ISO 27001 vs. BSI IT-Grundschutz vs. TISAX: The Business Comparison (2026)
Compliance & Standards

ISO 27001, BSI IT-Grundschutz, and TISAX: A Direct Comparison—Which Framework Is Right for Your Business? Includes a cost overview, decision-making guide, and combination strategy for small and medium-sized businesses.

Chris Wojzechowski, Managing Partner
12 min read
IT-Grundschutz-Praktiker (TÜV), IT Risk Manager (DGI), § 8a BSIG Prüfverfahrenskompetenz, Ausbilderprüfung (IHK)

TL;DR

ISO 27001, BSI IT-Grundschutz, and TISAX are the three dominant information security frameworks in the DACH region - they are not mutually exclusive but complementary. ISO 27001 is the international standard for an ISMS and a prerequisite for many business relationships and public tenders. BSI IT-Grundschutz is a free, German-language operational implementation framework recognized by authorities as NIS-2 compliance evidence. TISAX is a market access requirement for automotive suppliers: without a valid TISAX label, BMW, Mercedes-Benz, or VW will not award contracts. For most SMEs, BSI IT-Grundschutz is recommended as a starting point, ISO 27001 as an external certification framework - and TISAX additionally for automotive customers.

Choosing the right information security framework is a strategic decision. ISO 27001, BSI IT-Grundschutz, and TISAX have different origins, target audiences, and sets of requirements. This comparison shows which framework is right for your organization—and why, in many cases, the answer is “several of them.”

An Overview of the Three Frameworks

ISO 27001 – The international standard

ISO 27001 is the globally recognized standard for information security management systems (ISMS). It defines requirements for the establishment, operation, monitoring, and continuous improvement of an ISMS. The certificate is issued by accredited certification bodies and is publicly verifiable.

What ISO 27001 requires:

  • Scope definition and context analysis (Chapter 4)
  • Risk assessment procedures and risk treatment plan (Chapter 6)
  • Information security policy and security objectives (Chapters 5, 6.2)
  • Statement of Applicability (SoA) for all 93 controls from Annex A
  • Internal audit program and management review
  • Two-stage certification audit (Stage 1: Document review, Stage 2: Implementation audit)

Timeline for SMEs (50–200 employees):

  • Months 1–2: Gap analysis
  • Months 3–6: ISMS documentation and implementation of measures
  • Months 7–9: Internal audit and management review
  • Months 10–12: Stage 1 and Stage 2 certification audit
  • Thereafter: Annual surveillance audits, full recertification after three years

BSI IT-Grundschutz – The German Operational Framework

BSI IT-Grundschutz is a methodological standard published by the Federal Office for Information Security (BSI). It is available in full in German and can be downloaded free of charge at bsi.bund.de/grundschutz. The complete compendium comprises over 100 thematic modules—the BSI IT-Grundschutz profile "Cybersecurity for SMEs" (2022) distills 47 concrete, immediately implementable requirements from these.

Core Elements of BSI IT-Grundschutz:

  • BSI Standard 200-1: Information Security Management Systems
  • BSI Standard 200-2: IT-Grundschutz Methodology
  • BSI Standard 200-3: Risk Analysis
  • BSI Standard 200-4: Business Continuity Management
  • IT-Grundschutz Compendium: Over 100 modules (ISMS.1, ORP.4, SYS.2.2, etc.)

BSI IT-Grundschutz is compatible with ISO/IEC 27001. Many companies use it as an operational implementation method and simultaneously seek ISO 27001 certification. The BSI provides an official mapping that allows IT-Grundschutz implementation to lead directly to ISO 27001 certification.

Time required for the SME profile: 4–12 weeks to implement the 47 core measures—significantly less than the full IT-Grundschutz, which can take 6–18 months.

TISAX – The Automotive Standard

TISAX (Trusted Information Security Assessment Exchange) was developed by the VDA (German Association of the Automotive Industry). It is based on the VDA ISA (Information Security Assessment) questionnaire, which in turn is heavily modeled after ISO 27001—approximately 70% of the VDA ISA controls correspond to ISO 27001 requirements.

Difference from ISO 27001: TISAX is not a public certificate, but an industry-internal label. The results are visible only on the ENX portal to authorized OEMs. There is no "TISAX certificate"—only a TISAX label.

