02.06.2022

Version 5.1.0 of the VDA ISA Catalog is available!
 

What is the VDA ISA Catalog anyway?
The VDA ISA Catalog describes the information security requirements of the automotive industry. It contains industry-wide coordinated requirements for information security and is the basis for assessments to determine the level of information security (Information Security Assessments - ISA for short). The VDA ISA catalog is the basis for the TISAX® assessment.

 

And what was TISAX® again?
The VDA ISA calls for the protection of information and data within the company.

TISAX® is an industry standard for the automotive industry that pursues various test objectives such as information security, prototype protection and data protection.

By passing the audit, a company can demonstrate that it meets the VDA ISA requirements for information security in the automotive industry.

ATTENTION:

The requirements originate from the automotive sector, but they are aimed at ALL institutions that exist in the automotive value chain. This includes companies that immediately come to mind, such as manufacturers of automotive parts.

But they also include those companies that you might not immediately think of, such as trade show builders, media agencies, or printers that work for or are contracted by automotive groups.

 

What's new in the VDA ISA catalog version 5.1?
In 2020, the VDA ISA Catalog Version 5.0 was fundamentally revised and optimized - below we have reported in detail on all the changes and the impact on a TISAX® assessment.

According to the change history in the VDA ISA Catalog 5.1, the following changes and adjustments have now been added:

  • Correction of spelling and expression, linguistic clarification, elimination of ambiguities.
  • Restructuring of spreadsheet "Welcome", definition of spreadsheets moved to "Definition".
  • Addition of protection goals regarding requirements for high and very high protection needs in the "Information Security" spreadsheet.
  • Removal of the "Addressed protection goals" column in the "Information security" and "Prototype protection" spreadsheets.
  • Contents of the "Usual process owner" column in the "Information security" and "Prototype protection" spreadsheets cleared.


Thus, with version 5.1, in addition to language corrections, the protection goals regarding requirements for high and very high protection needs were added to the "Information Security" spreadsheet. No change in requirements took place.

In establishing and maintaining an appropriate level of information security, member companies are supported by the "Information Security Recommendation" and the VDA ISA catalog.

You can download the VDA ISA catalog version 5.1.0 from this link on the portal of ENX:

Downloads · ENX Portal

16.09.2020

Changes to the VDA-ISA Catalog 5.0 and the impact on TISAX®

The time has come - Version 5.0 of the VDA Information Security Assessment (ISA) catalogue has been published.

 

But what exactly has changed? And what effects do the adjustments have on certification according to TISAX?

We give you the summary at a glance here:


Format

  • Restructuring in the information security module according to topics.
  • The new table format provides a better overview and facilitates exporting

 

Revision

  • All questions, goals and requirements have been revised
  • In principle, the target maturity level in all controls has now been set to 3
  • The mandatory requirement for KPIs is no longer applicable, but they are still listed as examples and are helpful in monitoring implementation
  • Notes and explanations have been built into the controls accordingly
  • For some controls, there is now a suggestion for the "usual process owners"

 

Information security

  • In this module, the requirements were reorganised and partially summarised.
  • Various areas were specified in more detail and obsolete requirements were removed.
  • The optional requirements have been removed
  • The number of requirements has been reduced: Must (by 32), Should (by 52), High (by 6) and Very High (by 4).
  • The addressed protection goals are explicitly listed

 

Third party connection

  • Dropped as an independent module
  • Has been transferred to the subject area of information security

 

Prototype protection

  • The number of must requirements has been increased by 32

 

New Controls

  • Mobile working (2.1.4.): addresses more strongly the current requirements for working from home and measures when travelling to security-critical countries.
  • Employee suitability (2.1.1.): ensures the suitability of employees for sensitive areas of activity.
  • Dealing with means of identification (4.1.1.): covers the handling of protective features and of means of identification such as keys, visual identity cards or cryptographic tokens.

 

Integration of the following Controls

  • 1.2 in new Control 1.2.1
  • 8.3 in new Control 3.1.4
  • 9.3 in new Control 4.2.1
  • 11.2 in new Control 3.1.2
  • 11.3 in new Control 3.1.1
  • 12.4 in new Controls 3.1.2 and 3.1.4
  • 12.6 in new Control 5.2.4
  • 13.3 in new Control 5.2.7
  • 14.2 and 14.3 in new Control 5.3.1
  • 15.2 in new Control 6.1.1
  • 16.2 in new Control 1.6.1

 

Elimination of the following Control

  • Control 12.9

 

 

Download the new VDA-ISA catalogue 5.1 via this link:

 

publication-renderer | VDA

 


From 01 October 2020, the VDA ISA Catalogue, Version 5.0 will be used for new TISAX® assessments.

Until then, the previous VDA ISA catalogue, version 4.1.1, applies.

And don't panic: For ongoing TISAX® assessments commissioned before 01.10.2020, the previous catalogue can also be used until 31.03.2021.

 

Summary

Anyone who has properly implemented and practised VDA-ISA 4.1.1 in the past can switch to the new VDA-ISA catalogue 5.0 with little effort and easily implement the additional requirements.

We at OPTIQUM are happy to support you with a GAP analysis and also with questions about VDA-ISA and TISAX®.

 

Contact us for a non-binding initial consultation:  vda-isa-berater[at]optiqum.de


To ensure that you are optimally prepared for the new requirements and your certification according to TISAX®, OPTIQUM exclusively offers the GET READY FOR TISAX® workshop.

 

You will find information → here