
TISAX vs. ISO 27001: Which Standard Actually Applies to Automotive Mid-Market Suppliers?

Marcus (MarcusChine), Solution Architect · 25-06-2026 · 6 min read · INFOSEC

The short answer: as an automotive supplier, you have no choice. TISAX is not an option to weigh against ISO 27001. It is a market access requirement.

Any Tier 1 or Tier 2 supplier that handles confidential vehicle data, prototypes, or OEM information requiring protection needs a TISAX label. BMW, Mercedes-Benz, Volkswagen, and their direct Tier 1 partners do not ask whether you hold ISO 27001 certification. They ask for your TISAX label. Those without one are excluded from the selection process.

That sounds harsh. But it is the reality of the European automotive ecosystem since the TISAX program was launched by the ENX Association in 2017.[1]

Yet this question lands regularly in my projects with mid-market clients. Usually because a consultant with an ISO 27001 background has sold TISAX requirements as "essentially the same thing." That is wrong. And expensive.

What TISAX Actually Is

TISAX stands for Trusted Information Security Assessment Exchange. The program was developed by the German Association of the Automotive Industry (VDA) and is operated by the ENX Association. The technical foundation is the VDA ISA catalog (Information Security Assessment), which builds on the principles of ISO/IEC 27001 but adds significant automotive-specific requirements.

TISAX defines three assessment levels:

Assessment Level 1 is a plausibility check. The participant self-assesses using the VDA ISA questionnaire. No external verification. Not applicable to OEM requirements.

Assessment Level 2 is the standard label for most suppliers. An accredited audit service provider verifies the self-assessment and conducts interviews. OEMs accept this label for handling confidential information and development data.

Assessment Level 3 applies to particularly sensitive data: prototypes subject to confidentiality obligations, experimental vehicle architectures, data with national security relevance. Virtually no mid-market supplier involved in active vehicle development can avoid Level 3.[2]

The assessment result is not published publicly. It is shared selectively between supplier and OEM via the ENX platform. TISAX is not a public certificate but a bilateral trust credential within the automotive supply chain.

What ISO 27001 Actually Is

ISO/IEC 27001 is the international standard for information security management systems. It defines requirements for the establishment, operation, monitoring, and continuous improvement of an ISMS. The standard is deliberately sector-agnostic: it applies equally to banks, hospitals, SaaS providers, and automotive suppliers.

ISO 27001 certification is carried out by an accredited body, is publicly visible, and internationally recognized. It signals maturity in security management. It says nothing about conformity with automotive-specific protection requirements.

ISO 27001 is the foundation. TISAX is the building erected on that foundation for a specific industrial purpose. Showing an OEM only the foundation means you have no building.

The Key Difference: Domain-Specific Requirements

Vaughn Vernon describes in his work on Domain-Driven Design how every business domain develops its own language and its own rules, which generic approaches cannot structurally represent in full.[3] This applies to software architecture. It applies equally to compliance frameworks.

The automotive domain has requirements that simply do not appear in ISO 27001: prototype protection during transport, camera bans in certain development areas, network segmentation for vehicle development data, specific requirements for outsourcing chains to software development partners. The VDA ISA catalog contains these controls explicitly. Annex A of ISO 27001 does not.

Presenting an ISO 27001 certificate to an OEM as TISAX evidence demonstrates that you do not understand the difference. That is not a negotiating argument, it is a disqualifying criterion.

The audit depth also differs fundamentally. An ISO 27001 audit reviews the management system. A TISAX Assessment Level 2 reviews actual implementation against 60 to more than 80 mandatory controls, verified through interviews and supporting documentation. That is not "essentially the same thing."

The Recommendation: TISAX First, ISO 27001 as a Useful Complement

I see no gray areas here. For mid-market companies in the automotive sector, the following prioritization applies:

If you have OEM contracts or are seeking them: TISAX Assessment Level 2 is not optional. Clarify with your OEM contact what scope the assessment must cover. Engage an accredited TISAX audit service provider and start with a gap analysis against the current VDA ISA catalog.