TISAX Assessment Levels:

Level | Protection requirement | Assessment method | Typical suppliers
--- | --- | --- | ---
AL2 | Normal | Self-declaration + plausibility check, remote assessment possible | Tier-2/Tier-3, service providers without direct OEM contact
AL3 | High | On-site audit, no remote option | Tier-1, direct OEM development partners

The three TISAX scopes:

  1. Information Security (IS): For all suppliers handling confidential information such as design data or NDA documents
  2. Prototype Protection (PT): For suppliers handling physical prototypes or test vehicles
  3. Data Protection: For suppliers processing personal data of OEM customers

Direct Comparison: ISO 27001 vs. BSI IT-Grundschutz vs. TISAX

Feature | ISO 27001 | BSI IT-Grundschutz | TISAX
--- | --- | --- | ---
Publisher | ISO/IEC (international) | BSI - Federal Office for Information Security | VDA / ENX Association
Scope | Industry-independent | Industry-independent | Automotive industry
Result | Public certificate | No certificate (framework) | TISAX label (not public)
Language | English (standard), German translations | German | English/German
Documentation costs | - | Free (bsi.bund.de) | Free (ENX portal)
Certification costs | 8,000–20,000 EUR | - (no certificate) | 3,000–30,000 EUR (assessment)
Total costs for SMEs | 30,000–150,000 EUR | 0–5,000 EUR (consulting) | 10,000–50,000 EUR
Time required | 10–18 months | 4–18 weeks (SME profile) | 3–12 months
ISO 27001 overlap | 100% | ~90% (mapping available) | ~70%
Recognized for NIS2 | Yes (Art. 21) | Yes (BSI recommendation) | No (industry-specific)
International recognition | Worldwide | Germany/EU | Global automotive industry
Mandatory for | Many large customers, public sector clients | Government agencies (often mandatory) | Automotive suppliers (de facto mandatory)

Detailed Cost Comparison

ISO 27001 - Total Costs for SMEs (50-250 Employees)

Cost category | Typical range
--- | ---
External consulting (gap analysis + implementation) | 20,000–60,000 EUR
Internal personnel costs (project time) | 15,000–40,000 EUR
Tools (ISMS software, vulnerability scanners) | 5,000–15,000 EUR/year
Penetration testing | 5,000–20,000 EUR
Security awareness training | 3,000–10,000 EUR/year
Certification audit (Stage 1 + 2) | 8,000–20,000 EUR
Total initial certification | 56,000–165,000 EUR

Ongoing costs: 36,000–108,000 EUR/year (surveillance audit, ISMS software, awareness training, ISB – the information security officer)

BSI IT-Grundschutz - Cost Comparison

Cost item | BSI IT-Grundschutz (without certification) | ISO 27001 certification
--- | --- | ---
Tools | 0 EUR (verinice is free) | -
Consulting | 0–5,000 EUR | 10,000–30,000 EUR
Certification body | - | 5,000–15,000 EUR
Time required | 4–12 weeks (SME profile) | 6–18 months

TISAX - Assessment Costs (2025)

Level | Company size | Assessment costs
--- | --- | ---
AL2 (remote possible) | Small enterprises (< 50 employees) | 3,000–6,000 EUR
AL2 (remote possible) | Medium-sized enterprises (50–500 employees) | 6,000–12,000 EUR
AL3 (on-site required) | Small enterprises | 8,000–15,000 EUR
AL3 (on-site required) | Medium-sized enterprises | 15,000–30,000 EUR

Additional costs include: ENX registration (400 EUR/year), preparation and consulting (10,000–30,000 EUR), and internal personnel costs. The TISAX label is valid for 3 years.

Which framework is suitable for whom?

ISO 27001 is the right choice if:

  • Customers or tenders explicitly require certification
  • You operate in a regulated sector (finance, healthcare, KRITIS)
  • You are subject to NIS2 (ISO 27001 covers NIS2 Art. 21)
  • You serve government agencies or public sector clients
  • International customers expect recognized certification

BSI IT-Grundschutz is the right choice if:

  • You work in public administration (where it is often mandatory)
  • You are looking for a cost-effective, pragmatic entry point
  • German is used as the working language and German-language documentation is helpful
  • You must meet NIS2 requirements and the BSI is accepted as proof
  • You are aiming for ISO 27001 and wish to use IT-Grundschutz as a path to implementation

TISAX is the right choice if:

  • You work as a supplier for BMW, Mercedes-Benz, VW, Stellantis, or other OEMs
  • You process confidential development data, design documents, or NDA documents
  • You handle prototypes or test vehicles at your facility
  • Your direct client requires a TISAX label as a contractual prerequisite

The Combination Strategy

In practice, the three frameworks are rarely alternatives but rather combinations—depending on the customer base and regulatory environment.

