02.06.2022

Version 5.1.0 of the VDA ISA Catalog is available!

What is the VDA ISA Catalog anyway?
The VDA ISA Catalog describes the information security requirements of the automotive industry. It contains industry-wide coordinated requirements for information security and is the basis for assessments to determine the level of information security (Information Security Assessments - ISA for short). The VDA ISA catalog is the basis for the TISAX® assessment.

And TISAX® was again...?
The VDA ISA calls for the protection of information and data within the company.

TISAX® is an industry standard for the automotive industry that pursues various test objectives such as information security, prototype protection and data protection.

Those requirements of the VDA ISA for information security in the automotive industry can be proven by the company in question if the audit is successful.

ATTENTION:

The requirements originate from the automotive sector, but they are aimed at ALL institutions that exist in the automotive value chain. This includes companies that immediately come to mind, such as manufacturers of automotive parts.

But they also include those companies that you might not immediately think of, such as trade show builders, media agencies, or printers that work for or are contracted by automotive groups.

What's new in the VDA ISA catalog version 5.1?
In 2020, the VDA ISA Catalog Version 5.0 was fundamentally revised and optimized - below we have reported in detail on all the changes and the impact on a TISAX® assessment.

According to the change history in the VDA ISA Catalog 5.1, the following changes and adjustments have now been added:

Correction of spelling and expression, linguistic clarification, elimination of ambiguities.
Restructuring of spreadsheet "Welcome", definition of spreadsheets moved to "Definition".
Addition of protection goals regarding requirements for high and very high protection needs in the "Information Security" spreadsheet
Removal of the "Addressed protection goals" column in the "Information security" and "Prototype protection" spreadsheets
Contents of the "Usual process owner" column in the "Information security" and "Prototype protection" spreadsheets emptied out

Thus, with version 5.1, in addition to language corrections, the protection goals regarding requirements for high and very high protection needs were added to the "Information Security" spreadsheet. No change in requirements took place.

In establishing and maintaining an appropriate level of information security, member companies are supported by the "Information Security Recommendation" and the VDA ISA catalog.

You can download the VDA ISA catalog version 5.1.0 from this link on the portal of ENX:

Downloads · ENX Portal

16.09.2020

Changes to the VDA-ISA Catalog 5.0 and the impact on TISAX®

The time has come - Version 5.0 of the VDA Information Security Assessment (ISA) catalogue has been published.

But what exactly has changed? And what effects do the adjustments have on certification according to TISAX?

We give you the summary at a glance here:

Format

Restructuring in the information security module according to topics.
The new table format provides a better overview and facilitates exporting

Revision

of all questions, goals and requirements
In principle, the target maturity level in all controls has now been set to 3
The mandatory requirement for KPIs is no longer applicable, but they are still listed as examples and are helpful in monitoring implementation
Notes and explanations have been built into the controls accordingly
There is now partly a proposal for the "usual process owners"

Information security

In this module, the requirements were reorganised and partially summarised.
Various areas were specified in more detail and obsolete requirements were removed.
The optional requirements have been removed
The number of requirements has been reduced: Must (by 32), Should (by 52), High (by 6) and Very High (by 4).
The addressed protection goals are explicitly listed

Third party connection

Not applicable as an independent module
is transferred to the subject area of information security

Prototype protection

The number of must requirements has been increased by 32

New Controls

mobile working (2.1.4.)

Addresses more strongly the current requirements in the home office and measures when travelling to safety-critical countries

Employee suitability (2.1.1.)

to ensure the suitability of employees for sensitive areas of activity.

Dealing with means of identification (4.1.1.)

deals with the handling of protective features and the handling of means of identification such as keys, visual identity cards or cryptographic tokens.

Integration of following Controls

1.2 in new Control 1.2.1
8.3 in new Control 3.1.4
9.3 in new Control 4.2.1
11.2 in new Control 3.1.2
11.3 in new Control 3.1.1
12.4 in new Controls 3.1.2 and 3.1.4
12.6 in new Control 5.2.4
13.3 in new Control 5.2.7
14.2 and 14.3 in new Control 5.3.1
15.2 in new Control 6.1.1
16.2 in new Control 1.6.1

Elimination of the following Control

Control 12.9

Download the new VDA-ISA catalogue 5.1 under this link:

publication-renderer | VDA

From 01 October 2020, the VDA ISA Catalogue, Version 5.0 will be used for new TISAX® assessments.

Until then, the previous VDA ISA catalogue, version 4.1.1, applies.

And don't panic: For ongoing TISAX® assessments commissioned before 01.10.2020, the previous catalogue can also be used until 31.03.2021.

Summary

Anyone who has properly implemented and lived VDA-ISA 4.1.1 in the past can switch to the new VDA-ISA catalogue 5.0 with little effort and easily implement the additional requirements.

We at OPTIQUM are happy to support you with a GAP analysis and also with questions about VDA-ISA and TISAX®.

To ensure that you are optimally prepared for the new requirements and your certification according to TISAX®, OPTIQUM exclusively offers the GET READY FOR TISAX® workshop.

You will find information → here