Introduction
ISO/IEC 27001:2022 and TISAX® (VDA ISA 6.0) are two important frameworks for information security - one international and industry-neutral, the other developed specifically for the automotive industry. Both help companies to build a robust information security management system (ISMS), but they do so with a different focus. In this article, we compare the similarities and differences between ISO/IEC 27001:2022 and TISAX® VDA ISA 6.0, giving information security professionals a concise overview of how both standards cover basic security measures, where their focus lies and what new requirements the current revision brings with it.
Common foundations: ISMS, risk management and PDCA
ISO/IEC 27001:2022 and TISAX® VDA ISA 6.0 are both based on the proven principles of an ISMS. The central element is a risk-based approach: both frameworks require companies to systematically identify and assess security risks and address them with suitable measures. Both also rely on the principle of continuous improvement according to the PDCA cycle (Plan - Do - Check - Act). This means that organizations should plan, implement, monitor and optimize their information security measures on an ongoing basis. This methodology ensures that information security is not seen as a one-off project, but as an ongoing process.
In addition, both standards cover basic security measures. These include, for example, guidelines for access control, physical security measures, employee awareness training, incident management, the use of cryptography and many other organizational and technical controls. In their core requirements, ISO 27001 and TISAX® therefore ensure that a company has established a comprehensive set of basic security measures to guarantee the confidentiality, integrity and availability of information.
Different focus: industry neutrality vs. automotive specifics
Despite the common basis, the two frameworks differ significantly in their scope and focus. ISO/IEC 27001:2022 is a globally recognized standard that is formulated in an industry-neutral way. It is suitable for organizations of all sizes and industries. The 2022 revision has made ISO 27001 even broader and more modern - new controls have been introduced to take account of current technologies and threats (such as cloud use, threat intelligence, etc., see below). ISO 27001 thus provides a general best practice foundation for information security that can be applied flexibly to different contexts.
VDA ISA 6.0 (TISAX®), on the other hand, was developed specifically for the requirements of the automotive industry. It goes into much greater detail in certain areas in order to meet the special protection requirements in the networked automotive supply chain. TISAX® contains specific requirements that are not explicitly addressed in ISO 27001, for example: prototype protection (protection of secret development projects and pre-production models from unauthorized access or leaks), determination of protection requirements in the automotive context (fine-grained classification of which information is critical and to what degree - for example, differentiation between development data, production data, customer data, etc.), as well as extended specifications for business continuity management (BCM), which here specifically includes IT service continuity in production environments. TISAX® also requires mature crisis management - companies must prove that they have specific emergency plans and playbooks (predefined instructions for action) in place for security-related incidents and crises (e.g. cyber attacks, supply chain failures). Another industry-specific aspect is provider segmentation: automotive manufacturers expect their suppliers to strictly separate service provider and partner networks so that, for example, development data from different customers is clearly isolated and external IT service providers only have controlled access to relevant sub-areas. These additional focal points make it clear that TISAX® aims to specifically cover the deeper risks of the automotive industry - from pre-development to networked production.
ISO/IEC 27001:2022 - New controls for modern technologies
With the 2022 update, ISO/IEC 27001 has introduced several new controls (security measures) that adapt the standard to current developments in technology and the threat situation. A total of eleven new controls have been adopted from ISO 27002:2022. Below is an overview of these new measures and how they are to be classified:
- A.5.7 Threat intelligence - Introduction of threat intelligence: organizations should collect and evaluate information about current threats in order to be able to react to new risks at an early stage.
- A.5.23 Cloud use - Specific requirements for the secure use of cloud services: regulates, for example, the selection of trustworthy cloud providers, securing cloud configurations and dealing with shared responsibilities in the cloud.
- A.5.30 ICT readiness for business continuity - Ensures that the IT/ICT infrastructure is prepared for emergencies: the availability of IT services should be ensured through contingency planning, backup strategies and redundancies in order to maintain business processes even in the event of incidents.
- A.7.4 Physical security monitoring - Extends physical protection through monitoring, e.g. video surveillance or alarm systems, to detect unauthorized access to buildings or data centers at an early stage.
- A.8.9 Configuration management - Requires controlled management of system and security configurations (for servers, clients, network devices, etc.) to ensure a consistent level of security and avoid misconfiguration as an attack vector.
- A.8.10 Deletion of information - Introduction of a control for secure data deletion: companies must have procedures in place to delete or destroy information at the end of its lifecycle in a reliable and data protection-compliant manner (e.g. when data carriers are decommissioned).
- A.8.11 Data masking - Requires the use of data masking techniques to protect sensitive data in non-production environments or tests (e.g. anonymizing or pseudonymizing real data so that developers or testers do not access plain text customer data).
- A.8.12 Data leakage prevention - This refers to data leakage prevention (DLP): measures to detect and prevent unauthorized data leakage (e.g. DLP software, monitoring of data transfers, policies against uploading confidential data to insecure clouds).
- A.8.16 Monitoring activities - General security monitoring requirements: companies should continuously monitor security-related activities (e.g. log management, use of SIEM systems, anomaly detection) in order to detect incidents quickly.
- A.8.23 Web filtering - Requirement to control and filter web access to block access to malicious or unwanted websites (often via proxy/URL filter or secure web gateway), reducing the attack surface, e.g. for malware.
- A.8.28 Secure coding - Establishes guidelines for secure coding practices in software development: developers should follow secure coding guidelines to avoid vulnerabilities in the first place (e.g. input validation, secure libraries, code reviews for security).
These new controls make it clear that ISO/IEC 27001:2022 addresses current topics such as cloud security, proactive threat prevention and modern development practices. For companies, this means that an ISO 27001:2022-compliant ISMS now addresses today's digital landscape even more comprehensively - an advantage that TISAX does not cover in all respects, as it is strongly focused on the automotive context.
