
A lot of dealerships run into ISO 27001 or TISAX because someone upstream wants reassurance: “Can you protect our data, your systems, and your access to ours?” The names sound similar. The work is not.
This guide explains the differences in plain language, shows what each one typically requires, and calls out the parts that tend to trip up dealerships. It also explains how Safer Dealer helps you run a gap analysis so you know exactly where you stand.
Start here: what kind of requirement is this?
Before comparing frameworks, it helps to understand what these requests usually mean in practice.
- ISO 27001 is about proving you run security as a managed program, with defined responsibilities, risk decisions, and a repeatable operating rhythm.
- TISAX Level 2 (AL2) is about proving you meet an automotive security requirement set using a structured questionnaire, supporting evidence, and an interview. It also supports sharing results with approved partners.
For most dealerships, that difference matters because one path is “build a full system and certify it,” and the other is “document and validate what you do against an automotive checklist.”
The short version: which one tends to be easier?
In dealership environments, TISAX Level 2 (AL2) is usually the lighter lift.
ISO 27001 is not impossible, but it typically requires more operational overhead and more disciplined documentation over time. If you already have a mature compliance culture, strong documentation, and clear ownership, ISO can be manageable. Most dealerships are busy running a business and do not have spare compliance bandwidth.
Side-by-side comparison (what’s required and how it’s evaluated)
| Topic | ISO/IEC 27001:2022 (Certification) | TISAX Level 2 (AL2) |
|---|---|---|
| End goal | Earn and maintain a security certification for an ISMS | Complete an automotive security assessment with a shareable result |
| How you’re judged | Formal certification audits that test both documentation and real-world operation | Evidence review and expert interview validating your self-assessment |
| What “good” looks like | You can show security is governed, measured, reviewed, and improved | You can show your answers are accurate and supported by proof |
| Documentation burden | Higher (management system artifacts plus control evidence) | Medium (self-assessment plus evidence set) |
| Ongoing effort | Higher (ongoing audit cycle and ISMS routines) | Medium (controls still must run, reassessment expectations vary) |
| Best fit | When you need a widely recognized credential across many partner types | When the requirement is automotive-specific and results-sharing matters |
| Typical lift for dealers | Heavier | Lighter at AL2 when scope is contained |
Where dealerships get stuck (even with good tools)
Most dealer groups already have security tooling. The choke points are usually people, process, and proof. These issues show up under either ISO or TISAX:
Shared logins and weak account control
What reviewers want to see:
- MFA on key systems
- User-level accounts for sensitive access
- Admin rights controlled and limited
- Offboarding done fast and consistently
Why it’s tricky in dealerships:
- Shared accounts in service lanes, parts counters, and sales teams
- Temporary users that become permanent
- Vendor “helper accounts” that never get removed
Vendor access sprawl
What reviewers want to see:
- A current vendor list
- Who has access to what
- How remote access is approved
- Regular reviews of vendor access
Why it’s tricky:
- Too many vendors touching too many systems
- Multiple remote access paths that nobody owns
- No routine for quarterly access review
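To make "proof" concrete for the two issues above, here is an added example that is not part of this page or of Safer Dealer's tooling: a small Python script that runs a quarterly-style access review over an account inventory and produces a written finding list a reviewer can keep as evidence. It flags the same things the checklists ask for: accounts with no named owner (shared logins and vendor "helper accounts"), accounts without MFA, accounts that have not been used in 90 days, and accounts whose person has left but which are still active. The account names, owners and dates are constructed, and the 90-day stale threshold and the finding labels are assumptions, not values from any framework.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    owner: str                        # "" when no single person or vendor is named as owner
    account_type: str                 # "user", "admin" or "vendor"
    mfa_enabled: bool
    last_login: date
    engagement_ended: Optional[date]  # None while the person or vendor is still engaged


# Review parameters (assumed values for this example).
REVIEW_DATE = date(2024, 6, 30)
STALE_AFTER_DAYS = 90

# Constructed sample inventory: illustrative accounts, not real dealership data.
SAMPLE_ACCOUNTS = [
    Account("jsmith", "J. Smith", "user", True, date(2024, 6, 28), None),
    Account("servicelane1", "", "user", False, date(2024, 6, 29), None),          # shared service-lane login
    Account("parts-counter", "", "user", False, date(2024, 6, 29), None),         # shared parts-counter login
    Account("dms-vendor-support", "DMS vendor", "vendor", True, date(2024, 1, 15), None),  # unused since January
    Account("acme-helper", "ACME Integrations", "vendor", False, date(2024, 6, 20), None), # vendor account, no MFA
    Account("mlee", "M. Lee", "admin", True, date(2024, 6, 25), None),
    Account("rjones", "R. Jones", "user", True, date(2024, 6, 10), date(2024, 5, 31)),     # left 31 May, still active
]


def review_account(acct: Account, review_date: date = REVIEW_DATE,
                   stale_after_days: int = STALE_AFTER_DAYS) -> List[str]:
    """Return the list of findings for one account (empty list means no finding)."""
    findings = []
    if not acct.owner:
        findings.append("shared-or-unowned")
    if not acct.mfa_enabled:
        findings.append("no-mfa")
    if (review_date - acct.last_login).days > stale_after_days:
        findings.append("stale")
    if acct.engagement_ended is not None and acct.engagement_ended < review_date:
        findings.append("offboarding-incomplete")
    return findings


def run_access_review(accounts: List[Account],
                      review_date: date = REVIEW_DATE) -> Dict[str, List[str]]:
    """Map each account with at least one finding to its findings."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, review_date)
        if findings:
            report[acct.username] = findings
    return report


def count_by_finding(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many accounts carry each finding, for the summary line."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


def format_evidence(accounts: List[Account], review_date: date = REVIEW_DATE) -> str:
    """Produce the text record that is kept as evidence of the review."""
    report = run_access_review(accounts, review_date)
    lines = [
        f"Access review dated {review_date.isoformat()}",
        f"Accounts reviewed: {len(accounts)}; accounts with findings: {len(report)}",
    ]
    for username, findings in sorted(report.items()):
        lines.append(f"  {username}: {', '.join(findings)}")
    lines.append("Summary: " + ", ".join(f"{k}={v}" for k, v in sorted(count_by_finding(report).items())))
    lines.append("Reviewer: ____________   Actions assigned to: ____________")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_evidence(SAMPLE_ACCOUNTS))
```

The output is deliberately plain text with a sign-off line, because the point is a dated record that a reviewer can tie back to a person and to follow-up actions. Running it each quarter against an export from the identity system, and keeping the results, is the "routine for access review" that the checklist asks for.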
Customer data living in too many places
What reviewers want to see:
- Clear rules for handling customer data
- Secure storage and controlled sharing
- Consistent scanning and retention practices
Why it’s tricky:
- PDFs and exports on desktops and shared drives
- Email attachments with personal data
- Scan-to-email and scan-to-folder workflows with little control
Backups that exist but cannot be proven reliable
What reviewers want to see:
- Backup coverage for critical systems
- Restore testing results
- Defined responsibilities and timelines
Why it’s tricky:
- “We back up” but no proof of a successful restore test
- Cloud apps assumed to be “covered”
- Split responsibility across vendors with gaps
Monitoring without proof of follow-through
What reviewers want to see:
- Alerts, logs, and response steps
- Proof someone reviews alerts
- A simple incident process and records
Why it’s tricky:
- Alerts scattered across tools
- No central tracking of response actions
- Unclear escalation and decision-making
What ISO 27001 adds that often raises the lift
Dealers usually feel ISO 27001 weight in three areas:
1) The management system requirements
You need to show security is run as a program:
- Defined scope and responsibilities
- Documented risk process
- Internal audits and management reviews
- Continuous improvement actions
2) The Statement of Applicability (SoA)
This is where you document which controls apply, which do not, and why. It sounds simple. It becomes time-consuming fast without a mature documentation process.
3) The “keep it going” requirement
Passing once is not the finish line. ISO expects ongoing operation and recurring audits. That means your documentation and evidence need to stay current.
What TISAX AL2 emphasizes (and what can still surprise dealers)
TISAX AL2 is often more approachable, but it is still an assessment. Dealers get surprised by:
1) Evidence quality
If your self-assessment says “yes,” you need proof. If your evidence does not match your answers, the conversation gets uncomfortable quickly.
2) Scope and objectives
TISAX can include different objectives depending on what’s required. If the scope expands or objectives add higher-friction areas, the lift rises.
3) Consistency across rooftops
A single store is simpler. Multi-rooftop groups often struggle because controls are implemented differently at different locations.
What “preparing for either one” tends to look like
If a dealership wants a practical way to think about readiness, it usually comes down to six workstreams:
- Access and identity cleanup (MFA, shared accounts, admin control, offboarding)
- Vendor access control (inventory, approvals, access reviews, removal)
- Data handling rules (exports, scanning, storage, retention)
- Backups and recovery proof (restore tests, roles, realistic recovery expectations)
- Monitoring and incident readiness (logging, alert handling, response plan)
- Documentation and evidence (policies that match reality, records that prove it)
How Safer Dealer helps (gap analysis and readiness plan)
Safer Dealer’s gap analysis is built for dealerships that want clarity and traction, not a 60-page PDF that sits in a folder.
What the gap analysis answers
- What the requirement really expects for your situation
- What is already in place that counts
- What gaps will block approval
- What your “pass path” looks like, step-by-step
What you get
- A readiness summary by category (Ready, Needs Work, High Risk)
- A prioritized fix list (first, next, later)
- An evidence checklist so you can prove what you do
- Clear ownership, so actions do not stall
Many dealers use the gap analysis as the starting point, then decide whether they want help closing gaps and staying on a routine afterwards.
FAQs (Safer Dealer)
Is this mostly an IT project?
No. It is an operations and accountability project with IT work inside it. The biggest problems are usually shared access, vendor control, and lack of proof.
What tends to take the longest?
Cleaning up access and vendor sprawl, then building an evidence trail that matches reality across departments and rooftops.
Do we need to buy a bunch of new tools?
Sometimes, but not always. Many dealerships already own tools that can support the requirements. The bigger lift is getting consistent configuration, process, and proof.
What is the easiest way to get in trouble?
Overstating maturity. Both ISO and TISAX reward honesty and evidence. If the evidence does not match the answers, confidence drops fast.
