Transition to TISAX VDA ISA Version 6

Information Security Assessment for the automotive industry

TISAX (Trusted Information Security Assessment eXchange) is the automotive industry standard for assessing the information and cybersecurity of suppliers of equipment and services to the sector.

Developed by the VDA (German vehicle manufacturers association) and the ENX network (a joint solution from the European automotive industry), VDA ISA 6.0 targets the secure exchange of critical development, purchasing, and production control data. It is audited annually by accredited, independent third-party certification bodies.

VDA ISA version 6.0 comes with a large set of improvements that will protect the interconnections within the supply chain network and make TISAX assessments simpler and more streamlined.

The updated VDA ISA Version 6.0

Version 6 was released in October 2023. The updates in it are a crucial step towards strengthening the cybersecurity infrastructure in the automotive industry.

The main changes are a more precise focus on Information Technology (IT) and Operational Technology (OT) availability of suppliers and the complete review of the personal data protection catalogue.

Also, changes to the TISAX labels will see the old "Info High" and "Info Very High" labels making way for "Confidential" and "Strictly Confidential." This transition clarifies security requirements for production parts and infrastructure providers to safeguard trade secrets.

Additionally, ISA Version 6 has mandated a switch of its main working language to English. VDA plans to offer more language versions in the future, but if there are any differences in other languages, the English version will take precedence and be used to settle any translation inaccuracies.

Moreover, since other standards affecting cybersecurity are also subject to continuous improvement, VDA ISA 6.0 has taken into account recent developments in related standards.

A new revision of ISO/IEC 27001 was published in 2022, and accordingly VDA ISA 6 now contains references to the 2022 revision of ISO/IEC 27001. In addition, VDA ISA 6 now also comes with a new mapping to NIST CSF version 1.1.

Transition timeline

VDA has set 1 April 2024 as the effective date for VDA ISA 6 in TISAX. The rules for the transition defined around that effective date are the same as in previous changes:

  • Assessments already completed according to older standards will fully retain their validity. If your TISAX labels do not expire, there is no reassessment necessary.
  • New TISAX assessment proceedings ordered until March 31st, 2024, will be conducted using ISA version 5.
  • New TISAX assessment proceedings ordered from April 1st, 2024, will be conducted using ISA version 6.
  • Assessment activities related to an existing assessment such as corrective action plan assessments, follow-ups or scope extensions will be conducted using the same version as the original assessment.
  • If an organization ordered new assessment activities in time for ISA 5 but thinks ISA 6 fits better, it may be able to optionally switch to ISA 6 for assessment activities executed after 1 April 2024. To find out if a switch is possible and what conditions apply, organizations should contact their audit provider.

Preparing for implementation

We recommend that you start preparing for the transition as early as possible and properly plan how to implement required changes into your management system. Recommended steps:

  • Get to know the updated standard, focusing on the changes.
  • Train relevant personnel in your organization to ensure they understand the requirements and key changes.
  • Identify gaps to be addressed and establish an implementation plan.
  • Update your management system and implement actions.

How can DNV help?

Whether looking to transition or starting your certification journey, DNV can be your partner. We offer transition and standard training, self-assessments, gap analysis and certification.