VDA ISA 6.0 (TISAX®) - Extended requirements of the automotive industry
Version 6.0 of the VDA ISA catalog, on which TISAX® is based, has also introduced innovations to meet current challenges and expand industry-specific depth. Some striking new or extended requirements in TISAX® (VDA ISA 6.0) are:
- Business Continuity Management & IT Service Continuity - TISAX® now places even greater emphasis on BCM, particularly with regard to the continuity of critical IT services. Companies must prove that they have taken precautions to keep important business processes and production IT running in the event of disruptions (including cyber attacks).
- Incident response and crisis management with playbooks - The requirements for incident and crisis management have been significantly expanded. Companies should have playbooks or defined emergency procedures ready to respond quickly and in a coordinated manner in the event of security incidents or crises (such as ransomware attacks). This includes clear roles, escalation paths and regular exercises of these scenarios.
- Provider segmentation - Separating and securing access for different partners plays a major role in the automotive industry supply chain. TISAX® 6.0 explicitly requires external service providers and partner connections to be segmented and operated in isolation from the rest of the network. This minimizes the risk of a compromised partner access affecting the entire IT environment.
- Strengthening cyber resilience (e.g. against ransomware/APT) - Several new control questions in ISA 6.0 are aimed at increasing resilience to advanced threats. These include stricter requirements for offline backups, disaster recovery plans and protection concepts against advanced persistent threats (APT). These requirements supplement the existing package of measures in order to ward off attacks with high damage potential in particular.
- Shop floor security & OT integration - Another new feature is the explicit inclusion of production IT and OT (operational technology). ISA 6.0 references the IEC 62443-2 standard, for example, to ensure that information security does not end at the office door, but is taken into account right through to the production facilities and networked machines.
With these additions, TISAX® ensures that auditing in accordance with VDA ISA 6.0 is even better tailored to the current needs of the automotive industry. Topics such as prototype protection and data protection (there is a separate module for personal data in the TISAX® catalog) were already unique to TISAX® in previous versions; with version 6.0, operational resilience and supply chain security are now even more important. This means that TISAX® requires more depth and verification in certain areas than ISO 27001 - especially where industry-specific risks are concerned.
Assessment model and certification process
An important difference between ISO 27001 and TISAX® lies in the assessment and certification approach. ISO/IEC 27001 requires formal certification by an independent accredited certification body. The ISO audit primarily checks whether all required controls have been effectively implemented - essentially a binary verification ("compliant" or "non-compliant" in the event of deviations). If the audit is successful, the company receives an ISO 27001 certificate. This certificate is internationally recognized and typically valid for three years, with annual surveillance audits to check ongoing compliance.
TISAX®, on the other hand, does not issue a classic certificate, but a label that is made available to participating companies via the ENX portal. The audit is carried out by audit providers recognized by the ENX Association in accordance with the VDA ISA catalog. Unlike ISO, TISAX® uses a maturity model: the auditors assess how well a measure is implemented, not just whether it is in place. There are different maturity levels (e.g. from 0 = not implemented to 5 = optimized), whereby a certain level (often maturity level 3 = defined/established) must usually be achieved in all relevant controls for a successful TISAX® result. This approach encourages a deeper examination of the maturity level of the company's security processes.
The result of a TISAX® assessment is stored in the ENX portal as a label with a defined validity (usually also three years). There are no publicly displayed certificates; instead, authorized partners (e.g. OEMs) can view the TISAX® result online. The process is designed to enable the trustworthy exchange of assessment results within the industry - so a supplier does not have to carry out separate audits for each individual OEM, but the one TISAX® assessment is recognized by all of them. Another special feature: TISAX® recognizes different assessment levels depending on the protection requirements (e.g. TISAX® Level 1, 2, 3), which determine the scope and depth of the assessment. Higher levels (especially level 3 for very high protection requirements) mean much stricter audits - here, for example, more intensive on-site audits are required - sometimes going beyond what is covered by a standard ISO 27001 audit.
The certification process itself is therefore different: ISO 27001 certificates are awarded by certification bodies and are widely visible as a seal of approval; TISAX® relies on a collaborative approach where the label is managed in a central platform. Both credentials are important in their respective spheres - for example, the international business world often requires an ISO 27001 certificate as proof of general security maturity, while major automotive manufacturers require a valid TISAX® result from their suppliers. In many cases, it makes sense (or is required by the customer) for an automotive supplier to have both.
Conclusion
ISO/IEC 27001:2022 and TISAX® VDA ISA 6.0 are each strong frameworks that help companies to systematically implement information security. ISO 27001 impresses with its broad applicability and updates to modern technologies, making it a universal standard for a wide range of industries. TISAX®, on the other hand, shines due to its depth in the industry-specific requirements of the automotive industry - it addresses detailed aspects that are crucial for security in complex supply chains and development networks.
For companies in the automotive industry, this results in a clear mandate: ISO 27001 certification lays a solid foundation and signals general security competence, but it is not enough. The specific requirements of the automotive world - from prototype protection and IT service continuity to strict partner management - are only comprehensively covered by a TISAX® assessment. Anyone working in this industry should therefore also fulfill the TISAX® requirements in addition to ISO certification. Ideally, organizations should make use of synergies between the two systems: a well-implemented ISMS in accordance with ISO 27001 facilitates the path to TISAX® and, conversely, TISAX® ensures that no security detail relevant to the automotive industry is overlooked. In short: both systems have their strengths - used together, they offer the greatest added value in order to seamlessly anchor information security both at a general level and in a specific industry context.