
ISO 27001, TISAX, Information security, Cybersecurity, Automotive industry, ISMS, VDA ISA 6.0
April 7, 2025
ISO/IEC 27001:2022 vs. TISAX® VDA ISA 6.0 – A Comparison of Both Standards
Introduction
ISO/IEC 27001:2022 and TISAX® (VDA ISA 6.0) are two important frameworks for information security – one is international and industry-neutral, while the other is specifically developed for the automotive industry. Both help organizations establish a robust Information Security Management System (ISMS), but they do so with different focuses. In this article, we compare the similarities and differences between ISO/IEC 27001:2022 and TISAX® VDA ISA 6.0. Information security professionals will get a precise overview of how both standards cover fundamental security measures, where their emphases lie, and what new requirements each current revision brings.
Common Foundations: ISMS, Risk Management, and PDCA
ISO/IEC 27001:2022 and TISAX® VDA ISA 6.0 both rely on the established principles of an ISMS. A central element is a risk-based approach: Both frameworks require that organizations systematically identify, assess, and address security risks with appropriate measures. They also both adhere to the principle of continuous improvement according to the PDCA cycle (Plan – Do – Check – Act). This means that organizations should continually plan, implement, monitor, and optimize their information security measures. This methodology ensures that information security is understood not as a one-time project but as an ongoing process.
Furthermore, both standards cover fundamental security measures. These include, for example, policies for access control, physical security measures, employee awareness training, incident management, the use of cryptography, and many other organizational and technical controls. In their core requirements, ISO 27001 and TISAX® ensure that a company has established a comprehensive set of baseline protection measures to ensure confidentiality, integrity, and availability of information.
Different Focus: Industry Neutrality vs. Automotive Specifics
Despite the common foundation, the two frameworks differ significantly in their scope and focus. ISO/IEC 27001:2022 is a globally recognized standard that is formulated in an industry-neutral manner. It is suitable for organizations of all sizes and sectors. With the 2022 revision, ISO 27001 has been broadened and modernized – new controls have been introduced to address current technologies and threats (such as cloud usage, threat intelligence, etc.; see below). Hence, ISO 27001 provides a general best-practice foundation for information security that can be applied flexibly to different contexts.
VDA ISA 6.0 (TISAX®), on the other hand, has been developed specifically for the requirements of the automotive industry. It goes significantly deeper in certain areas to meet the specific protection needs of the connected automotive supply chain. For example, TISAX® includes requirements that are not explicitly addressed in ISO 27001, such as prototype protection (protecting secret development projects and pre-series models from unauthorized access or leaks), protection needs assessment in the automotive context (fine-grained classification of which information is critically important, e.g., distinguishing between development data, production data, customer data, etc.), and extended requirements for Business Continuity Management (BCM), which explicitly include IT service continuity in production environments. TISAX® also demands sophisticated crisis management: companies must demonstrate that they have concrete emergency plans and playbooks (predefined action instructions) in place for security-relevant incidents and crises (e.g., cyberattacks, supply chain failures). Another industry-specific aspect is provider segmentation: automotive manufacturers expect their suppliers to strictly separate contractor and partner networks, so that, for example, development data from different customers is cleanly isolated and external IT service providers have only controlled access to the relevant sub-areas. These additional focuses make clear that TISAX® aims to address the deeper risks specific to the automotive industry – from pre-development to connected production.
ISO/IEC 27001:2022 – New Controls for Modern Technologies
With the 2022 update, ISO/IEC 27001 introduced several new controls (security measures) that adapt the standard to current developments in technology and the threat landscape. In total, eleven new controls from ISO 27002:2022 have been adopted. Below is an overview of these new measures and how they are categorized:
• A.5.7 Threat Information – Introduction of Threat Intelligence: Organizations should collect and assess information about current threats to respond early to new risks.
• A.5.23 Cloud Usage – Specific provisions for the secure use of cloud services: Regulates, for example, the selection of trusted cloud providers, securing cloud configurations, and dealing with shared responsibilities in the cloud.
• A.5.30 ICT Readiness for Business Continuity – Ensures that the IT/ICT infrastructure is prepared for emergencies: The availability of IT services should be ensured through emergency planning, backup strategies, and redundancies to maintain business processes even in the event of incidents.
• A.7.4 Physical Security Monitoring – Expands physical protection through monitoring, such as video surveillance or alarm systems, to detect unauthorized access to buildings or data centers early.
• A.8.9 Configuration Management – Requires controlled management of system and security configurations (for servers, clients, network devices, etc.) to ensure a consistent security level and avoid misconfigurations as an attack vector.
• A.8.10 Deletion of Information – Introduction of a control for secure data deletion: Companies must have procedures in place to delete or destroy information reliably, and in accordance with data protection regulations, at the end of its lifecycle (e.g., when decommissioning data carriers).
• A.8.11 Data Masking – Requires the use of techniques for data masking to protect sensitive data in non-production environments or tests (e.g., anonymizing or pseudonymizing real data so that developers or testers do not have access to unencrypted customer data).
• A.8.12 Prevention of Data Leaks – Refers to Data Leakage Prevention (DLP): Measures to detect and prevent unauthorized data flows (such as DLP software, monitoring data transfers, policies against uploading confidential data to insecure clouds).
• A.8.16 Monitoring Activities – General Security Monitoring requirements: Companies should continuously monitor security-relevant activities (e.g., log management, using SIEM systems, detecting anomalies) to quickly uncover incidents.
• A.8.23 Web Filtering – Requirement to control and filter web access to block access to malicious or unwanted websites (often via proxy/URL filters or Secure Web Gateways), which reduces the attack surface for malware, for example.
• A.8.28 Secure Coding – Establishes guidelines for Secure Coding Practices in software development: Developers should follow secure programming guidelines to avoid vulnerabilities from the outset (e.g., input validation, secure libraries, security code reviews).
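As an added illustration of what the A.8.11 data-masking control asks for in practice (this is example code written for this article, not part of the original text and not prescribed by either standard), the following Python script pseudonymizes a few constructed customer records before they are copied into a test environment. Identifiers that tests must be able to join on (customer ID, VIN) are replaced with keyed HMAC-SHA256 pseudonyms, so referential integrity survives but the original value cannot be recovered without the key; fields testers only need to see partially (IBAN, e-mail) are masked. The sample records and the demo key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample data: fictitious records of the kind that would be copied
# from a production database into a test system. Not real customer data.
PRODUCTION_RECORDS = [
    {"customer_id": "C-1001", "email": "anna.example@example.com",
     "iban": "DE89370400440532013000", "vin": "WVWZZZ1JZXW000001", "order_total": 1299.00},
    {"customer_id": "C-1002", "email": "ben.example@example.com",
     "iban": "DE02120300000000202051", "vin": "WVWZZZ1JZXW000002", "order_total": 450.50},
    {"customer_id": "C-1001", "email": "anna.example@example.com",
     "iban": "DE89370400440532013000", "vin": "WVWZZZ1JZXW000003", "order_total": 89.99},
]

# Demo key for the example only. In practice the key comes from a secrets store
# and is never deployed to the test environment that receives the masked data.
DEMO_KEY = b"example-only-replace-with-a-managed-secret"


def pseudonymize(value: str, key: bytes, prefix: str = "") -> str:
    """Deterministic, keyed, one-way replacement: the same input under the same
    key always yields the same pseudonym, so joins across tables still work."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return f"{prefix}{tag}"


def mask_iban(iban: str) -> str:
    """Keep the country code and the last four characters, hide the rest."""
    if len(iban) <= 6:
        return "*" * len(iban)
    return iban[:2] + "*" * (len(iban) - 6) + iban[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        return "***"
    return f"{local[0]}***@{domain}"


def mask_record(record: dict, key: bytes) -> dict:
    return {
        "customer_id": pseudonymize(record["customer_id"], key, "P-"),
        "email": mask_email(record["email"]),
        "iban": mask_iban(record["iban"]),
        "vin": pseudonymize(record["vin"], key, "VIN-"),
        # Non-identifying business value is kept so tests stay realistic.
        "order_total": record["order_total"],
    }


def mask_dataset(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]


def referential_integrity_preserved(original: list, masked: list) -> bool:
    """Every original customer_id maps to exactly one pseudonym and vice versa."""
    mapping = {}
    for o, m in zip(original, masked):
        if mapping.setdefault(o["customer_id"], m["customer_id"]) != m["customer_id"]:
            return False
    return len(set(mapping.values())) == len(mapping)


def leaks_original_identifiers(original: list, masked: list) -> bool:
    """Check that no raw customer_id, VIN, e-mail or IBAN survives in the output."""
    serialized = json.dumps(masked)
    for o in original:
        for field in ("customer_id", "vin", "email", "iban"):
            if o[field] in serialized:
                return True
    return False


if __name__ == "__main__":
    masked = mask_dataset(PRODUCTION_RECORDS, DEMO_KEY)
    print(json.dumps(masked, indent=2))
    print("referential integrity:", referential_integrity_preserved(PRODUCTION_RECORDS, masked))
    print("raw identifiers leaked:", leaks_original_identifiers(PRODUCTION_RECORDS, masked))
```

The design point is the split between the two operations: pseudonymization with a secret key where the test suite needs stable identifiers, and plain masking where it does not. A salted hash without a key would be reversible by anyone who can enumerate the identifier space (customer IDs and VINs are short and structured), which is why an HMAC under a key held outside the test environment is used instead.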
These new controls underscore that ISO/IEC 27001:2022 addresses current topics such as cloud security, proactive threat defense, and modern development practices. For companies, this means that an ISO 27001:2022-compliant ISMS now comprehensively addresses today’s digital landscape – a benefit that TISAX® does not cover in all respects, as it is strongly focused on the automotive context.
VDA ISA 6.0 (TISAX®) – Extended Requirements of the Automotive Industry
Version 6.0 of the VDA ISA catalog, on which TISAX® is based, has also introduced new elements to address current challenges and expand industry-specific depth. Some notable new or extended requirements in TISAX® (VDA ISA 6.0) are:
• Business Continuity Management & IT Service Continuity – TISAX® now places even greater emphasis on BCM, especially regarding the continuity of critical IT services. Companies must demonstrate that they have taken measures to keep important business processes and production IT running in the event of disruptions (including cyberattacks).
• Incident Response and Crisis Management with Playbooks – The requirements for incident and crisis management have been significantly expanded. Companies should have playbooks or defined emergency procedures on hand to respond quickly and effectively to security incidents or crises (such as ransomware attacks). This includes clear roles, escalation paths, and regular exercises of these scenarios.
• Provider Segmentation – In the automotive industry's supply chain, separating and securing access for different partners is of great importance. TISAX® 6.0 explicitly requires that external service providers and partner connections be segmented and isolated from the rest of the network. This minimizes the risk that a compromised partner access affects the entire IT environment.
• Strengthening Cyber Resilience (e.g., against Ransomware/APT) – Several new control questions in ISA 6.0 aim to increase resilience against sophisticated threats. This includes stricter guidelines for offline backups, emergency restart plans, and protection concepts against advanced persistent threats (APT). These guidelines complement the existing set of measures to effectively counter attacks with high damage potential.
• Shopfloor Security & OT Integration – The explicit inclusion of production IT and OT (Operational Technology) is new. ISA 6.0 references the standard IEC 62443-2 to ensure that information security does not stop at the office door but is considered all the way into manufacturing facilities and connected machines.
Through these additions, TISAX® ensures that an assessment according to VDA ISA 6.0 is even better tailored to the current needs of the automotive industry. Topics such as prototype protection and data privacy (for personal data, there is a dedicated module in the TISAX® catalog) were already unique to TISAX® in previous versions; with version 6.0, operational resilience and supply chain security are now also given greater emphasis. This means TISAX® demands more depth and proof in certain areas than ISO 27001 – especially where industry-specific risks are concerned.
Assessment Model and Certification Process
An important difference between ISO 27001 and TISAX® lies in the assessment and certification approach. ISO/IEC 27001 requires a formal certification by an independent accredited certification body. The ISO audit primarily checks whether all required controls are effectively implemented – essentially a binary proof (“compliant” or “non-conformity” in case of deviations). If the audit is successful, the company receives an ISO 27001 certificate. This certificate is internationally recognized and typically valid for three years, during which ongoing conformity is verified through annual surveillance audits.
TISAX® does not award a classic certificate but a label that is made accessible to participating companies through the ENX portal. The examination is carried out by audit providers recognized by the ENX association, according to the VDA ISA catalog. Unlike ISO, TISAX® employs a maturity model: auditors assess how well a measure is implemented, not just whether it exists. There are different maturity levels (e.g., from 0 = not implemented to 5 = optimized), and a certain level (often maturity level 3 = defined/established) typically needs to be achieved across all relevant controls for a successful TISAX® result. This approach promotes a deeper engagement with the maturity of security processes within the organization.
The result of a TISAX® assessment is stored as a label with a defined validity (usually also three years) in the ENX portal. There are no publicly displayed certificates; instead, authorized partners (e.g., OEMs) can view the TISAX® result online. The process is designed to enable the trustworthy exchange of audit results within the industry – thus, a supplier does not have to conduct separate audits for each OEM, but rather one TISAX® assessment is recognized by all. Another unique feature: TISAX® recognizes different assessment levels depending on protection needs (e.g., TISAX® Level 1, 2, 3), which determine the scope and depth of the examination. Higher levels (especially Level 3 for very high protection needs) entail much stricter examinations – such as requiring more intense on-site audits that sometimes go beyond what a typical ISO 27001 audit covers.
The certification procedure itself differs: ISO 27001 certificates are awarded by certification bodies and are widely recognized as a quality seal; TISAX® relies on a collaborative approach where the label is managed on a central platform. Both proofs are important in their respective spheres – the international business world often demands an ISO 27001 certificate as proof of general security maturity, while large automotive manufacturers strictly require a valid TISAX® result from their suppliers. In many cases, it is sensible (or mandated by the customer) for an automotive supplier to demonstrate both.
Conclusion
ISO/IEC 27001:2022 and TISAX® VDA ISA 6.0 are both strong frameworks that assist organizations in systematically implementing information security. ISO 27001 impresses with its wide applicability and updates for modern technologies, thereby serving as a universal standard for various industries. TISAX®, on the other hand, shines with its depth in the industry-specific requirements of the automotive industry – it addresses detailed aspects crucial for safety in complex supply chains and development networks.
For companies in the automotive industry, this provides a clear mandate: an ISO 27001 certification lays a solid foundation and signals general security competence, but it is not sufficient. The specific requirements of the automotive world – from prototype protection to IT service continuity to strict partner management – are comprehensively covered only by a TISAX® assessment. Therefore, those operating in this industry should meet the TISAX® requirements in addition to ISO certification. Ideally, organizations utilize the synergies of both systems: a well-implemented ISMS according to ISO 27001 eases the path to TISAX®, and conversely, TISAX® ensures that no security detail relevant to the automotive industry is overlooked. In short: both systems have their strengths – used together, they provide the greatest added value in embedding information security comprehensively, in both a general and an industry-specific context.
