What is the primary objective of **TISAX**?

**TISAX's primary objective is to standardize information security assessments and enable secure exchange of results across the automotive supply chain.** Developed by the ENX Association using the VDA ISA catalog version 5.0.4 (with updates to 6.0), it verifies protection of sensitive data like IP, prototypes, and personal information against cyber threats via three maturity levels: Basic, Significant, and Very High.

Who is legally or professionally required to comply with **TISAX**?

**TISAX is contractually required by OEMs for automotive suppliers, service providers, and partners handling sensitive data.** Targets include Tier 1/2 suppliers, OEMs (e.g., Volkswagen, BMW), logistics firms, IT/cloud vendors, and R&D contractors processing OEM IP, prototypes, or ADAS software; scalable for SMEs to multinationals, often mandated in RFPs for portal access.

Does **TISAX** require an external audit or third-party certification?

**Yes, TISAX requires external audits by ENX-accredited providers (e.g., DQS, TÜV) for Significant and Very High levels.** AL1 is self-assessment (no label); AL2 involves remote plausibility checks; AL3 mandates on-site audits with interviews and facility inspections, issuing labels valid for 3 years uploaded to the ENX portal.

How often should an assessment for **TISAX** be performed?

**TISAX assessments must be performed every 3 years to maintain label validity.** No annual surveillance audits are required, but organizations conduct internal reviews, tabletop exercises, and gap analyses using VDA ISA controls; reassess upon major changes like new OEM contracts or scope expansions.

What are the consequences of non-compliance with **TISAX**?

**Non-compliance with TISAX results in contractual termination, lost revenue, and exclusion from OEM portals.** OEMs impose penalties up to 5% of contract value, remediation costs (€20,000–€100,000 per audit cycle), reputational damage, and production halts; e.g., Tier 2 suppliers risk €10–50M annual orders.

Can **TISAX** be mapped to other international frameworks?

**Yes, TISAX maps directly to ISO 27001/27002 via its VDA ISA catalog structure.** It reuses ISMS principles, Annex A controls, and PDCA cycles, enabling 20–30% efficiency gains in integrated implementations; automotive-specific extensions like prototype protection complement general frameworks.

What is the first step to begin implementing **TISAX**?

**The first step is registering on the ENX portal (enx.com) and defining the Assessment Scope and Leadership Profile (ASLP).** Collaborate with OEMs to classify protection needs (Normal/High/Very High), download VDA ISA Excel for gap analysis across 70+ controls in 7 groups, and assemble a cross-functional team.

What is the primary objective of **ISO 28000**?

**ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) with explicit relevance to supply chain security.** It operationalizes security risks—including malicious acts, functional failures, and disruptions—through a Plan-Do-Check-Act (PDCA) cycle structured across Clauses 4–10, embedding risk assessment aligned with ISO 31000 and integrating security into business processes for holistic governance.

Who is legally or professionally required to comply with **ISO 28000**?

**ISO 28000 is voluntary and applies to all organization types and sizes across any activity, internal or external, with no legal mandates.** It is professionally relevant for logistics providers, manufacturers, retailers, ports, and government agencies managing supply chain risks, driven by customer requirements, contractual flow-downs, insurance incentives, or market access needs like customs facilitation programs.

Does **ISO 28000** require an external audit or third-party certification?

**No, ISO 28000 does not require external audit or third-party certification; conformity may be verified internally or externally.** Certification follows ISO 28003 guidelines via accredited bodies through Stage 1 (design review) and Stage 2 (implementation) audits, with surveillance thereafter, but organizations may self-declare or use customer-led assurance based on maturity.

How often should an assessment for **ISO 28000** be performed?

**ISO 28000 requires a maintained risk assessment and treatment process with no fixed frequency, planned at intervals based on risk, context changes, and performance.** Internal audits occur per a risk-based program (Clause 9.2), management reviews at planned intervals (Clause 9.3), and monitoring/measurement as determined (Clause 9.1), ensuring continual relevance to evolving threats and supplier interdependencies.

What are the consequences of non-compliance with **ISO 28000**?

