TISAX
January 2026
TISAX vs ISO 27001: Which framework does your automotive supplier need?
By Swapna De., Managing Director, AuditVantage® GmbH
Both TISAX and ISO 27001 address information security. Both require you to demonstrate that sensitive information is appropriately protected. But they serve different purposes, use different assessment mechanisms, and satisfy different requirements.
The question of which one your organisation needs is not a technical question. It is a commercial one: who are your customers, and what do they require?
What TISAX is
TISAX is the automotive industry's information security assessment scheme, governed by the German automotive association VDA. It is required when organisations handle sensitive information for automotive OEMs and Tier-1 suppliers. Assessments are conducted at one of three levels (AL 1, AL 2, AL 3) depending on the sensitivity of the information involved. Results are shared through the ENX portal and not published publicly.
What ISO 27001 is
ISO 27001 is the international standard for Information Security Management Systems. It is recognised globally, certification is awarded by accredited certification bodies, and a valid certificate can be used as evidence of security posture across multiple clients and sectors.
The key differences
TISAX is industry-specific and assessment-based. ISO 27001 is sector-agnostic and certification-based. TISAX results are shared only with specific business partners through ENX. ISO 27001 certificates are publicly verifiable. Most automotive suppliers who need TISAX do not automatically satisfy the requirement by holding an ISO 27001 certificate, although there is significant overlap in the controls required.
If your customer base spans both automotive and non-automotive clients, running ISO 27001 and TISAX in parallel with controls mapped across both frameworks is often the most efficient approach.
AuditVantage® supports organisations through TISAX scoping, Assessment Level selection, gap analysis, remediation, and assessment readiness across all three assessment levels. Get in touch to discuss your requirements.
Frequently asked questions
Related questions on this topic, answered from the audit chair.
How long is a TISAX label valid?
A TISAX label is valid for three years from the date of issue, provided no significant changes to scope or controls occur in the interim. At the end of the three-year period, a renewal assessment is required. Significant scope changes or major incidents during the three-year period may trigger a reassessment earlier.
Is TISAX more expensive than ISO 27001?
Direct comparison is difficult because the scopes differ. TISAX assessment at AL 2 is broadly comparable in effort and cost to an ISO 27001 audit for a similar scope. AL 3, which includes prototype protection requirements, is significantly more expensive. The implementation effort to reach TISAX readiness depends on the starting baseline; organisations with a mature ISO 27001 system typically have a shorter path to TISAX than greenfield organisations.
Can TISAX results be shared publicly?
No. TISAX results are shared bilaterally through the ENX portal with specific business partners. The label cannot be displayed on a website, used in marketing, or published. This is a deliberate design of the TISAX scheme. Customers verify the label by accessing the ENX portal once the supplier has granted them permission to view the result.
Can I do TISAX as a self-assessment?
A self-assessment based on VDA ISA is used internally as a preparation step, but the TISAX label itself requires an assessment by an ENX-accredited assessment provider. Self-assessment alone does not produce a label. AL 1 is largely a documentation review; AL 2 includes a remote audit; AL 3 includes an on-site audit and substantially deeper testing.
Do I still need ISO 27001 if I have TISAX?
It depends on your customer base. If your customers are exclusively automotive OEMs and tier suppliers that accept TISAX, you may not need ISO 27001. If you sell across automotive and other regulated industries (finance, healthcare, public sector), most non-automotive buyers will expect ISO 27001 separately. Many automotive suppliers hold both. The control sets overlap substantially, so the second certification is cheaper than the first.
How do I determine the right assessment level (AL 1, AL 2, AL 3)?
The assessment level is determined by the protection needs of the information shared, not by the organisation. AL 1 is for information with low protection needs; AL 2 covers most automotive information sharing; AL 3 is required for high-sensitivity scenarios including prototypes and connected vehicle data. The OEM or customer typically specifies the required AL in the procurement process.