 certification? Is it possible to combine both audits?
There is no formal connection nor are there any interdependencies between ISO 27001 and TISAX®. The standards work fully independently of one another. Companies may meet the TISAX® requirements and also have ISO 27001 certification. Or they may only meet one of the standards. However, there is potential for synergies: Any company that has successfully undergone a company-wide ISO 27001 audit will have little trouble passing TISAX®.
Despite all the similarities that the two systems share, a combined audit is not possible. This is due to each audit assuming a fundamentally different perspective. With ISO 27001, the auditors look at the risks and measures related to information security from the perspective of the company itself. When it comes to TISAX®, the focus is a different one: TISAX® aims at ensuring a secure supply chain for OEMs that expect TISAX®-compliant management processes from suppliers. Here, the perspective is that of the end customer.
TISAX® or ISO 27001 – which is more difficult to achieve?
There is no clear answer to this question. The level of difficulty and the challenges of each system should be viewed on an individual basis. Both audits basically run the same testing model. In each case, both check: What measures does a company claim to have taken to ensure information security? How were the measures implemented? What evidence can be provided in support? Incidentally, management is responsible for all three questions. That is to say, information security is and remains a management task – whether your company is being audited according to ISO 27001 or TISAX®.
However, there are differences worth mentioning. TISAX® auditors will only question management and, at most, a company’s information security officer. When being audited for ISO 27001 on the other hand, a company may expect to have its employees questioned about specific measures and processes. Thus, the required effort to prepare your staff for auditing will be slightly greater. It also bears mentioning that an ISO 27001 audit generally encompasses a greater range of information security processes than TISAX® does. This means the questions don’t run quite as deep. If a measure can be demonstrated to have been implemented, the question is checked off the list. TISAX® audits on the other hand also look at the maturity level of a given measure.
By the way: To help you keep your bearings when you’re being audited according to TISAX® and/or ISO 27001, we at DataGuard have put together two helpful “roadmaps”. These step-by-step guides will inform you of the deliverables that each step of either audit demands. Just click a link below to download your helpful guide now!
Does TISAX® prioritise data protection more than ISO 27001?
Yes, that is quite fair to say. ISO 27001 contains only one short paragraph explicitly mentioning data protection. On the other hand, TISAX® describes the requirements for data protection at great length in one of its three catalogues of criteria. By way of background, TISAX® has one catalogue of criteria focusing on general information security, one on prototype protection, and a third on data protection. What is unique about TISAX® audits is that the OEM determines whether all three catalogues will be central for the audited supplier, or a subset. The OEM can then specify the required maturity level of the information security process. The assessment ranges from 1 for “normal” to 3 for “very high”. In other words, if a company is audited according to the TISAX® catalogue of criteria for data protection at level 3, the requirements will be considerably higher than for an ISO 27001 audit. When it comes to TISAX®, level 3 assessments always entail an intensive on-site auditing process.
Should automotive suppliers with a successful TISAX® audit aim to achieve an ISO 27001 certification?
Definitely! It’s advisable to do so for PR reasons alone, since companies are permitted to publish their ISO 27001 certificate, e.g., on their website in order to attest their level of information security and position themselves on the market. As stated above, this is not the case if you successfully pass a TISAX® audit.
But then again, automotive suppliers don’t necessarily need ISO 27001 certification to operate as part of the supply chain in the industry. In this respect, only the TISAX® result is decisive. Still, exceptions tend to prove the rule, and so there are OEMs in the industry that will expect a supplier to prove compliance with ISO 27001 in addition to TISAX®.
Who carries out the audits? Are the same authorities competent for both standards?
While there are auditing providers that conduct audits according to both standards, the responsibilities for ISO 27001 and TISAX® do not overlap at all. By way of illustration, the ENX Association is solely responsible for accredited assessment results for TISAX® audits. For its part, the ENX Association accredits audit providers to conduct TISAX® audits. There are currently 14 accredited audit providers for TISAX® worldwide.
Responsibilities related to ISO 27001 are structured in an analogous way. In the UK, UKAS, as the relevant accreditation body, pulls the strings. As of 22.9., the UKAS website identifies 31 certification bodies in the UK that will audit an ISMS. You can find an overview here.
Conclusion: Is it better to carry out both ISO 27001 and TISAX® audits together?
Not necessarily, and not for all companies. As a general rule, ISO 27001 certification is recommended. In this age, every company should be able to prove compliance with ISO 27001 to be on the safe side in terms of information security. Accordingly, the demand for related consulting services and ISO 27001 certification is as high across the market as you might expect.
This is different for companies that operate either exclusively or in part as automotive suppliers. We at DataGuard strongly advise automotive suppliers to take both audits together. To ensure your ISMS is on a sure footing, you should comply with all ISO 27001 requirements and hold certification for it. Automotive suppliers will require a TISAX® audit on top.