**ISO 28000 has no direct legal penalties as it is voluntary, but non-conformity risks operational disruptions, financial losses from incidents, and failure to meet contractual or market requirements.** Internally, it triggers corrective actions (Clause 10); externally, it may lead to lost business, higher insurance premiums, regulatory scrutiny in trade facilitation, or reputational damage from supply chain failures.

Can **ISO 28000** be mapped to other international frameworks?

**Yes, ISO 28000 aligns with ISO management system standards via its Annex SL structure, enabling integrated audits and shared governance.** Its PDCA cycle, risk processes (ISO 31000-aligned), and security plans (ISO 22301-consistent) support mapping to frameworks like business continuity or quality systems, with bibliographic references to ISO 22301, ISO 19011, and ISO/IEC 27001 for efficiency.

What is the first step to begin implementing **ISO 28000**?

**The first step is determining the organization's context, interested parties, and SMS scope per Clause 4, including supply chain boundaries and externally provided processes.** This foundational analysis—covering internal/external issues, legal requirements, and stakeholder needs—produces documented scope information to guide risk planning (Clause 6) and leadership commitment (Clause 5).

TISAX vs ISO 28000

Standards Comparison

TISAX

Mandatory

2017

Automotive framework for standardized security assessments exchange

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

TISAX ensures information security for automotive supply chains via tiered assessments, while ISO 28000 builds resilient security management systems for any sector. Automotive firms adopt TISAX for OEM contracts; others use ISO 28000 for broad supply chain risk mitigation and certification.

Cybersecurity

TISAX

Trusted Information Security Assessment Exchange (TISAX)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Centralized ENX portal shares assessments across partners
Automotive-specific prototype protection controls
Tiered levels (AL1-AL3) match protection needs
VDA ISA catalog extends ISO 27001 controls
Three-year labels eliminate duplicate OEM audits

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based assessment for supply chain threats
PDCA cycle for continual security improvement
Top management leadership and commitment
Controls for external providers and processes
Integration with ISO 31000 and 22301

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

TISAX Details

What It Is

TISAX (Trusted Information Security Assessment Exchange) is an industry framework developed by the ENX Association and VDA for the automotive sector. It standardizes assessments of information security, focusing on protecting sensitive data like IP, prototypes, and personal information in global supply chains. Rooted in ISO 27001, it uses a risk-based approach with the VDA ISA catalog (70+ controls) across policy, access, operations, and prototypes.

Key Components

Core pillars: CIA triad extended to prototype protection, supplier risks, incident response.
**Three assessment levelsAL1 (self), AL2 (remote), AL3 (on-site).
Modular objectives: information security, data protection, prototypes.
Certification via ENX-accredited providers; 3-year labels shared on ENX portal.

Why Organizations Use It

OEMs mandate it contractually for suppliers; non-compliance risks contract loss. Benefits include audit reduction (70-90%), market access, resilience. Builds trust, mitigates breaches costing millions.

Implementation Overview

Phased: scope/gap analysis (1-3 months), remediate/controls (3-9 months), audit (2-4 months), sustainment. Applies to suppliers/OEMs/services; scalable for SMEs to enterprises via self-assessments or audits. Costs €15k-€150k+; 6-18 months typical.

ISO 28000 Details

What It Is

ISO 28000:2022 — Security management systems — Requirements is an international certification standard specifying requirements for a security management system (SMS) addressing supply chain security risks. It employs a risk-based PDCA (Plan-Do-Check-Act) methodology, aligned with ISO high-level structure.

