Short Overview
Corporate Information security is becoming increasingly important. In order to protect their information and sensitive data, companies are striving for established information security standards such as TISAX® or ISO 27001 certification. In this article, we will give you an overview of these two standards and explain when and for what purpose they should be used in your company. Let’s start right away with the most important points:
- ISO 27001 certification is accepted across all industries, while TISAX® was developed specifically for the automotive industry.
- TISAX® is based on the ISO 27001 and ISO 27017, but is a separate, independent standard with a specific focus on the automotive industry.
- ISO 27001 is not a prerequisite for obtaining the TISAX® label or vice versa. In some cases, however, it is advisable to obtain both certifications in order to "play it safe" and enjoy all the benefits of the standards.
- What they have in common is that both standards focus on the implementation of an information security management system (ISMS). TISAX® requires a functioning ISMS, while ISO 27001 is aimed at the implementation of an ISMS.
Key differences between ISO 27001 and TISAX®
ISO 27001 is a ” classical ” certification, while TISAX® is a label. However, the term TISAX® certification is also often used.
TISAX® is relevant to the automotive industry, while ISO 27001 is relevant to all industries.
TISAX® is a location-based label and considers the respective individual location of a company, whereas ISO 27001 can also certify individual product lines, parts of the company or the entire company.
According to the current version, the TISAX® label needs to be recertified every 3 years. In the case of ISO 27001, an annual review audit and a recertification audit by an external audit service provider take place every 3 years.
In comparison to ISO 27001, TISAX® defines “must” and “should” requirements. The “must” criteria must be fulfilled without exception. Furthermore, TISAX® specifies a maturity model that requires a minimum score of 2.7 to receive the TISAX® label.
TISAX® also has its own criteria catalogs for data protection and prototype protection, which must be fulfilled at the request of the OEMs or customers of the supplier.
The requirements of ISO 27001 are rather general and open to interpretation.
Another special feature of the TISAX® assessment is that the ENX Association offers a limited selection of auditors. The TISAX® auditors can be found on the official ENX website. The approved auditors for ISO 27001 are determined by the DAkkS (German Accreditation Body).
A combined audit is also possible. It is best to ask your preferred audit service provider whether they offer both audit procedures.
The timeframe for the ISO 27001 and TISAX® audit processes may vary depending on the size and complexity of the organization and the experience of the auditor. Below are some general guidelines for both standards:
ISO 27001:
- Preparation phase: 1-3 months
- Implementation phase: 3-12 months
- Internal audits: 1-3 months
- External certification audit (Stage 1 & Stage 2): 1-3 months
In total, the process from preparation to certification can take 6-18 months.
TISAX®:
- Preparation phase: 1-3 months
- Implementation phase: 3-6 months
- Internal audits: 1-2 months
- External TISAX assessment: 1-3 months
Overall, the TISAX® process can take 6-12 months from preparation to successful assessment, depending on the size, resources and complexity of the organization.
Please note that these timescales are indicative only and may vary from company to company. It is advisable to work with an experienced consultant or auditor to get a realistic estimate of the time required for your specific situation.
Which requirements need to be met for TISAX® and ISO 27001?
In the case of ISO 27001, the company can define the scope of application itself. The TISAX® label is a location-based label and defines the physical location of the company as the scope of application.
The ISO 27001 standard aims to increase the information security of the area of application. TISAX®, on the other hand, aims to ensure information security along the supply chain of original equipment manufacturers (OEMs) such as VW, Audi, etc. by means of a standardized audit approach.
The information security criteria catalog of the TISAX® self-assessment questionnaire is based on ISO 27001 and ISO27017. Version 5.1.0 of the questionnaire, which is being developed by VDA/ISA, is now available.
- TIP: Would you like to take a look at the current TISAX® questionnaire? It can be downloaded from the website of the German Association of the Automotive Industry or ENX.
Which audit service providers are available for TISAX® and ISO 27001?
The assessment result obtained for TISAX® is the sole responsibility of the ENX Association. It therefore also determines the specific service providers that are authorized to carry out TISAX® assessments. The currently approved assessment service providers can be found on the ENX website. For ISO 27001, there are just over 50 audit service providers in Germany that are authorized to carry out audits. One well-known example is DEKRA.
Is TISAX® a requirement for ISO 27001?
As the two standards are independent of each other, one does not require the other. However, due to the thematic similarity, it can make sense to take both assessments. Those who already meet the requirements of one standard will not have too many problems with the second.
Is the ISO 27001 certification also beneficial for companies in the automotive industry?
Unlike the TISAX® label, which may not be used for advertising purposes, companies can place their ISO 27001 certificate on their company website or similar for publicity purposes. Proof of audited information security creates trust and can help to generate new business. Once a company has successfully passed the TISAX® audit, the label is only available for other TISAX® participants on the ENX audit platform. This is intended to protect which companies already belong to the TISAX® circle..
While ISO 27001 can be obtained voluntarily, TISAX® is strongly recommended for automotive suppliers in order to remain fit for business in the future. Only in exceptional cases do OEMs require TISAX® AND ISO 27001 certification from their suppliers.
Scope of the certifications
TISAX® is a location-based label and considers the specific location of a company, whereas ISO 27001 can also certify individual product lines, parts of the company or the entire company.
ISO 27001 is the internationally accepted information security standard for companies. It applies to organizations of all types, sizes and sectors that process, store or transmit information, regardless of whether it is public or private. The certification relates to an organization’s information security management system (ISMS), which includes the security policies, processes and controls required to ensure the confidentiality, integrity and availability of information.
The TISAX® standard is accepted by most major automotive manufacturers and suppliers worldwide and is intended for companies that operate in the automotive industry or process or store data from automotive manufacturers. TISAX® includes a set of security requirements that are specifically tailored to the needs of the industry, such as the protection of intellectual property and the protection of customer data. TISAX® is designed to ensure that companies in the automotive industry maintain a high level of information security and handle data securely and confidentially.
Companies that meet the TISAX® standard can showcase their certification to other companies in the industry to demonstrate their ability to process and protect information and data securely.
Who is responsible for TISAX® or ISO 27001 in your company?
The responsibility for implementing and maintaining TISAX® or ISO 27001 typically lies with the management of an organization. Management must ensure that the organization provides the necessary resources to establish and maintain an appropriate information security management system (ISMS). This requires a commitment to the continuous improvement of information security processes, policies and controls.
Do you have specific questions?
Our information security experts are at your disposal. Just send us an e-mail and we will get in touch with you.
