TISAX® · June 21, 2026 · Iulian Bozdoghina (Lead Auditor and Consultant) · 10 min read

Does ISO 27001 Cover TISAX®? Where They Overlap, and the Gap That Still Needs Closing

Does ISO 27001 cover TISAX? A certified ISO 27001:2022 ISMS covers about 70–80% of the VDA ISA Information Security module. Here is exactly where the two meet and where the gap is.


Executive Summary

Partly. A certified ISO 27001:2022 ISMS covers roughly 70–80% of the VDA® Information Security module behind a TISAX® assessment, because TISAX was built on ISO 27001 Annex A. But that module is one of three. Prototype protection, data protection, the maturity-evidence model, and the automotive weighting inside the controls all sit outside an ISO 27001 certificate. That last slice is where suppliers tend to find out, too late, that the two are not interchangeable.

The question behind the question

"I'm already ISO 27001 certified, so doesn't that cover TISAX?" is one of the most common things we hear from automotive suppliers, and it usually arrives right after an OEM has made a label a condition of the next contract. Our TISAX vs. ISO 27001 comparison put the overlap at roughly 80%, which is correct as far as it goes. On its own, though, the number does more harm than good. It tells you how much overlaps without telling you where, and the where is the whole point.

That 70–80% is not spread evenly across TISAX. It sits almost entirely in one module. Read the figure without that context and you plan a three-week top-up. Read it with the context and you scope the work properly. So the rest of this is a breakdown by control area: where an ISO 27001 ISMS does the heavy lifting, and where it stops. The useful answer to "does ISO 27001 cover TISAX" is a plan, not a percentage.

Why so much overlaps in the first place

TISAX is not a rival to ISO 27001. It is the automotive industry's structured lens on the same underlying ISMS. The assessment runs on the VDA Information Security Assessment (ISA) catalogue, currently version 6.0.3, which has been the mandatory basis for all new TISAX assessments since 1 April 2024. That catalogue references ISO/IEC 27001:2022 directly: in the ISA workbook, a dedicated column points each control back to its ISO 27001 reference. The link is built into the document.

The numbers show how close the two run. ISO 27001:2022 has 93 Annex A controls across four themes: 37 organizational, 8 people, 14 physical, and 34 technological, sitting on top of the clause 4–10 management-system requirements. The VDA ISA Information Security module carries 45 controls and 297 individual requirements at the High protection level assessed under AL2, with another 17 requirements layered in for Very High protection at AL3. In practice, that module is a structured overlay on ISO 27001:2022 Annex A, and an organization running a real, certified ISMS will recognize almost every control in it.

That is where the 70–80% comes from, and it holds up. The catch is the denominator. It is 70–80% of the Information Security module, not of TISAX as a whole.

Where the two genuinely meet

If you hold an ISO 27001:2022 certificate, these are the areas where your ISMS already does most of what an ISA assessor will ask about:

  • Governance and risk management map straight onto ISO clauses 5 and 6 and Annex A 5.1–5.8. ISO 27001's risk discipline is its core, and it is the part TISAX leans on hardest.
  • Asset management, including the software-approval requirement added in ISA 6, lines up with A.5.9–5.14.
  • Human resources security (screening, terms of employment, awareness, offboarding) maps to A.6.1–6.8.
  • Identity and access management corresponds to A.5.15–5.18 and A.8.2–8.5.
  • Cryptography and operations security, covering key management, logging, malware protection, vulnerability management, and backup, map across A.8.6–8.24, with the ISA's backup and IT-service-continuity controls (5.2.8, 5.2.9) landing in A.5.30 and A.8.13–8.14.
  • Supplier relationships map to A.5.19–5.23, an area both standards take seriously and ISA assessors probe closely.
  • Incident management and compliance map to A.5.24–5.28 and A.5.31–5.36.

Across these, a certified ISMS is not so much a head start as the substance of the requirement. This is the 70–80%, and it is why nobody should rebuild from scratch.


Where ISO 27001 stops, and TISAX keeps going

The overlap is only useful if you are honest about the gap. Five things sit outside what an ISO 27001 certificate gives you, and they are the reason an OEM asks for TISAX specifically rather than accepting your certificate.

