Since October 1, 2020, the new VDA ISA Catalog 5.0 has applied to all new TISAX® assessments. According to the VDA, the previous version 4.1.1 has been "fundamentally revised and optimized in terms of content". Working with the newTISAX® 5.0 test catalog should now be easier and more efficient - for users and assessors alike. Read more now.


VDA ISA 5.0 - Major changes

Most of the changes in the VDA Information Security Assessment (ISA) catalog have been made to the "Information Security" module. Here, a restructuring has been carried out according to subject areas. This also includes minor adjustments such as new numbering and assignments, which unfortunately makes comparison with the previous version somewhat difficult.

Some formulations have been changed from 'should' to 'shall' character, the term "may" has been completely abolished in connection with the fulfillment of requirements.

Additional requirements have been included with a view to prototype protection.

The module "Connection of third parties" will be omitted in the future.

The following three controls (measures) have been added:

  • Suitability of employees (2.1.1)
  • Mobile working (2.1.4)
  • Dealing with means of identification (4.1.1)

In addition to the three new controls, a number of controls that were previously listed individually have been integrated into other controls.

VDA ISA CATALOG 5.0 - "Third-party connection" no longer a separate module

One of the most important changes will be that the "third party connection" module is no longer included in the new version. The previous VDA ISA Catalog 4.1.1 still contained the following four modules: Information Security, Third Party Connection, Data Protection and Prototype Protection. The respective test objectives were assigned to these four modules (also known as criteria catalogs).

With version TISAX® 5.0, the content of the "Third-party connection" module, including the audit objectives, has now been integrated into the "Information security" module. As a result, there are currently only three modules:

  1. Information Security
  2. Data protection
  3. Prototype protection

The term "third party connection" describes the situation in which aTISAX® user has its own site on the premises of a partner and can access (via direct network connections) the partner's systems. According to the VDA, "Not only were all the requirements of the "Information Security" module checked with regard to the current state of the art and appropriateness, but redundancies were also removed."

What are the deadlines for users?

For companies that use or want to introduce TISAX®, the publication of version 5.0 results in the following situation: As of October 1, 2020, the new version 5.0 will be applied to all newTISAX® assessments. For all assessments commissioned up to the aforementioned date, version 4.1.1 will still be applied until March 31, 2021 (last audit day). After that, users will have another nine months to close possible deviations according to the old version (until December 31, 2021).

TISAX® - Information security in the automotive industry

For suppliers or service providers in the automotive
supply chain ★ Proof of information security ★ Recognized by all participants in the TISAX network

More information about TISAX®

VDA ISA/TISAX® - Background information

TISAX® is based on the VDA ISA catalog developed by the German Association of the Automotive Industry (VDA), a comprehensive questionnaire that is essentially based on the so-called "controls", the reference measures from Annex A of the information security standard ISO 27001, and adapted to automotive-specific concerns.

ISO 27001- Information Security Management System

Holistic management system according to ISO standard ★ Effective implementation of a risk management process ★ Continuous improvement of the security level

More information about ISO 27001

TISAX® is primarily aimed at companies that want or need to demonstrate a certain level (Level 1 to 3) of information security in order to work with a (participating) automotive manufacturer. The ENX Association, based in Frankfurt am Main and Paris, is entrusted with the implementation and monitoring of the procedure. ENX is an association of European automotive manufacturers, suppliers and four national automotive associations, including the German ENX founder VDA.

DQS - The right partner from the start

DQS is approved as an audit service provider by ENX and can therefore perform TISAX® assessments worldwide. All our TISAX® auditors are also approved auditors for the international standard ISO 27001, which means that both standards can be assessed by DQS at the same time and with less additional effort. We look forward to talking to you.

fragen-antwort-dqs-fragezeichen auf wuerfeln aus holz auf tisch


Do you have any questions?
Find out more. Without obligation and free of charge, we will gladly show you the procedure.

Access toTISAX® is gained by registering as a participant online on theTISAX® portal. This is the prerequisite for being able to commission an approved audit service provider such as DQS.

André Saeckel

Product manager at DQS for information security management. As a standards expert for the area of information security and IT security catalog (critical infrastructures), André Säckel is responsible for the following standards and industry-specific standards, among others: ISO 27001, ISIS12, ISO 20000-1, KRITIS and TISAX (information security in the automotive industry). He is also a member of the ISO/IEC JTC 1/SC 27/WG 1 working group as a national delegate of the German Institute for Standardization DIN.