ISMS Copilot

TISAX vs ISO 27001: automotive assessment exchange vs certifiable ISMS

TISAX is the automotive industry's VDA ISA-based assessment; ISO 27001 is the general certifiable information security standard.

Scope, proof and audience

| Feature | TISAX | ISO 27001 |
| --- | --- | --- |
| Owner / basis | ENX Association; based on the VDA ISA questionnaire | ISO/IEC; ISO 27001:2022 requirements standard |
| Primary audience | Automotive suppliers and their OEM partners | Any organisation, any sector |
| Result | Assessment result and label exchanged via the ENX portal | Publicly verifiable accredited certificate |
| Assessment levels | AL 1 (self), AL 2 (remote plausibility), AL 3 (on-site) | Single certification audit by an accredited body |
| Public certificate | No public certificate — results shared participant-to-participant | Certificate can be shown publicly |
| Special scope | Adds prototype protection and data confidentiality modules | Generic risk-based ISMS, no sector module |
| Control basis | VDA ISA, structurally aligned with ISO 27001/27002 | Clauses 4-10 plus Annex A controls |

Automotive supplier: do you still need ISO 27001?

If your customers are automotive OEMs or tier-one suppliers, TISAX is usually the credential they actually ask for, because it is the result they can look up and trust through the ENX portal. ISO 27001 is not a formal prerequisite for TISAX, but the two share most of their control substance: the VDA ISA questionnaire is structurally aligned with ISO 27001 and ISO 27002. In practice, an organisation that already holds ISO 27001 has built most of the ISMS that TISAX assesses and only needs to add automotive-specific elements such as prototype protection and the right assessment level (AL 2 or AL 3). If you sell beyond automotive as well, keeping ISO 27001 gives you a publicly verifiable certificate that TISAX does not provide. Many suppliers run both: ISO 27001 for general assurance, TISAX for the automotive supply chain.


If you operate in automotive

  • Reuse an existing ISO 27001 ISMS as the base for VDA ISA controls
  • Pick the assessment level (AL 2 or AL 3) your OEM partners require
  • Add prototype protection and confidentiality modules for TISAX
  • Keep ISO 27001 when you also need a publicly verifiable certificate

Frequently Asked Questions

Is TISAX a certification?

TISAX produces an assessment result and label that are exchanged between participants through the ENX portal rather than a public certificate. It is an assessment-and-exchange mechanism for the automotive supply chain, not an accredited certification like ISO 27001.

Do I need ISO 27001 before doing TISAX?

No, ISO 27001 is not a formal prerequisite. However, the VDA ISA questionnaire is structurally aligned with ISO 27001/27002, so an existing ISO 27001 ISMS covers most of what a TISAX assessment evaluates.

What are TISAX assessment levels?

TISAX uses three assessment levels. AL 1 is an internal self-assessment with low trust and is not used for customer-facing TISAX labels. The labels OEMs and tier-one partners actually accept are AL 2 (remote plausibility check, evidence review) and AL 3 (on-site audit). Higher protection needs, such as prototype data, typically require AL 3.
