Stay informed
VDA ISA catalog - current standards
The VDA ISA catalog describes the information security requirements of the automotive industry. It contains industry-wide harmonized requirements for information security and is the basis for assessments to determine the level of information security (Information Security Assessments – ISA for short). The VDA ISA catalog is the basis for the TISAX® assessment.
On this page we inform you about the latest developments, updates and resulting adjustments to your processes.
16.10.2023
VDA ISA Version 6 is available today and offers an updated and improved version of the cyber security standard for the automotive industry.
This standard, part of the TISAX program, was developed to ensure the security of information and data in the automotive industry.
Here are the most important new features of ISA Version 6:
- Expanded focus on IT and OT availability: In view of the increasing threat of ransomware attacks, there is a stronger focus on ensuring the availability of information and IT resources, including operational technology (OT).
- English as the leading language: ISA Version 6 is the first to be developed by an international team of experts, making English the leading language. This enables better clarity and consistency in implementation.
- Addition of implementation guidance: ISA 6 includes more practical advice and examples to help organizations implement security controls.
- Revised data protection catalog: The data protection catalog has been completely revised to help organizations meet the requirements of the General Data Protection Regulation (GDPR) in the context of order processing.
- References to other standards: ISA 6 contains references to important security standards such as ISO/IEC 27001:2022, BSI-Grundschutz and NIST Cyber Security Framework Version 1.1.
- Continuous improvement and maintenance: ISA 6 brings clarity and precision to the requirements and makes the standard easier to understand.
Organizations that have already completed ISA audits must convert to the new ISA 6 version by 1 April 2024 at the latest. However, the existing assessments remain valid as long as the TISAX labels do not expire.
New audits commissioned from 1 April 2024 will be conducted in accordance with ISA Version 6. Updating the standard will help to continuously improve cybersecurity in the automotive industry and adapt to current challenges.
The changes in detail:
- Additional requirements to improve availability: ISA Version 6 contains additional requirements to ensure the availability of IT and OT resources in production supply chains.
- New control 1.3.4 (“Software Approval”): added to ensure the secure management of software on clients.
- Renamed control section 1.6 (“Incident and crisis management”): Control section 1.6 has been renamed in order to structure the management of security incidents and crisis situations more clearly.
- Revised control 1.6.1 (“Reporting of security incidents”): The control for reporting security incidents has been revised to ensure that clear reporting channels are established.
- New control 1.6.2 (“Management of security incidents”): A new control has been added to ensure an orderly and timely response to security incidents.
- New control 1.6.3 (“Dealing with crisis situations”) (replaces 3.1.2): This new control aims to prepare organizations for crisis situations and ensure appropriate handling.
- Replaced control 3.1.2: Control 3.1.2 has been replaced by control 1.6.3.
- New control 5.2.8 (“IT Service Continuity Planning”): focuses on IT service continuity planning, including redundancy and recovery of key systems.
- New control 5.2.9 (“Backup and Restore”): aims to prepare organizations to restore data and systems after security incidents.
- Removal of ISA 4 compatibility: ISA version 6 no longer contains the references to version 4.
- Update of the “Data protection” module: The “Data protection” module has been updated and contains revised requirements provided by the VDA “Data protection” working group.
- References to ISA/IEC 62443-2, ISO 27001:2022 and NIST CSF: ISA 6 contains references to important security standards, including ISA/IEC 62443-2, ISO 27001:2022 and NIST Cyber Security Framework.
- References to implementation guidance (BSI IT-Grundschutz, NIST SP 800-53): ISA 6 includes references to implementation guides such as BSI IT-Grundschutz and NIST SP 800-53 to assist organizations in implementing security controls.
- Extended scope of IT systems in operational technology (OT): ISA Version 6 has extended the scope of IT systems in OT in order to strengthen security in this area.
- Added information, examples, typical auditor questions and typical evidence: ISA 6 provides additional information, examples and practical support for many of the security controls (columns W to AB) to help organizations implement them.
TISAX® is a registered trademark of the ENX Association
You can download the latest version of the VDA ISA catalog at this link on the ENX portal:
02.06.2022
Version 5.1.0 of the VDA ISA catalog
What is the VDA ISA catalog anyway?
The VDA ISA catalog describes the information security requirements of the automotive industry. It contains industry-wide harmonized requirements for information security and is the basis for assessments to determine the level of information security (Information Security Assessments – ISA for short). The VDA ISA catalog is the basis for the TISAX® assessment.
And what was TISAX® again?
The VDA ISA requires the protection of information and data within the company. TISAX® is an industry standard in the automotive industry that pursues various test objectives such as information security, prototype protection and data protection. If the audit is successful, the company in question can prove that it meets the requirements of the VDA ISA for information security in the automotive industry.
ATTENTION:
The requirements originate from the automotive sector, but they are aimed at ALL institutions that exist in the automotive industry value chain. These include companies that immediately spring to mind, such as manufacturers of automotive parts.
But these institutions also include companies that you might not immediately think of, such as stand builders, media agencies or print shops that work for or have been commissioned by automotive groups.
What's new in the VDA ISA catalog version 5.1?
In 2020, the VDA ISA catalog was fundamentally revised and optimized in version 5.0 – below we have reported in detail on all changes and the influence on a TISAX® assessment.
According to the change history in the VDA ISA catalog 5.1, the following changes and adjustments have now been added:
- Correction of spelling and expression, linguistic clarification, elimination of ambiguities
- Restructuring of "Welcome" worksheet, definition of worksheets moved to "Definition"
- Addition to the protection goals regarding requirements for high and very high protection needs in the "Information security" worksheet
- Removal of the "Addressed protection goals" column in the "Information security" and "Prototype protection" worksheets
- Contents of the "Usual process owner" column in the "Information security" and "Prototype protection" worksheets emptied
With version 5.1, in addition to linguistic corrections, the protection goals regarding requirements for high and very high protection needs were added to the “Information security” worksheet. There was no change in requirements.
Member companies are supported in establishing and maintaining an appropriate level of information security by the “Information Security Recommendation” and the VDA ISA catalog.