Migrating from ISO 27001 to TISAX
TISAX (Trusted Information Security Assessment Exchange) is built on ISO 27001 foundations: the VDA ISA catalogue it assesses against is derived from ISO 27001/27002, and the page estimates that approximately 90% of controls overlap. If you're ISO 27001 certified, the main additions are automotive-specific requirements such as prototype protection, a defined assessment scope and level based on the protection need of the data you handle, and registration as a participant on the ENX portal.
Critical Compliance Gaps
Prototype Protection
TISAX includes specific requirements for prototype protection that have no counterpart in ISO 27001. They cover the physical and organisational handling of prototype parts, vehicles, test vehicles and events, and automotive OEMs require them from any supplier that handles pre-release material.
VDA ISA Catalog
TISAX assesses against the VDA Information Security Assessment (ISA) catalogue, which is derived from ISO 27001/27002 and extends it with automotive-specific modules (prototype protection and data protection) and a maturity-level rating for each control.
TISAX Labels
TISAX results are expressed as labels tied to the assessment objectives you were assessed against (for example information with high or very high protection needs, prototype protection, or data protection). The Assessment Level (AL1, AL2 or AL3) is a separate parameter that sets the depth of the assessment and is chosen according to the protection need of the information handled. In automotive supply chains these labels take the place of an ISO 27001 certificate as the proof customers ask for.
ENX Platform
TISAX does not issue a certificate. Assessment results are published on the ENX portal and the participant decides which customers may view them; this shared exchange is the automotive industry's trust network, so one assessment can be shown to many OEMs and Tier 1 suppliers.
Step-by-Step Migration Roadmap
Follow these 10 steps to achieve TISAX compliance. Estimated timeline: 8 weeks.
1. Review the VDA ISA 6.0 catalogue and compare it to your ISO 27001 controls
2. Identify TISAX-specific requirements (prototype protection, data protection, etc.)
3. Determine the assessment objectives and required Assessment Level (AL1, AL2 or AL3) from the protection need of the information you handle
4. Register as a participant on the ENX portal, define the assessment scope (locations) and select an ENX-approved TISAX audit provider
5. Implement prototype protection controls if handling pre-release parts, vehicles or events
6. Map ISO 27001 Annex A controls to VDA ISA requirements
7. Address any automotive-specific gaps and raise control maturity to the target level
8. Undergo the TISAX assessment at the chosen level
9. Confirm the published results on the ENX portal
10. Share the resulting TISAX labels with automotive customers
Unique TISAX Requirements
Strategic Use Cases
ISO 27001 to TISAX Migration FAQs
Why do automotive companies require TISAX instead of ISO 27001?
TISAX is the automotive industry's information security assessment scheme, developed by the German Association of the Automotive Industry (VDA) and operated by the ENX Association. It adds automotive-specific requirements such as prototype protection and uses a shared result exchange (the ENX portal) that OEMs and Tier 1 suppliers recognise, so a supplier is assessed once and shares the result with all its customers.
What are TISAX Assessment Levels?
AL1 (self-assessment, not verified by an audit provider), AL2 (self-assessment checked for plausibility by the audit provider, usually remotely) and AL3 (comprehensive verification including on-site inspection). Most automotive OEMs require AL2 or AL3. The level is determined by the protection need of the information you handle, not by whether you already hold ISO 27001; an existing ISO 27001 ISMS makes reaching the required level faster but does not substitute for the assessment.
Can I keep ISO 27001 and add TISAX?
Yes, and this is common. ISO 27001 is globally recognized while TISAX is automotive-specific. Many suppliers maintain both for different customer requirements.
How long is TISAX valid?
TISAX labels are valid for 3 years, the same cycle as an ISO 27001 certificate. Results are published on the ENX portal, where the automotive partners you have granted access can verify your status.
About RiscLens
Our mission is to provide transparency and clarity to early-stage technology companies navigating the complexities of SOC 2 (System and Organization Controls 2) compliance.
