After months of anticipation, the VDA has published the next generation of its Information Security Assessment (ISA) catalog. This release also introduces a new naming convention: the familiar version numbers, such as ISA 6.0 and ISA 6.0.3, have been replaced by a year-based designation – ISA 2027.

If you hold a TISAX® label or are preparing for your next TISAX® assessment, this shift is worth understanding – not because it changes everything overnight, but because it signals where the standard, and the automotive industry's approach to information security, is heading.

In the following, we explain how an annually published ISA catalog applies to you as a TISAX® customer when you renew your TISAX® labels on the regular three-year cycle, and outline the simplifications that ISA 2027 brings, particularly in the Prototype Protection module.

The information provided here is preliminary in nature, as the TISAX® ACAR documents describing the processual management of TISAX® for Audit Providers have not yet been published.

Annual Publication Cycle

The first change is evident in the title itself: instead of a version number, the catalog now bears the year of its application – in this case, 2027. This suggests that the ISA catalog will be published annually going forward.

An annual publication cycle offers the opportunity to respond more quickly to changes in the threat landscape within the automotive industry. Security requirements can be adjusted in a timely manner and tightened specifically where needed to counter new threats effectively.

Going forward, new editions of the ISA catalog are expected to be published in the middle of the preceding year. From the beginning of the following year, the new ISA catalog will become mandatory for all organizations undergoing an initial or renewal assessment for their TISAX® labels. This gives organizations planning to renew their TISAX® labels approximately six months to review the changes, identify the necessary measures, and implement them before their assessment.

Our experience with the introduction of ISA Catalog 6.0 shows that, in practice, companies didn't begin intensively addressing new requirements until about six months before the change anyway. The planned annual publication cycle is therefore unlikely to increase adaptation pressure – the lead time available corresponds to the period that has already proven sufficient under the previous three-year cycle for TISAX® label renewal.

That said, based on our experience with globally operating organizations, many are likely to prefer a longer transition period. Implementing new requirements consistently across international subsidiaries with different organizational structures and cultural environments can take considerably longer than six months, particularly where requirements need to be translated into local languages, checked against national legal frameworks, or backed by organizational or technical investment.

For these reasons, we expect many large, internationally active companies to view a six-month preparation window as an additional organizational challenge. Whether this assumption proves correct will ultimately depend on the transition approach defined in the forthcoming TISAX® ACAR.

Prototype Protection Module Now Follows the Same Logical Structure as the Other Assessment Modules

Until now, the Prototype Protection module has been one of the more complex areas of TISAX®. Companies often had to navigate multiple labels with different scopes, making it easy to misunderstand which labels were required. In practice, this occasionally led organizations to unintentionally omit a required label, which subsequently made a scope extension necessary.

ISA 2027 addresses this complexity with a much simpler, more intuitive structure. Going forward, only two Prototype Protection labels exist:

  • Prototype Protection Basic (AL2)
  • Prototype Protection Facilities (AL3)

Prototype Protection Facilities includes all requirements of Prototype Protection Basic – the same hierarchical model already used for other TISAX® labels, where Strictly Confidential includes all requirements of Confidential, Very High Availability includes all requirements of High Availability, and Special Categories of Personal Data covers all requirements of Standard Categories of Personal Data.

The Prototype Protection Basic (AL2) label demonstrates that an organization has established appropriate processes and qualified personnel for the secure handling of prototypes, including both components and vehicles. Prototype Protection Facilities (AL3) goes a step further: in addition to the process requirements covered by Basic, it demonstrates that the organization's sites and facilities provide the physical safeguards needed to securely store and protect prototypes locally.

This harmonization makes the Prototype Protection module considerably easier to understand and reduces the likelihood of organizations selecting an incomplete set of labels.

A Lighter Touch on Information Security

The Information Security module also changes, but far less dramatically. It contains 43 revised controls, most of which are aimed at improving clarity and consistency of interpretation between organizations and auditors, plus a small number of requirements that shift in emphasis from "should" to "must." We've covered these control-by-control in a companion deep-dive, ISA 2027's Information Security Module: A Control-by-Control Breakdown – worth a read if you're responsible for maintaining the ISMS day to day.

What This Means for Your Next Assessment

For organizations already compliant with ISA 6.0, the transition to ISA 2027 is not expected to pose significant challenges. The simplifications introduced in the Prototype Protection module are particularly welcome, and the Information Security module changes represent an evolution rather than a revolution. Overall, the transition to ISA 2027 is far less demanding than the move to ISA 6.0 was.

If your TISAX® labels are due for renewal, you'll have approximately six months to complete the transition. This is a good time to review your ISMS against the ISA 2027 requirements, identify any gaps, and implement the necessary improvements before your next assessment.

A few practical points to keep in mind:

  • Existing, valid labels are unaffected. ISA 2027 becomes relevant at your next assessment, not retroactively.
  • Check your policy documentation against the requirements that have gradually shifted in emphasis from "should" to "must."
  • Review your supplier and service-provider landscape in light of the broadened IT Service Provider scope, with a focus on sharing responsibilities clearly.

Get the Full Picture on TISAX® — Before Your Next Assessment

From assessment levels to audit labels, our TISAX® Assessment White Paper breaks down what it takes to get ready — and stay ready. A practical resource for anyone navigating their next TISAX® cycle.

Download our Free White Paper

Frequently Asked Questions About ISA 2027

Does ISA 2027 replace TISAX® certification?

TISAX® has never been a certification in the strict sense – it results in a label based on an assessment. ISA 2027 doesn't change that; if anything, it tightens the terminology to reflect it more precisely.

Do I need to redo my TISAX® assessment because of ISA 2027?

No. A valid TISAX® label keeps its existing validity period. ISA 2027 becomes relevant at your next scheduled assessment.

Is ISA 2027 as disruptive as the move to ISA 6.0?

No. It's described as an evolution – clarifying language and closing gaps – rather than a fundamental overhaul like the ISA 6.0 update.

Who is affected by the expanded "IT Service Provider" definition?

Organizations using external IT services, including web services and outsourced Operational Technology (OT) services. We cover this in more detail in our Information Security module deep-dive 

Stay Ahead of the Change

Understanding what has changed is the first step; understanding what it means for your organization specifically is the next one. DQS will continue to provide fact-based updates on ISA 2027 as the transition timeline becomes clearer, including an upcoming webinar dedicated to the topic.

 

Upcoming ENX Webinars About ISA 2027

  • 📅 July 21, 2026 (15:00–17:00 CEST) – English
  • 📅 July 22, 2026 (09:00–11:00 CEST) – German
  • 📅 July 23, 2026 (09:00–11:00 CEST) – English

This article reflects the publicly available information on ISA 2027 at the time of writing. As with any new catalog release, some details around the exact transition timeline and process may still be clarified by ENX and the VDA. We will update this content as more information becomes available.

Want to make sure you're ready for your next TISAX® assessment under ISA 2027?

Get in touch with our team to discuss the requirements relevant to your organization

Get in touch now
Author

Holger Schmeken

Product Manager for TISAX® and VCS, Auditor for ISO/IEC 27001, Expert for Software Engineering with more than 30 years of experience, and Deputy Information Security Officer. Holger Schmeken holds a Master's in Business Informatics and has extended audit competence for Critical Infrastructures in Germany (KRITIS).

Loading...

You Might Also Enjoy These Reads

Discover more articles that dive deep into related themes and ideas.
Blog
Loading...

Release of AIAG & VDA SPC Manual Ed 1

Blog
Loading...

ISA 2027's Information Security Module: A Control-by-Control Breakdown

Blog
Loading...

What the latest IATF updates reveal about audit expectations