Since 2022, the new VDA ISA catalog 5.1 has applied to all new TISAX® assessments. According to the VDA, there have only been minor changes to version 5.0. Work with the new TISAX® 5.1 test catalog is to be further simplified and made more efficient - for users and testers alike.  Read more now.


VDA ISA 5.0 - Major changes

Most of the changes in the VDA Information Security Assessment (ISA) catalog have been made to the "Information Security" module. Here, a restructuring has been carried out according to subject areas. This also includes minor adjustments such as new numbering and assignments, which unfortunately makes comparison with the previous version somewhat difficult.

Some formulations have been changed from 'should' to 'shall' character, the term "may" has been completely abolished in connection with the fulfillment of requirements.

Additional requirements have been included with a view to prototype protection.

The module "Connection of third parties" will be omitted in the future.

The following three controls (measures) have been added:

  • Suitability of employees (2.1.1)
  • Mobile working (2.1.4)
  • Dealing with means of identification (4.1.1)

In addition to the three new controls, a number of controls that were previously listed individually have been integrated into other controls.

VDA ISA CATALOG 5.0 - "Third-party connection" no longer a separate module

One of the most important changes will be that the "third party connection" module is no longer included in the new version. The previous VDA ISA Catalog 4.1.1 still contained the following four modules: Information Security, Third Party Connection, Data Protection and Prototype Protection. The respective test objectives were assigned to these four modules (also known as criteria catalogs).

With version TISAX® 5.0, the content of the "Third-party connection" module, including the audit objectives, has now been integrated into the "Information security" module. As a result, there are currently only three modules:

  1. Information Security
  2. Data protection
  3. Prototype protection

The term "third party connection" describes the situation in which a TISAX® user has its own site on the premises of a partner and can access (via direct network connections) the partner's systems. According to the VDA, "Not only were all the requirements of the "Information Security" module checked with regard to the current state of the art and appropriateness, but redundancies were also removed."

What are the deadlines for users?

For companies that use or want to introduce TISAX®, the publication of version 5.0 results in the following situation: As of October 1, 2020, the new version 5.0 will be applied to all new TISAX® assessments. For all assessments commissioned up to the aforementioned date, version 4.1.1 still applied until March 31, 2021 (last audit day). 

TISAX® - Information security in the automotive industry

For suppliers or service providers in the automotive
supply chain ★ Proof of information security ★ Recognized by all participants in the TISAX network

More information about TISAX®

VDA ISA /TISAX® - Background information

TISAX® is based on the VDA ISA catalog developed by the German Association of the Automotive Industry (VDA), a comprehensive questionnaire that is essentially based on the so-called "controls", the reference measures from Annex A of the information security standard ISO 27001, and adapted to automotive-specific concerns.

In the meantime, ISO 27001 has been revised and republished on October 25, 2022. The revision mainly applies to Annex A. However, TISAX® 5.1 still refers to the old version of Annex A of ISO 27001:2017. A corresponding adaptation to the new controls is expected for the next version of the catalog.

ISO 27001- Information Security Management System

Holistic management system according to ISO standard ★ Effective implementation of a risk management process ★ Continuous improvement of the security level

More information about ISO 27001

TISAX® is primarily aimed at companies that want or need to demonstrate a certain level (Level 1 to 3) of information security in order to work with a (participating) automotive manufacturer. The ENX Association, based in Frankfurt am Main and Paris, is entrusted with the implementation and monitoring of the procedure. ENX is an association of European automotive manufacturers, suppliers and four national automotive associations, including the German ENX founder VDA.

DQS - The right partner from the start

DQS is approved as an audit service provider by ENX and can therefore perform TISAX® assessments worldwide. All our TISAX® auditors are also approved auditors for the international standard ISO 27001, which means that both standards can be assessed by DQS at the same time and with less additional effort. We look forward to talking to you.

dqs-question-answer-question mark on wooden cubes on table


Do you have any questions?
Find out more. Without obligation and free of charge, we will gladly show you the procedure.

Access to TISAX® is gained by registering as a participant online on the ENX® portal. This is the prerequisite for being able to commission an approved audit service provider such as DQS.

Holger Schmeken

Product manager and expert for information security and software development. Holger Schmeken also contributes his expertise as an auditor for ISO 27001 with KRITIS audit procedure competence and Chief Information Security Officer of DQS BIT GmbH.