    ISO 27001 & ISO 22301 Blog

    How ISO 27001 and TISAX are related

    You probably know what ISO 27001 is, because it is an international standard, very popular in the information security sector, that helps organizations of all sectors to protect their information. But, did you know that the automotive industry is also interested in information security, and that they even have their own information security standards? In the following article, you’ll learn all the key aspects of the relationship between ISO 27001 and TISAX (Trusted Information Security Assessment Exchange), the information security standard for the automotive industry.

    Information technology and cars are inseparable today

    Twenty years ago, my mother had a small car, a Renault Twingo, and I was very impressed with it, because it was the first car that I had ever seen with an integrated digital control panel. At that time, this technology was a revolution, because most cars had an analog control panel. It was also my first experience with any digital technology in a car.

    Today, cars are very different, and I don’t know of a current car without some kind of digital technology. Information technology is probably one of their most important parts, because most of our cars are managed by software, and this is very useful, because many actions related to our cars are now automated: tire pressure monitoring, speed limiting, parking, etc.

    Systems for a computer on wheels

    If you have a car with Wi-Fi/Bluetooth connection, applications, cameras, etc., then basically, you can say that you have a computer with wheels. And, of course, if your car is like a computer, then threats related to information security also apply to it.

    This is why companies in the automotive sector have performed information security assessments, not only in their own systems and processes, but also in their providers’ systems. But the problem is that without a common standard, each assessment may be performed according to different criteria, and the results may also be different.

    So, in 2016, the ENX association (an association of European vehicle manufacturers, suppliers, and organizations) developed a standard called “TISAX,” which is composed of requirements from VDA ISA (VDA is the German Association of the Automotive Industry, and ISA is an abbreviation for “Information Security Assessment”). Curiously, this standard is very similar to ISO 27001 and the security controls of its Annex A.

    The results of the information security assessment can be shared among other members of TISAX; so, for example, if your company is developing some system, some software, or anything else for an automotive company (BMW, Mercedes, Renault, or any other), you can share the results of your assessment with them, giving them confidence that you are aligned with the TISAX requirements.


    As mentioned, an important component of TISAX is the VDA ISA requirements (which are really security controls). They are very similar to the information security controls of ISO 27001 Annex A, but add specific security controls for connection with third parties, prototype protection, and data protection.

    In fact, the VDA ISA requirements can be put into four groups:

    • Information security (similar to the security controls in Annex A of ISO 27001)
    • Connection to third parties
    • Data protection
    • Prototype protection

    To learn more about Annex A, read this article: Overview of ISO 27001:2013 Annex A.

    The maturity levels

    For each requirement, TISAX uses maturity levels to indicate the effectiveness, and furthermore, TISAX defines a target maturity for each requirement. So, basically, if you want to implement the VDA ISA requirements and be compliant with TISAX, you need to implement all the requirements with a minimum maturity level.

    In ISO 27001, the concept of maturity levels does not exist, because you implement only the security controls needed to treat the risks identified during the risk assessment, so there is no need to define maturity levels for them. But, from my experience, this concept is very useful, because it can help you to improve the ISMS each year.

    The maturity levels defined in TISAX are the following:

    Table: Maturity levels in TISAX

    For example, if you have security controls this year with the maturity level of “2 – Managed,” then clearly, you can improve your ISMS the next year if these security controls reach the level of “3 – Established.”

    For more information about maturity models, this article might be interesting for you: Achieving continual improvement through the use of maturity models.

    The PDCA in ISO 27001 and TISAX

    In TISAX, the PDCA is not mandatory as it is in ISO 27001. You only need to focus on the VDA ISA requirements, although, from my point of view, by clearly defining a PDCA you can improve the compliance with these requirements, because you can define a formal Information Security Management System for the continual improvement.

    And, although I have referenced “controls” in the table of maturity levels, you can also use the maturity levels for processes, which means that you can use them to improve the risk management process, or the internal audit process, or the management review process, etc.

    The solution is always ISO 27001

    As you can see in this article, TISAX and ISO 27001 are very similar, and one of the most important concepts of TISAX, which is the maturity levels, is compatible with ISO 27001, and can help you to improve your ISMS. And, of course, if you are on the TISAX side, the PDCA of ISO 27001 can also help you to improve your organization.

    So, basically, both standards are compatible, and they can work together to help your organization to improve both your processes and your security controls!

    Use this free online training ISO 27001:2013 Foundations Course to learn more about ISO 27001.

    Antonio Jose Segovia
    Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.