BSI IT-Grundschutz as an operational framework + ISO 27001 as certification:

The synergies are significant. The BSI IT-Grundschutz profile for SMEs offers a structured, German-language entry point without high consulting costs. The ISO 27001 certificate built upon this provides a publicly verifiable quality signal to customers. The BSI offers an official mapping through which an IT-Grundschutz implementation can lead directly to ISO 27001 certification—no duplicate documentation effort.

ISO 27001 as a framework + TISAX as industry-specific proof:

Since approximately 70% of VDA ISA controls align with ISO 27001 requirements, the additional effort required for a TISAX assessment is manageable if an ISO 27001 ISMS is already in place. The recommended approach:

  1. Establish an ISO 27001 ISMS as a framework
  2. Conduct a VDA ISA gap analysis (determine the gap relative to TISAX)
  3. Add automotive-specific controls (prototype protection, OEM supply chain)
  4. Aim for dual certification: ISO 27001 certificate and TISAX label

Advantage: Maintain only one ISMS instead of two parallel systems. Documentation effort decreases by about 40%, and credibility with multinational customers increases.

Common Mistakes in Choosing a Framework

Mistake 1: Treating TISAX as a substitute for ISO 27001. TISAX is not a publicly recognized certification—it is an industry-specific label. Customers outside the automotive industry do not accept it as proof of information security.

Mistake 2: Viewing BSI IT-Grundschutz and ISO 27001 as competitors. They are complementary. Many successful ISMS implementations use IT-Grundschutz as a methodology and ISO 27001 as a certification framework.

Mistake 3: Defining the scope as too broad or too narrow. With ISO 27001, a scope that is too broad leads to overload, while one that is too narrow causes customers to doubt its relevance. Start with the core area and expand from there.

Mistake 4: Documentation without implementation. In the ISO 27001 Stage 2 audit and the TISAX assessment, actual practices are examined—not just the documentation. Auditors conduct interviews and require evidence.

Mistake 5: Management commitment exists only on paper. All three frameworks require active engagement from senior management. Without this, implementation will fail—regardless of which framework is chosen.

Frequently Asked Questions

Can I meet NIS2 requirements with BSI IT-Grundschutz?

Yes. The BSI IT-Grundschutz profile for SMEs addresses the essential technical and organizational measures required by NIS2 Art. 21. The BSI recognizes the implementation of IT-Grundschutz as proof of compliance. For KRITIS companies and critical infrastructure entities, ISO 27001 is additionally recommended.

Is ISO 27001 or TISAX more expensive?

For SMEs with fewer than 50 employees, a TISAX AL2 assessment (3,000–6,000 EUR) is more cost-effective than an initial ISO 27001 certification (total cost of 56,000+ EUR). For medium-sized companies, the costs are similar, especially if TISAX AL3 with an on-site audit is required. The decisive factor is the industry: automotive suppliers need TISAX, regardless of the cost.

How long does a TISAX assessment take?

Assessment preparation takes 3–12 months, depending on the assessment level and initial status. The actual assessment takes 2–5 days. A lead time of 4–8 weeks is often required between booking and the assessment date. The label is activated in the ENX portal 3–5 business days after the assessment.

Do I also need ISO 27001 for TISAX?

No—TISAX does not replace ISO 27001, and vice versa. However, implementing both makes sense if you serve both automotive customers and other customers. The synergies from a shared ISMS significantly reduce the overall effort.

Conclusion: The Right Choice for Your Company

There is no universally “best” solution—but there is the right one for your situation:

  • General SMEs with requirements from major customers: ISO 27001 as a mandatory investment, BSI IT-Grundschutz as the implementation framework
  • Public administration and government agencies: BSI IT-Grundschutz as the primary framework, often required by law
  • Automotive suppliers: TISAX label as a prerequisite for market access, ISO 27001 to increase efficiency
  • Startups and SMEs without external certification requirements: BSI SME Profile as a pragmatic starting point

AWARE7 supports companies every step of the way—from the initial gap analysis to the successful certification audit. We provide manufacturer- and product-independent consulting.


About the author

Chris Wojzechowski

Managing Partner

Managing Partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Master's programme in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.

10 publications
  • Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
  • Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
  • IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
  • Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
  • Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
  • Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
  • Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
  • IT Security Zertifizierungen - CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
  • Sicherheitsforum Online-Banking - Live Hacking (2021)
  • Nipster im Netz und das Ende der Kreidezeit (2017)

Certified: ISO 27001, ISO 9001, AZAV