TISAX® vs. ISO 27001: A comparison of the rating of non-conformities
- Marc Borgers
- 16. Nov. 2023
- 3 Min. Lesezeit
In the world of information security, the TISAX® assessment and the ISO 27001 audit are two possible procedures for assessing and ensuring compliance with security standards in companies. In this article, I will take a closer look at the differences in assessing deviations between these two approaches.
TISAX® is a registered trademark of the ENX Association. AUDIT MANUFAKTUR has no business relationship with ENX. The mention of the TISAX® brand does not imply any statement by the trademark owner regarding the suitability of the services advertised here. TISAX® assessments for the purpose of obtaining labels are only carried out by the testing service providers listed on the ENX homepage.Main deviations
Major non-conformities in the TISAX® assessment: A major non-conformity in a TISAX® assessment is identified when there is a significant immediate risk to information security or when serious doubts arise about the overall effectiveness of the information security management system (ISMS).
Major non-conformities in ISO 27001 Audit: A major non-conformity in an ISO 27001 audit is identified when there is doubt about the overall effectiveness of the ISMS. This means that the effectiveness of the entire management system is called into question when such a deviation exists.
From the TISAX® Participant Handbook:
Type | definition | Reaction | Examples |
Major non-conformity | A major non-conformity: - creates a significant immediate risk to your information security - or creates doubts regarding the overall effectiveness of your information security management system | You have to: - address major non-conformities immediately with appropriate compensating measures - implement corrective actions without undue delay | - Systematic non-conformities - Implementation deficits that create critical risks to the security of confidential information - Implementation deficits that are not addressed by an appropriate corrective action |
Source: https://www.enx.com/handbook/tisax-participant-handbook.html#ID1169; link date 16.11.2023
Minor deviations
Minor non-confirmities in the TISAX® assessment: A minor deviation in the context of a TISAX® assessment is identified if a requirement from the VDA ISA is not or not fully met and if this does not result in a significant immediate risk to information security or a doubt about the overall effectiveness of the ISMS.
Minor non-conformities in the ISO 27001 audit: A minor deviation in the context of an ISO 27001 audit is identified if a requirement in the standard has not been met or has not been fully met and this does not raise any doubts about the overall effectiveness of the ISMS.
From the TISAX® Participant Handbook:
Type | definition | Reaction | Examples |
Minor non-conformity | A minor non-conformity: - does not create a significant immediate risk to your information security - and does not create doubts regarding the overall effectiveness of your information security management system | You have to: - implement corrective actions without undue delay | - Isolated or sporadic mistakes - Non-compliance or deficits in the implementation of requirements or your policies |
Source: https://www.enx.com/handbook/tisax-participant-handbook.html#ID1169; link date 16.11.2023
Similarities and differences
Both methods identify major non-conformities as serious threats to information security. The main difference, however, is the additional focus:
ISO 27001: Focuses on the overall effectiveness of the ISMS.
TISAX®: Additionally highlights the immediate risk to information security.
It must be emphasised in this context that in the TISAX® assessment, the auditor is solely responsible for determining whether the identified failure represents a significant, immediate risk to information security. Minor non-conformities are not considered as serious threats to information security in the procedures. However, there is a notable difference in the handling of findings related to the validity of the label/certificate:
ISO 27001: The certificate is valid for 3 years and there are annual surveillance audits. The validity can be extended after the 3 years. A deadline is set for the elimination of a minor deviation, which must be met. The elimination is, as a rule, verified in the next surveillance audit. If the deadline is not met, the minor non-conformity is upgraded to a major non-conformity.
TISAX®: The label is valid for 3 years and there are no annual surveillance audits. The validity cannot be extended. Deadlines are set for the elimination of minor deviations, which must be adhered to. The elimination must be carried out promptly without undue delay and within the deadline specified for these procedures (9 months) and must be proven in good time. A final label can only be obtained if all findings have been demonstrably eliminated.
Conclusion
There are parallels between the procedures in terms of non-conformities, but also specific differences. While TISAX® adds the risk factor to the assessment, in ISO 27001 audits minor non-conformities that are not eliminated on time are only upgraded to major non-conformities in the following year. For companies that have to comply with these requirements, it is important to develop a thorough understanding of the respective assessment criteria in order to be able to prepare effectively for the audits and avoid non-conformities.