Figure: ISO 27001 to VDA ISA 6 (TISAX) control mapping: two pillars on a shared Information Security Management foundation, with TISAX extending into the automotive-specific controls (prototype protection, data protection, and maturity) that ISO 27001 does not cover.
ISO 27001 · June 21, 2026 · Iulian Bozdoghina (Lead Auditor and Consultant) · 8 min read

ISO 27001 to VDA ISA 6.0.3 (TISAX): The Control-by-Control Mapping

A control-by-control crosswalk from ISO/IEC 27001:2022 Annex A to the VDA ISA 6.0.3 catalogue behind TISAX: what maps, what is partial, and what has no ISO equivalent.


Executive Summary

This is a practitioner crosswalk from ISO/IEC 27001:2022 Annex A to the VDA® Information Security Assessment (ISA) 6.0.3 catalogue that TISAX® runs on. The two share most of their information-security controls, which is why a certified ISMS satisfies roughly 70–80% of the ISA Information Security module. Below, that overlap is mapped area by area, with the ISO controls that carry each one, and the places where ISO 27001 simply runs out: prototype protection, data protection, and the maturity evidence TISAX grades you on.

Why ISO 27001 and VDA ISA line up in the first place

The ISA catalogue was built on ISO 27001 Annex A, and version 6.0 was realigned to the 2022 edition of the standard. The alignment is explicit: each control in the ISA workbook carries a "Reference to other standards" column that points back to the matching ISO/IEC 27001:2022 control. That column is the authoritative per-control reference. What follows here is a group-level crosswalk, organized by control area rather than by individual line, so you can see the shape of the overlap without opening the workbook.

The scale of the two is worth keeping in view. ISO 27001:2022 has 93 Annex A controls in four themes: 37 organizational, 8 people, 14 physical, and 34 technological, sitting on the clause 4–10 management-system requirements. The VDA ISA Information Security module has 45 controls and 297 individual requirements at the High protection level (AL2), with another 17 requirements for Very High protection (AL3). The ISA module is, in practice, a structured overlay on ISO 27001:2022 Annex A.

How to read the coverage column

Each area below is rated for how much a certified ISO 27001:2022 ISMS delivers toward it:

  • Strong: an ISO 27001 ISMS usually satisfies most of the requirement; the remaining work is evidence and maturity, not new control.
  • Partial: the control exists in both, but ISA pushes further (automotive weighting, availability, deeper evidence).
  • Minimal: little to no ISO 27001 coverage; this is net-new work.
  • None: no ISO 27001 equivalent; a structurally different requirement.

One caveat sits over the whole table: "maps to" is not "done." ISA scores every control on a 0–5 maturity scale and expects level 3 for AL2 and AL3. A control that maps cleanly to ISO 27001 still has to be evidenced as consistently practiced, which is where most of the real work lives.

Module 1: Information Security (the part that maps to ISO 27001)

The Information Security module is where the overlap is concentrated. Area by area:

  • Information security policies and organization: maps to ISO clause 5 (Leadership) and Annex A 5.1–5.8. Coverage: strong.
  • Asset management (including the software-approval control 1.3.4 added in ISA 6): maps to A.5.9–5.14. Coverage: strong.
  • Information security risk management: maps to ISO clauses 6.1, 8.2, and 8.3, the risk core of the standard. Coverage: strong.
  • Internal audit and assessments: maps to clause 9.2 and A.5.35–5.36. Coverage: strong.
  • Incident and crisis management (1.6.1 reporting, 1.6.2 handling, 1.6.3 crisis): maps to A.5.24–5.28. Coverage: strong, though ISA 6's explicit crisis-handling step goes slightly beyond the ISO baseline.
  • Human resources security: maps to A.6.1–6.8. Coverage: strong.
  • Physical and environmental security: maps to A.7.1–7.14. Coverage: strong for general office and site context.
  • Business continuity and availability (IT service continuity 5.2.8, backup and restore 5.2.9): maps to A.5.29–5.30 and A.8.13–8.14. Coverage: partial, because ISA 6 weights availability and resilience more heavily than a confidentiality-scoped ISMS.
  • Identity and access management: maps to A.5.15–5.18 and A.8.2–8.5. Coverage: strong.
  • Cryptography and key management: maps to A.8.24. Coverage: strong.
  • Operations security (logging, malware protection, vulnerability and change management): maps to A.8.6–8.23. Coverage: strong in general, partial where ISA weights OT and manufacturing environments.
  • System acquisition, development, and maintenance: maps to A.8.25–8.34. Coverage: strong.
  • Supplier relationships: maps to A.5.19–5.23. Coverage: strong, and probed closely on both sides.
  • Compliance: maps to A.5.31–5.36. Coverage: strong.

Across this module, a certified ISMS is not a head start so much as the substance of the requirement. This is where the 70–80% comes from.

Module 2: Prototype Protection (little ISO overlap)

Prototype Protection is a separate ISA module, assessed only when the OEM requires the label, and it has no direct equivalent in ISO 27001 Annex A.

  • Physical protection of prototype parts, vehicles, and areas: the nearest ISO relatives are the physical security perimeter and entry controls, A.7.1–7.4. Coverage: minimal.
  • Classification and handling of prototype data (CAD files, test results): nearest to asset classification and handling, A.5.9–5.13. Coverage: minimal.
  • Secure test drives, camouflage, photo and film, transport and loan: no ISO 27001 equivalent. Coverage: none.