Key Components

Clauses 4–10: context, leadership, planning, support, operation, evaluation, improvement
Risk assessment/treatment per ISO 31000; security plans per ISO 22301
No fixed controls; tailored operational processes
Third-party certification via accredited bodies (ISO 28003)

Why Organizations Use It

Mitigates theft, sabotage, disruptions; enhances resilience
Meets contractual, regulatory, insurance demands
Enables market access, partner requirements
Boosts credibility through audits/certification

Implementation Overview

Phased: gap analysis, risk planning, controls, training, audits
Scalable for all sizes/industries with supply chains
6–18 months typical; internal/external audits required (181 words)

Key Differences

Aspect	TISAX	ISO 28000
Scope	Information security, prototypes, CIA triad	Supply chain security, risks, resilience
Industry	Automotive supply chain, global OEMs	All sectors, logistics, manufacturing
Nature	Voluntary industry assessment, ENX portal	Voluntary management system standard
Testing	AL1-AL3 audits, 3-year labels, on-site	Internal audits, certification, surveillance
Penalties	Contract loss, no legal fines	No penalties, business/reputational risk

Scope

TISAX

Information security, prototypes, CIA triad

ISO 28000

Supply chain security, risks, resilience

Industry

TISAX

Automotive supply chain, global OEMs

ISO 28000

All sectors, logistics, manufacturing

Nature

TISAX

Voluntary industry assessment, ENX portal

ISO 28000

Voluntary management system standard

Testing

TISAX

AL1-AL3 audits, 3-year labels, on-site

ISO 28000

Internal audits, certification, surveillance

Penalties

TISAX

Contract loss, no legal fines

ISO 28000

No penalties, business/reputational risk

Frequently Asked Questions

Common questions about TISAX and ISO 28000

TISAX FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

Top 5 Reasons NIST SP 800-53 Rev 5 Overlays Unlock AI Risk Management for Private Sector Enterprises in 2025

Top 5 reasons NIST SP 800-53 Rev 5 AI overlays unlock risk management for private enterprises. Tailorable controls combat model poisoning & data leakage. CISO i

CMMC Level 2 Implementation Guide for Small DIB Contractors: First 5 Steps to C3PAO Certification with Infographic

Actionable CMMC Level 2 guide for small DIB contractors: 5-step roadmap to C3PAO certification with infographic on timelines, costs & POA&Ms. Achieve DoD compli

Why the SEC Stepped In: The Investor-Driven Push for Cybersecurity Transparency

Discover why the SEC's 2023 cybersecurity rules treat cyber risks as material financial threats. Explore the 'stick and carrot' approach for standardized disclo

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

NIST CSF vs SOC 2

Decode NIST CSF vs SOC 2: NIST's flexible Govern-led risk framework vs SOC 2's audited Security TSC. Pick the right path for robust cyber compliance today.

CSL (Cyber Security Law of China) vs ISO 27701

Compare CSL (Cyber Security Law of China) vs ISO 27701: Unpack data localization, CII rules & PIMS controls for compliance mastery. Turn mandates into China market edge—explore now!

TISAX vs ISO 21001

Compare TISAX vs ISO 21001: Automotive cybersecurity vs educational management systems. Key differences, compliance tips & strategies. Choose the right standard now!

TISAX

ISO 28000

Quick Verdict

TISAX

Key Features

ISO 28000

Key Features

Detailed Analysis

TISAX Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 28000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

TISAX FAQ

What is the primary objective of TISAX?

Who is legally or professionally required to comply with TISAX?

Does TISAX require an external audit or third-party certification?

How often should an assessment for TISAX be performed?

What are the consequences of non-compliance with TISAX?

Can TISAX be mapped to other international frameworks?

What is the first step to begin implementing TISAX?

ISO 28000 FAQ

What is the primary objective of ISO 28000?

Who is legally or professionally required to comply with ISO 28000?

Does ISO 28000 require an external audit or third-party certification?

How often should an assessment for ISO 28000 be performed?

What are the consequences of non-compliance with ISO 28000?

Can ISO 28000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 28000?

You Might also be Interested in These Articles...

Top 5 Reasons NIST SP 800-53 Rev 5 Overlays Unlock AI Risk Management for Private Sector Enterprises in 2025

CMMC Level 2 Implementation Guide for Small DIB Contractors: First 5 Steps to C3PAO Certification with Infographic

Why the SEC Stepped In: The Investor-Driven Push for Cybersecurity Transparency

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

NIST CSF vs SOC 2

CSL (Cyber Security Law of China) vs ISO 27701

TISAX vs ISO 21001