ISA 2027 brings a new naming convention and a simplified Prototype Protection module – but if you're the one responsible for keeping an ISMS aligned with TISAX® day to day, what matters most is what changed in the Information Security module itself. Below, we go control by control through what's new: most of the 43 revisions exist purely to improve clarity, but a smaller number introduce substantive changes – including a handful that shift from "should" to "must" – and those are the ones worth reviewing closely before your next assessment.

Note: the information below is preliminary, as the TISAX® ACAR documents describing the processual management of TISAX® for Audit Providers have not yet been published.

Policies, Roles, and Assets

1.1.1 – To what extent are information security policies available? Policies must now be available and communicated. Placing greater emphasis on communicating policy changes to all relevant parties addresses a common challenge for many organizations – policies that exist but were never actually communicated down the chain.

1.2.2 – To what extent are information security responsibilities organized? Roles must be defined, assigned, and empowered. This closes a frequent gap where roles are assigned formally on paper but lack the actual authority needed to fulfill and enforce them.

1.3.1 – To what extent are information assets identified and recorded? Assets must be identified, classified, and assigned to a responsible person – with greater emphasis on classification and clear ownership than before.

Incident and Crisis Management

1.6.2 – To what extent are reported security events managed? Escalation criteria and timeframes must now be defined – clarifying what triggers escalation and within what time frame it must occur.

1.6.3 – To what extent is the organization prepared to handle crisis situations? A crisis management plan must be defined and tested, with more emphasis on both planning and testing crisis handling in practice rather than just documenting it.

Human Resources and Access Management

2.1.4 – To what extent is mobile work regulated? The term "teleworking" has been replaced with "mobile work," which better reflects how organizations actually describe this today.

4.2.1 – To what extent are access rights assigned and managed? Access rights must be assigned, reviewed, and revoked – an update that better reflects the continuous, lifecycle nature of access rights management rather than treating it as a one-time setup task.

IT and Cyber Security

5.2.4 – To what extent are event logs recorded and analyzed? Logging must now include remote sessions and policy violations. Logging remote session activity is a sensible step for traceability and accountability – though it remains an open question which policy violations can realistically be identified and logged in a technically reliable way.

5.2.6 – To what extent are IT systems and services technically checked (system and service audit)? Vulnerabilities must be identified and remediated within a defined timeframe. Simply identifying vulnerabilities without a remediation commitment is no longer sufficient – a welcome tightening, since unresolved known vulnerabilities are one of the more common gaps we see in practice.

5.2.8 – To what extent is continuity planning for IT services in place? Specific scenarios – DDoS, ransomware, and similar – must now be defined explicitly, so that remediation strategies can be tailored to each scenario rather than relying on a generic continuity plan.

5.2.9 – To what extent is the backup and recovery of data and IT services ensured? Backup, recovery, sequencing, and isolation must all be defined, with greater emphasis on restorability, backup interdependencies, and the information security aspects of backups themselves (e.g., protecting backups while at rest).

Supplier Relationships

6.1.1 – To what extent is information security ensured among contractors and cooperation partners? Requirements must now be defined, monitored, and audited. A supplier's risk profile can change over time – a supplier considered acceptable in the past may no longer meet current evaluation criteria – so recurring internal and external audits play an important role in continuously confirming confidentiality and availability status.

In our quality reviews, we often see organizations miss the opportunity to cascade TISAX® requirements down to their own supplier base. If a supplier is critical to the availability of your products or services, that supplier should be required to demonstrate a corresponding level of availability assurance. The same logic applies when confidential information is shared with suppliers, who should likewise be required to demonstrate they meet the necessary information security requirements.

6.1.3 (formerly 1.2.4) – To what extent are the responsibilities between external IT service providers and the organization defined? This control has moved into the supplier management chapter, and the term "IT Suppliers" has been broadened to "IT Service Providers." In the past, many organizations interpreted "IT Suppliers" too narrowly, associating it mainly with outsourced IT services – even though the control was always intended to cover all externally provided IT/OT services, including cloud and web-based services.

The revised wording makes clear that external IT service providers can be contractually required to protect confidential information (through SLAs and a supplier Statement of Applicability), while the organization itself remains responsible for internal rules governing how its own employees handle confidential information shared with external providers.

Compliance

7.1.2 – To what extent is the protection of personal data considered when implementing information security? The more intuitive term "personal data" is now used alongside "personally identifiable information" known from established ISO frameworks and legal frameworks such as the GDPR.

Have questions about it?

We would also be happy to answer your questions in a personal meeting. Without obligation and free of charge.

Get in touch

Where We Still See Room for Further Improvement: The IT/OT Scope Gap

One area we'd flag for particular attention: many organizations don't realize the term "IT system" is defined more broadly in the ISA catalog than they expect. Under the ISA definitions, an IT system is any type of system used for electronic information processing – a definition broad enough to encompass Operational Technology (OT) such as switches, cameras, and sensors.

As a result, organizations frequently overlook that controls referencing IT systems – especially those tied to IEC 62443-2-1 – apply to both IT and OT environments, not just the classic IT estate.

This was already the case under ISA 6.0, and in our view, ISA 2027 could have placed more emphasis on the OT dimension explicitly. In practice, we expect self-assessment descriptions to address IT and OT separately whenever they are managed by different teams or employ different measures to achieve the intended objective of ISA controls.

What This Means in Practice

None of these changes require organizations to rebuild their ISMS from scratch. But a few are worth checking against your current documentation before your next assessment:

  • Policy communication and role empowerment – not just "do these exist," but "are they actually communicated and enforceable."
  • Supplier cascading – whether your own supplier base is held to the availability/confidentiality standards your organization needs to meet for your customers.
  • Responsibilities – whether employees are provided with guidance on the secure and responsible use of provided web services.
  • OT scope – whether your self-assessment currently treats OT systems (switches, sensors, cameras, industrial control systems) as in-scope alongside classic IT.

If you'd like a broader view of what's changing across the whole ISA 2027 catalog – including the Prototype Protection simplification and the new annual publication cycle – see our companion article, "ISA 2027: What's Changing in the New TISAX® Catalogue."

This article reflects the publicly available information on ISA 2027 at the time of writing. As with any new catalog release, some details around the exact transition timeline and process may still be clarified by ENX and the VDA. We will update this content as more information becomes available.

Want help mapping these specific control changes against your current ISMS?

Download our TISAX® Assessment White Paper for a broader foundation.

Download our Free White­pa­per
Author

Holger Schmeken

Product Manager for TISAX® and VCS, Auditor for ISO/IEC 27001, Expert for Software Engineering with more than 30 years of experience, and Deputy Information Security Officer. Holger Schmeken holds a Master's in Business Informatics and has extended audit competence for Critical Infrastructures in Germany (KRITIS).

Loading...

You Might Also Enjoy These Reads

Discover more articles that dive deep into related themes and ideas.
Blog
Loading...

Release of AIAG & VDA SPC Manual Ed 1

Blog
Loading...

ISA 2027: What's Changing in the New TISAX® Catalogue

Blog
Loading...

What the latest IATF updates reveal about audit expectations