If your asset register stops at information assets and never reaches the physical prototype, this whole module is net-new work.

Module 3: Data Protection (GDPR, not ISO 27001)

The Data Protection module was expanded in ISA 6 to reflect GDPR obligations for suppliers acting as data processors. It is rooted in Regulation (EU) 2016/679, and the closest standards-based alignment is ISO/IEC 27701, the privacy extension to 27001, not 27001 itself.

  • Legal basis, records of processing, data-subject rights, DPIAs, technical and organizational measures (Article 32), breach notification, international transfers: ISO 27001 touches this only indirectly, through A.5.34. Coverage: minimal. In practice this is a data-protection programme, not a handful of extra controls.

The gaps that are not controls: maturity, scope, mechanism

Three differences sit outside the control mapping entirely, and they are the reason an ISO 27001 certificate is never accepted in place of a TISAX label.

  • The maturity model. ISA scores every applicable control 0–5 and targets level 3 for AL2 and AL3. ISO 27001 is conformity-based: a control conforms or it does not. There is no ISO equivalent to the maturity grade. Coverage: none.
  • The scope. An ISO 27001 scope is defined by the organization. A TISAX scope is driven by the OEM's exchange request and the labels it demands. The ISA cover sheet maps loosely to the context-of-the-organization requirement in ISO clause 4, but the logic is different.
  • The mechanism. ISO 27001 produces a certificate over a scope you define. TISAX produces labels, shared through the ENX portal, that partners read directly. A label is not a certificate, and it produces no Statement of Applicability.

How to use this mapping for a gap analysis

The fastest way to turn this into a plan is to start from what you already have and work outward. Take your ISO 27001 Statement of Applicability, walk it against the Module 1 areas above, and the strong rows will largely take care of themselves on paper. Then spend your time on three things the mapping flags as net-new: the availability and OT weighting inside Module 1, the prototype protection and data protection modules if your OEM requires those labels, and the maturity evidence for every control, certified or not.

If you would rather see your own gaps scored automatically, two self-service tools return a control-by-control gap report without a call: the ISO 27001 audit hub checks your ISMS against Annex A, and the TISAX audit hub walks the VDA ISA controls. For the narrative behind this table, including why suppliers end up needing both frameworks, see our companion piece on whether ISO 27001 covers TISAX.

What this mapping is not

It is a practitioner crosswalk, not the official catalogue. The authoritative per-control reference is the "Reference to other standards" column in the current VDA ISA 6.0.3 workbook, and the assessment itself is conducted against that workbook by an ENX-approved audit provider. Treat this page as a way to scope and plan, not as evidence. Control numbering and label scope can change with minor ISA revisions, so check the live workbook before you commit a programme to it.

How ITIS-Secure helps

Our gap assessments start from exactly this crosswalk. We take your current ISO 27001 ISMS, map it against the specific TISAX labels your OEM requires, mark every area as strong, partial, or net-new, and hand you a scoped plan rather than a percentage. If you are weighing TISAX preparation, already hold ISO 27001, or are building both, we can show you where the work actually is.

Book your free gap assessment and we will map your posture against your target labels and give you a clear, honest roadmap.

No commitment required • GDPR compliant • Strategy confirmed via secure link

Frequently asked questions

Is there an official ISO 27001 to VDA ISA mapping?

Yes, in a sense. The VDA ISA 6.0.3 workbook includes a "Reference to other standards" column that maps each control to the matching ISO/IEC 27001:2022 control, alongside references to other frameworks. That column is the authoritative per-control source. The crosswalk on this page is a group-level summary of it.

How many ISO 27001 controls map to TISAX?

Most of the ISA Information Security module maps to ISO 27001:2022 Annex A, which is why a certified ISMS covers roughly 70–80% of that module. ISO 27001:2022 has 93 Annex A controls; the ISA Information Security module has 45 controls and 297 requirements at AL2.

Which TISAX controls have no ISO 27001 equivalent?

The Prototype Protection module and most of the Data Protection module sit outside ISO 27001, along with the maturity-evidence model. Prototype protection's nearest ISO relatives are A.5.9–5.13 and A.7.1–7.4, but those are starting points, not coverage.

Can I reuse my ISO 27001 Statement of Applicability for TISAX?

As an input, yes. The SoA is the best starting point for an ISA gap analysis because it already records your Annex A decisions. It is not a substitute for the ISA workbook, and it does not address prototype protection, data protection, or the maturity evidence TISAX requires.

Does ISO 27001 certification reduce TISAX effort?

Considerably. The shared Information Security controls are already in place, so preparation focuses on the automotive-specific modules and the maturity evidence. Running both programmes together, rather than in sequence, typically saves 20–30% of effort.

This article is general information about ISO 27001 and TISAX, not legal or certification advice. The current VDA ISA 6.0.3 workbook and your OEM's exchange request determine exactly which controls and labels apply to you.

Iulian Bozdoghina

"Iulian Bozdoghina is a veteran cybersecurity strategist with over 15 years of experience in securing automotive supply chains and critical infrastructure. He specializes in TISAX®, ISO 27001, and the emerging NIS2/DORA regulatory landscape."

ISO 27001 Lead Auditor · TISAX® Specialist · ISO 14001 Auditor · ISO 42001 Auditor
