What is TISAX?
TISAX ® (Trusted Information Security Assessment Exchange) is an information security standard tailored to the needs of the automotive industry. It is a standard that vehicle manufacturers, automotive suppliers, IT service providers, consultants and third-party software vendors can use to meet their information security requirements for automobile production. TISAX® certification is a compulsory requirement for many automobile manufacturers and suppliers to the (German) automotive industry.
The VDA (Verband der Automobilindustrie) created an Information Security Assessment sheet, which has great resemblance with ISO 27001 and the Annex A controls. However, it adds specific security controls for connection with third parties, prototype protection, and data protection.
Understanding the links between TISAX and ISO 27001
ISO 27001 focuses on the organization and its structure (Information security management system) when TISAX® focuses on topics relevant to partners and specific physical locations.
The VDA information Security assessment can be divided in 4 main groups:
- Information Security
- Connection to third parties
- Data protection
- Prototype protection
The Information Security topic is quite similar on the ISO 27001 standard. The ISO 27001 standard can be used as a guidance as there are a lot of clauses and controls that can be used to meet the necessary TISAX compliance.
TISAX has 7 chapters on Information security (IS Policies and Organization, Human Resources, Physical Security and Business Continuity, Identity and Access Management, IT Security/Cyber Security, Supplier Relationships and Compliance) that are also handled within the ISO 27001 standard.
ISO/IEC 27001 manages information security of the organization the same way TISAX manages information security in the automotive supply chain.
The next schematic overview shows the relationship between TISAX compliance and how the ISO 27001 standard can help you with its implementation.
| TISAX Topic | ISO 27001 (ISMS) |
|---|---|
| TISAX Topic | ISO 27001 (ISMS) |
| IS Policies and Organization | 19 controls + clauses |
| Human Resources | 6 controls |
| Physical Security and Business Continuity | 8 controls |
| Identity and Access Management | 11 controls |
| IT Security/Cyber Security | 16 controls |
| Supplier Relationships | 4 controls |
| Compliance | 5 controls |
The controls are listed in ANNEX A from the ISO 27001 standard.
From the 114 ISMS controls listed in the ANNEX A from the ISO 27001 standard, 69 controls can help/guide you by the implementation of TISAX. The next table shows you the difference in effort for gaining the required certification level.
| Topic | ISO 27001 | TISAX |
|---|---|---|
| ISO 27001 Clauses | ||
| 4 Context of the organization | Mandatory | Mandatory |
| 5 Leadership | Mandatory | Light |
| 6 Planning | Mandatory | Light |
| 7 Support | Mandatory | Light |
| 8 Operation | Mandatory | Light |
| 9 Performance Evaluation | Mandatory | Light |
| 10 Improvement | Mandatory | Light |
| ISO 27001 ANNEX A Controls | 114 | 69 |
| ISO 270017 standard | NA | 5 |
| Industry specific | Data Protection (4) | |
| Prototype Protection (22) |
Mandatory: the clause and its subdivisions need to be fully implemented.
Light: some topics of the clause need to be implemented or are helping the organisation by implementing them.
As we can establish from this table, TISAX and ISO 27001 are very closely related. Once your organization finalizes the TISAX-journey, there is only a small effort left for obtaining an ISO 27001 certification as you are already touching all of the requirements and some of the controls. Conversely, the concepts of TISAX are also compatible with ISO 27001 and can help in improving your Information security Management System.
To sum things up, both ISO 27001 and TISAX are compatible: mastering one also allows you to jump to the other quite easily, ultimately improving both your organization’s processes and security controls.