The Prototype Protection module has no direct equivalent in ISO 27001 Annex A. It governs the physical and logical protection of pre-production parts, vehicles, and data: receiving and storage, access control to prototype areas, handling of CAD files and test results, camouflage for test drives on public roads, and protection of models used in photo and film shoots. Its nearest ISO relatives are asset classification and handling (A.5.9–5.13) and the physical security perimeter (A.7.1–7.4), but those are starting points, not coverage. An assessor evaluating the prototype protection label will physically walk the areas. If your asset register stops at information assets and never reached the prototype bay, this is net-new work.

The Data Protection module was expanded in ISA 6 to cover GDPR obligations for suppliers acting as data processors for an OEM: legal basis, records of processing, data-subject rights, DPIAs, technical and organizational measures under Article 32, breach notification, and international-transfer mechanisms. It is rooted in Regulation (EU) 2016/679, not in ISO 27001. The closest standards-based fit is ISO/IEC 27701, the privacy extension to 27001, not 27001 itself. Treat it as a few extra controls rather than a data-protection programme and you will mis-scope it.

The maturity-evidence model is the difference suppliers underestimate most. ISA scores every applicable control on a scale from 0 to 5, and for both AL2 and AL3 the target is level 3, "established": the process is documented, implemented, and verifiably practiced. ISO 27001 is conformity-based. A control conforms or it does not. "We have a policy" sits around level 2; "the policy is consistently followed and evidenced" is level 3, and the distance between those two is where unprepared suppliers lose marks. An ISA assessor will not take "we are ISO 27001 certified" as a passing score. They verify implementation evidence row by row. Certification cuts your preparation effort. It does not replace the evidence.

The automotive weighting inside the shared controls is easy to miss. Even where a control maps cleanly, TISAX often pushes further than a generic ISMS would. ISA 6 puts real weight on network segmentation between office and operational-technology (OT) environments, on remote access to manufacturing systems, and on patch management for embedded systems. It also added an availability dimension: the old single "Information Security" label was split into separate Confidentiality and Availability labels, reflecting a sharper focus on resilience and ransomware response. An ISMS scoped only for confidentiality will be thin here.

The mechanism and the scope differ even when the controls do not. ISO 27001 gives you a certificate over a scope you define. TISAX gives you labels, shared through the ENX portal, over a scope the OEM drives through its exchange request. Same ISMS underneath. Different boundary, different proof, different reader.

Want to see where your own gaps sit, control by control? Two self-service tools give you a gap report without a call: the ISO 27001 audit hub scores your ISMS against Annex A, and the TISAX audit hub walks the VDA ISA controls.

The reverse is also true: a TISAX label is not an ISO 27001 certificate

This is worth stating plainly, because the assumption runs both ways. A TISAX label does not hand you an ISO 27001 certificate to show a non-automotive client. There is no Statement of Applicability to produce, and the label means little to a bank, a SaaS buyer, or a public tender that asks specifically for ISO 27001. The two do not substitute for each other in either direction, which is the real reason suppliers serving automotive and other sectors end up maintaining both.

The overlap, mapped

Here is where a certified ISO 27001:2022 ISMS lands against each part of a TISAX assessment:


  • Governance, risk, asset, HR, identity and access, cryptography, supplier, incident, and compliance: these map to ISO 27001 clauses 4–10 and most of Annex A 5.x, 6.x, and 8.x. Coverage from a certified ISMS: strong.
  • General physical security: maps to A.7.1–7.14. Coverage: strong.
  • Operations security with availability and OT weighting: maps to A.8.6–8.23 and A.5.30. Coverage: partial.
  • The availability label (new in ISA 6): maps to A.5.29–5.30 and A.8.13–8.14. Coverage: partial.
  • The Prototype Protection module: the nearest ISO relatives are A.5.9–5.13 and A.7.1–7.4. Coverage: minimal.
  • The Data Protection module: aligns to GDPR and ISO 27701, not ISO 27001. Coverage: minimal.
  • The maturity-evidence model (0–5, target level 3): no ISO equivalent, because ISO 27001 is conformity-based and a control either conforms or it does not. Coverage: none.

The pattern is consistent. The overlap is strong inside the Information Security module and falls away quickly once the prototype protection or data protection labels are in scope, or once the assessor starts grading maturity instead of conformity.

For the full control-by-control version of this table, with every ISA area mapped to its ISO 27001:2022 controls, see our ISO 27001 to VDA ISA 6 control mapping.

What this means for "do I need both?"

