# TISAX vs ISO 27001: automotive supply-chain security compared

TISAX is an automotive-industry information security assessment based on the VDA ISA catalog — mandated by OEMs (VW, BMW, Mercedes, etc.) for their suppliers. ISO 27001 is the international ISMS certification. Roughly 80% of the controls overlap. Many suppliers certify both; OEMs require TISAX specifically.
## Side-by-side

| Dimension | TISAX | ISO 27001 |
|---|---|---|
| Type | Assessment + label (ENX governing body) | Certification (accredited certification body) |
| Industry scope | Automotive supply chain (+some aerospace adoption) | Any industry |
| Control set | VDA ISA (currently v6) — 40+ controls | ISO 27001:2022 Annex A — 93 controls |
| Output | TISAX label (AL1/AL2/AL3) valid 3 years | ISO 27001 certificate valid 3 years |
| Labels / levels | AL1 standard, AL2 high, AL3 high + prototype | Single certification (no levels) |
| Audit type | TISAX-accredited auditor, on-site for AL3 | Stage 1 (desktop) + Stage 2 (on-site) by accredited CB |
| Cost (mid-size supplier) | €20-50k incl. audit + remediation | €25-60k year 1, €15-35k year 2+ |
| Market recognition | OEM-enforceable — required for automotive contracts | Globally recognized |
| Data classification | OEM-assigned sensitivity labels (prototype protection, etc.) | Organization-defined classification |
| Prototype protection (AL3) | Specific physical + IT controls | Not explicitly covered |
## When to choose which

### TISAX
You're in the automotive supply chain (tier 1, 2, or 3). OEMs have contractually required TISAX. You handle automotive prototype data (requiring AL3).
### ISO 27001
You operate across industries and need the globally-recognized ISMS standard. Your customers expect ISO 27001 as vendor qualification.
### Both
You're an automotive supplier with international customers. Certify ISO 27001 first, then add TISAX (~3-6 months incremental, since 80% overlap). One ISMS, two attestations.
## The overlap
~80% — VDA ISA v6 maps closely to ISO 27001:2022 Annex A. Policies, access control, incident response, supply chain, secure development, crypto — all appear in both. The gap: TISAX-specific items (prototype protection, OEM data classification rules, automotive-specific supplier management). ISO 27001-certified organizations typically achieve TISAX in 3-5 months incremental.
## Key differences
- TISAX is automotive-industry specific. ISO 27001 is universal.
- TISAX uses levels (AL1/AL2/AL3) driven by data sensitivity. ISO 27001 has no levels.
- TISAX mandates OEM-assigned data classifications. ISO 27001 lets organizations define their own.
- TISAX AL3 has specific prototype-protection controls (physical security, visitor management, photography restrictions). ISO 27001 covers these loosely.
- TISAX is OEM-enforceable — failing means losing automotive contracts. ISO 27001 is market-driven.
- ENX is the governing body for TISAX. ISO 27001 certification bodies are accredited nationally (e.g., DAkkS in Germany).
## Frequently asked questions

If I have ISO 27001, do I still need TISAX for automotive contracts?
Yes — OEMs specifically require TISAX, not ISO 27001. ISO 27001 is helpful preparation but not sufficient. Fortunately, the incremental effort to achieve TISAX after ISO 27001 is small (~3-5 months) because 80% of controls overlap. Most tier-1 automotive suppliers certify both.
What are AL1, AL2, AL3?
Assurance Levels defined by ENX. AL1 = standard protection (basic info sec). AL2 = high protection for business-critical info (most automotive contracts require AL2). AL3 = high protection + prototype/special-sensitivity data (physical security + on-site audit). OEMs specify required level per contract — often AL2 for tier-1, AL3 for R&D-sensitive work.
Can I certify TISAX first and then add ISO 27001?
Yes, but uncommon. TISAX is industry-specific; ISO 27001 is the general-purpose ISMS. Going ISO first makes the ISMS foundation broader. That said, if OEM pressure is immediate and the business is purely automotive, TISAX-first is feasible — then ISO 27001 becomes additive for non-automotive customer requests.
Matproof covers all major EU frameworks.
One platform, 11 frameworks, EU-hosted. 30-minute demo tailored to your framework mix.