If you simultaneously serve non-automotive clients: ISO 27001 can be a useful supplementary certificate. It addresses clients outside the automotive ecosystem who are unfamiliar with TISAX and do not require it. Since both standards share significant overlap in controls, the additional effort for ISO 27001 after a solid TISAX assessment is manageable.

If you only have ISO 27001 and are waiting for TISAX inquiries: That will not work. The time required to obtain a TISAX confirmation typically ranges from 9 to 18 months, depending on the maturity of your existing security measures and the complexity of the scope being assessed. Start now.

The sequence is clear: TISAX first, because the market demands it. Then optionally ISO 27001, because it opens additional markets and makes internal governance internationally visible.

TISAX Consulting: What Actually Works in the Mid-Market

Here is what I see in practice, and what I recommend to every CISO in the automotive mid-market:

Verify your consultant's VDA ISA background. The critical question is not whether someone is an ISO 27001 Lead Auditor. The question is how many TISAX assessments they have accompanied and at which assessment levels. Someone who only knows ISO 27001 will build you an ISMS that fails at automotive-specific controls during the TISAX assessment.

Start with a structured gap assessment against the current VDA ISA. The catalog is regularly updated; version 6.0 is currently in effect.[2] An experienced consultant conducts this gap assessment in two to four days and delivers a prioritized list of deficiencies with risk classifications.

Define the assessment scope precisely. A scope that is too broad costs time and money while increasing audit risk. A scope that is too narrow leads OEMs to request locations or systems you left out. Scope definition is one of the most critical decisions in the entire TISAX preparation process.

Plan for at least 12 months for Assessment Level 2. Those who underestimate the effort produce compliance debt with no operational security maturity behind it. Martin Fowler coined the term "technical debt" to describe the long-term costs of taking shortcuts in software systems.[4] The analogy holds equally for compliance debt: those who implement controls on paper without real implementation depth behind them generate risks that become visible in the next assessment cycle or in a real incident.

Choose your consultant and audit service provider independently. ENX publishes the list of accredited audit service providers. The party that prepares you and the party that conducts the assessment should not come from the same organization; that would be a conflict of interest.

Use TISAX as an ISMS build, not a checklist project. Germany's Federal Office for Information Security (BSI) recommends a risk-based approach with systematic protection needs analysis as the starting point for building information security management systems in the mid-market.[5] TISAX enforces exactly that: information classification, risk-based control selection, traceable documentation. Those who implement TISAX properly have, after two cycles, a robust ISMS that largely covers ISO 27001 requirements as well.

Conclusion

TISAX or ISO 27001 is not a strategic trade-off for automotive mid-market suppliers. It is a market reality. TISAX is mandatory if you process OEM data. ISO 27001 is a useful complement if you want to address markets outside the automotive supply chain.

Those who confuse the two pay twice: once for an ISO 27001 certification that no OEM requires, and once for the TISAX assessment that comes eventually regardless.

Invest in solid TISAX consulting that knows the VDA ISA, defines the scope precisely, and builds operational security maturity. The rest is administrative overhead.

Sources

[1] ENX Association. TISAX Participant Handbook, Version 3.0. ENX Association, 2024. https://portal.enx.com/tisaxPH.pdf

[2] Verband der Automobilindustrie (VDA). Information Security Assessment (ISA), Version 6.0. VDA, 2024. https://www.vda.de/de/themen/digitalisierung/informationssicherheit

[3] Vernon, Vaughn. Implementing Domain-Driven Design. Addison-Wesley Professional, 2013.

[4] Fowler, Martin. "Technical Debt". martinfowler.com, 2019. https://martinfowler.com/bliki/TechnicalDebt.html

[5] Bundesamt für Sicherheit in der Informationstechnik (BSI). IT-Grundschutz-Kompendium, Edition 2024. BSI, 2024. https://www.bsi.bund.de/grundschutz
