Changes to the VDA-ISA Catalog 5.0 and the impact on TISAX®

The time has come - Version 5.0 of the VDA Information Security Assessment (ISA) catalogue has been published.


But what exactly has changed? And what effects do the adjustments have on certification according to TISAX?

We give you the summary at a glance here:


  • Restructuring in the information security module according to topics.
  • The new table format provides a better overview and facilitates exporting



  • of all questions, goals and requirements
  • In principle, the target maturity level in all controls has now been set to 3
  • The mandatory requirement for KPIs is no longer applicable, but they are still listed as examples and are helpful in monitoring implementation
  • Notes and explanations have been built into the controls accordingly
  • There is now partly a proposal for the "usual process owners"


Information security

  • In this module, the requirements were reorganised and partially summarised.
  • Various areas were specified in more detail and obsolete requirements were removed.
  • The optional requirements have been removed
  • The number of requirements has been reduced: Must (by 32), Should (by 52), High (by 6) and Very High (by 4).
  • The addressed protection goals are explicitly listed


Third party connection

  • Not applicable as an independent module
  • is transferred to the subject area of information security


Prototype protection

  • The number of must requirements has been increased by 32


New Controls

  • mobile working (2.1.4.)

Addresses more strongly the current requirements in the home office and measures when travelling to safety-critical countries

  • Employee suitability (2.1.1.)

to ensure the suitability of employees for sensitive areas of activity.

  • Dealing with means of identification (4.1.1.)

deals with the handling of protective features and the handling of means of identification such as keys, visual identity cards or cryptographic tokens.


Integration of following Controls

  • 1.2 in new Control 1.2.1
  • 8.3 in new Control 3.1.4
  • 9.3 in new Control 4.2.1
  • 11.2 in new Control 3.1.2
  • 11.3 in new Control 3.1.1
  • 12.4 in new Controls 3.1.2 and 3.1.4
  • 12.6 in new Control 5.2.4
  • 13.3 in new Control 5.2.7
  • 14.2 and 14.3 in new Control 5.3.1
  • 15.2 in new Control 6.1.1
  • 16.2 in new Control 1.6.1


Elimination of the following Control

  • Control 12.9



Download the new VDA-ISA catalogue 5.0 under this link:

VDA ISA catalogue version 5.0 - VDA

From 01 October 2020, the VDA ISA Catalogue, Version 5.0 will be used for new TISAX® assessments.

Until then, the previous VDA ISA catalogue, version 4.1.1, applies.

And don't panic: For ongoing TISAX® assessments commissioned before 01.10.2020, the previous catalogue can also be used until 31.03.2021.



Anyone who has properly implemented and lived VDA-ISA 4.1.1 in the past can switch to the new VDA-ISA catalogue 5.0 with little effort and easily implement the additional requirements.

We at OPTIQUM are happy to support you with a GAP analysis and also with questions about VDA-ISA and TISAX®.


Contact us for a non-binding initial consultation:  vda-isa-berater[at]optiqum.de

To ensure that you are optimally prepared for the new requirements and your certification according to TISAX®, OPTIQUM exclusively offers the GET READY FOR TISAX® workshop.


You will find information → here