What are the differences between ISO 27001:2022 and TISAX®?
1. Requirements catalog
The basis of TISAX® is the VDA-ISA requirements catalog. This catalog is based on the controls of ISO 27001 and adapts them to the suppliers of the automotive industry.
Added to this are
- special requirements for processing personal data
- non-disclosure agreements
- prototype protection
which are not included in ISO 27001:2022.
The controls of the VDA-ISA catalog require specific evidence of implementation, while the measures in ISO 27001:2022 are more generic.
The TISAX® requirements catalog also distinguishes between "must" and "should" requirements, as well as between the requirements for "high protection needs" and "very high protection needs".
2. Audit process
ISO 27001:2022 certification requires an audit demonstrating that the measures, requirements and control objectives have been effectively implemented.
TISAX® focuses on the assessment objectives.
There are 8 of them; at least one assessment objective must be defined, but several can be selected.
Depending on the audit objective, different ISMS processes and measures must be implemented.
Each audit objective is found in the VDA-ISA requirements catalog and is the benchmark for the ISMS.
In a TISAX® assessment, there are three different audit levels, the so-called assessment levels, each with correspondingly different requirements:
- Level 1 means self-assessment and is very rarely accepted.
- Level 2 includes a document review combined with a remote audit.
- Level 3 also includes a document review, but is combined with an on-site audit.
In contrast to ISO 27001:2022, the TISAX® requirements catalog has a defined maturity level concept with 6 levels (from 0 to 5).
Each required measure must reach at least the target maturity level of 3.

Once successfully completed, the TISAX® label is valid for 3 years.
In comparison with ISO 27001:2022, there are no annual surveillance audits by a certified TISAX® auditor to verify continuous improvement of the ISMS.
If the TISAX® audit is completed with a minor non-conformance, companies have 9 months from the date of the audit to close it. During this period the company receives a preliminary label; once all minor deviations are closed, it receives the final label.
ISO 27001:2022 does not have this process.
3. Scope
With ISO 27001:2022, companies can define the scope themselves.
This means that with ISO 27001:2022, the scope can also be limited to sub-areas of the company.
In the case of a TISAX® assessment, the scope is already specified.
In most cases, the standard scope of the site is selected, which covers the procedures, processes and resources of the entire company.
In individual cases, the reduced or extended scope may also be applied here.
For example, a company may outsource certain activities, delegate them to partner companies or suppliers, or carry them out in separate subsidiaries.