The decision follows the scope, not the slogan. If the OEM only requires an Information Security label, your certified ISMS gets you most of the way, and the real work is the maturity evidence and the automotive-specific weighting. That is meaningful, but bounded. If the exchange request also calls for prototype protection or data protection labels, the gap is larger and a different shape, because those modules live mostly outside ISO 27001. And if your growth depends on customers beyond automotive, you still need the ISO 27001 certificate they recognize, so dropping it was never on the table.

There is a practical upside worth planning for. Running the two programmes together, rather than one after the other, reuses the shared controls and evidence and usually takes 20–30% less effort. The prerequisite is mapping the overlap honestly at the start, which is what this whole piece is about.

Common mistakes we see

When we review a supplier's posture before a TISAX assessment, the same patterns come back, and almost all of them trace to over-trusting the overlap:

  • Treating an ISO 27001 certificate as a TISAX pass. The assessor still verifies every applicable ISA control, with evidence, at the required maturity level.
  • Leaving the asset register at information assets only, then walking into a prototype protection scope with no physical-asset controls behind it.
  • Letting the TISAX scope and the ISMS scope drift apart. The ISA cover sheet maps to the context-of-the-organization requirement in ISO clause 4, and a divergence between the two is itself a finding.
  • Scoring maturity level 2 ("we have it written down") as if it were level 3 ("it is consistently practiced and evidenced").
  • Ignoring the Data Protection module until the OEM triggers it, then discovering it is a GDPR programme, not a handful of extra controls.
  • Assuming an ISMS scoped for confidentiality already satisfies the availability requirements ISA 6 introduced.

None of these need a war story to make the point. They are structural, and they come from reading "80% overlap" as "80% done."

How ITIS-Secure helps

Our gap assessments start where this article ends. We map your current ISO 27001 ISMS against the specific TISAX labels your OEM requires, mark every control area as strong, partial, or net-new, and hand you a scoped plan instead of a percentage. Whether you are weighing TISAX preparation, already hold ISO 27001, or are planning both at once, we can show you where the work is, and where it isn't.

If you would rather start on your own, those same audit hubs (ISO 27001, TISAX) return a gap report you can bring to the conversation.

Book your free gap assessment and we will map your posture against your target labels and give you a clear, honest roadmap.


Frequently asked questions

Does ISO 27001 cover TISAX?

Not fully. A certified ISO 27001:2022 ISMS covers roughly 70–80% of the VDA ISA Information Security module, because TISAX is built on ISO 27001 Annex A. It does not cover the prototype protection or data protection modules, the maturity-evidence model, or the automotive-specific weighting, which is why an ISO 27001 certificate is not accepted in place of a TISAX label.

Is ISO 27001 certification required to get TISAX?

No. TISAX is an independent assessment with its own catalogue, and you can achieve a label without an ISO 27001 certificate. Holding one reduces the preparation effort considerably, because the shared Information Security controls are already in place.

How much of TISAX does ISO 27001 actually cover?

Around 70–80% of the Information Security module. Measured against a full TISAX scope that also includes prototype protection or data protection labels, the effective coverage is lower, because those modules sit largely outside ISO 27001.

Can I use one ISMS for both ISO 27001 and TISAX?

Yes. The same ISMS underpins both, and running them together reuses most of the controls and evidence. You add the TISAX-specific elements (prototype protection, data protection, and the maturity evidence) on top of the certified foundation.

Does a TISAX label count as ISO 27001 certification?

No. A TISAX label is shared through the ENX portal and is meaningful to automotive partners. It is not an ISO 27001 certificate, produces no Statement of Applicability, and is not recognized by clients or tenders that ask specifically for ISO 27001.

Is it cheaper to do both together?

Usually. Preparing for TISAX and ISO 27001 in parallel, rather than sequentially, typically saves 20–30% of effort by reusing shared controls, evidence, and audit preparation.

This article is general information about ISO 27001 and TISAX, not legal or certification advice. Your OEM's exchange request, the current VDA ISA 6.0.3 catalogue, and your own risk context determine exactly which controls and labels apply to you.

Iulian Bozdoghina

"Iulian Bozdoghina is a veteran cybersecurity strategist with over 15 years of experience in securing automotive supply chains and critical infrastructure. He specializes in TISAX®, ISO 27001, and the emerging NIS2/DORA regulatory landscape."

ISO 27001 Lead Auditor · TISAX® Specialist · ISO 14001 Auditor · ISO 42001 Auditor
