Executive Summary
VDA ISA 6.0 has been mandatory for all new TISAX® assessments ordered since April 1, 2024. The catalogue added an "Availability" label to sit alongside "Confidentiality," and introduced five new controls covering software approval, event reporting, crisis management, IT service continuity, and backup and recovery.
It also aligned its references with ISO/IEC 27001:2022 and the NIST CSF. Suppliers still running on ISA 5.1 documentation are now watching that gap surface in their surveillance audits.
That mandatory date is more than two years behind us. And yet a good share of the supplier engagements we run still turn up ISMS documentation, evidence binders, and risk treatment plans written against ISA 5.1.
This isn't laziness. It's the normal rhythm of a framework transition in the automotive supply chain. The catalogue changes, the OEMs absorb it first, and the smaller Tier-2 and Tier-3 suppliers catch up later — usually when a customer audit forces the question.
If you're reading this because your last TISAX® label is still valid under ISA 5.1 and your next audit is coming up, this is the practical map: what changed, and what your evidence needs to look like now.
What Is the Current Version of the VDA ISA Catalogue?
The current version is VDA ISA 6.0.3. Version 6.0 was published by the VDA on October 16, 2023, and it became the mandatory basis for all new TISAX® assessments ordered from April 1, 2024 onward. Minor revisions have been folded in since, and 6.0.3 is where the catalogue sits today.
One naming change came with this version: it's now officially the "ISA Catalogue," not the "VDA ISA Catalogue." English is the leading language version, and every other language is a translation of the English master. Most of us still say "VDA ISA" out of habit.
If your current TISAX® label was issued before April 1, 2024, it stays valid until its expiration date. Your next assessment — whether that's recertification or a new scope — gets conducted against ISA 6.
What Changed from ISA 5.1 to ISA 6.0
There are five categories of change worth tracking, and we'll take each in turn. None of them is a full rewrite. But put together, the effect on your documentation, evidence, and day-to-day practice adds up.
1. New Labels: Availability Is Now Separate from Confidentiality
In ISA 5 and earlier, TISAX® assessment objectives leaned almost entirely on the confidentiality of information. The old labels — "Info high" and "Info very high" — bundled the protection level together with an implicit assumption about availability.
ISA 6 pulls them apart. The four current information security labels are:
- Confidentiality (high)
- Confidentiality (very high) — strictly confidential
- Availability (high)
- Availability (very high)
So the question has shifted. A scope that used to ask "how strictly do you protect this information from disclosure?" now also asks "if your operations went down, how badly would that hit your customers' production?" Those are two different questions, and they pull in different controls. A supplier whose protection levels were once organized around confidentiality may now have to evidence a separate set of controls for continuity and resilience.
If you're carrying older labels, the ENX portal maps them into the new scheme automatically. A supplier with "Information security high" under ISA 5 shows up with both "High information security" and "High availability" labels during the transition window. That mapping is administrative, not substantive. You still have to actually build the availability evidence.
2. Five New Controls Focused on Availability, Resilience, and Software Integrity
ISA 6 brings in five controls that didn't exist as standalone items in ISA 5.1. These are the gap areas we run into most during a transition.
Control 1.3.4 — Software approval. Only evaluated and approved software gets used for processing. The scope here is broad: firmware, operating systems, application software, drivers, and libraries all count. What it asks for in practice is a defensible approval process — documented evaluation criteria, an approved-software inventory, and a path for exceptions. The thing we see most often in a gap assessment is a missing approval workflow. The inventory exists, but there's no record of how anything got onto it.
Control 1.6.1 — Reporting of information security relevant events. ISA 5.1's incident reporting control has been reworked. 1.6.1 now covers the reporting of security-relevant events and observations — things that aren't confirmed incidents yet. That distinction shows up at audit. Auditors are testing whether your reporting threshold catches the pre-incident signals, not just the confirmed breaches. This is also where having incident response playbooks ready pays off.
Control 1.6.3 — Crisis management. This one absorbs material from the older ISA 5.1 control 3.1.2. It deals with running the business under crisis conditions: natural disasters, physical attacks, pandemics, major cyber incidents that take down critical infrastructure. What's expected is a documented crisis management framework with activation criteria, decision authorities, and communication paths. It's a separate thing from business continuity planning.
Control 5.2.8 — IT service continuity planning. This focuses narrowly on keeping IT services and systems running. It expects measures for shutdown, fallback to manual operation, alternative information flows, and defined modes of operation when something goes wrong. Some of this lived inside ISA 5.1 control 3.1.2 before, but it's been promoted to a dedicated and more demanding control.
Control 5.2.9 — Backup and recovery. Backup and recovery is its own control now, lifted out of the broader continuity discussion. The expectation is a defined backup strategy with documented recovery time objectives (RTOs) and recovery point objectives (RPOs), regular tested recovery, and — this part is getting more attention at audit — air-gapped or immutable backup copies that ransomware can't encrypt along with everything else.
3. Restructuring of Access Control and IT Services
Several controls in section 4 (Access Controls — 4.1.1, 4.1.2, 4.1.3, 4.2.1) picked up additional requirements. The direction matches where the wider industry is heading: tighter access for privileged accounts, stronger identity verification, more rigorous review cycles for access rights. Suppliers whose IAM was "good enough" under ISA 5.1 are now finding the expanded requirements push them toward documented periodic access reviews and a clearer separation of duties for admin actions. A focused security audit is often the fastest way to surface where those gaps sit.
Section 5 controls covering IT services and IT audits (5.1.1, 5.1.2, 5.2.6, 5.2.7, 5.3.1) got similar updates. The substance: document the IT service delivery model more explicitly, especially when third parties like managed service providers or cloud providers are in the picture.
4. Complete Rewrite of the Data Protection Module
The data protection module — the one that matters for assessments targeting the "Data" or "Special data" labels — was completely revised by the VDA Data Protection working group. The new requirements are clearer, better organized, and more demanding on personal data processing inside the automotive supply chain.
If your scope includes a data protection label, treat this module as new and budget for a focused review. The structural changes alone mean updated documentation. The substantive changes mean you'll have to verify it operationally too, and align it with your wider GDPR obligations.
5. Aligned References to ISO/IEC 27001:2022 and NIST CSF v1.1
ISA 6 now references ISO/IEC 27001:2022 (whose transition deadline passed on October 31, 2025) and the NIST Cybersecurity Framework v1.1. The implementation guidance points to BSI IT-Grundschutz and NIST SP 800-53 as well, where they're relevant.
For suppliers who hold both TISAX® and ISO 27001, this alignment is a quiet win. The control mappings between the two are tighter than they were when ISA 5.1 referenced ISO 27001:2013. Shared documentation that was already in place will keep satisfying both, as long as your ISO 27001:2022 documentation has itself been updated to the 2022 version. If you're still weighing which path fits your business, our TISAX® vs. ISO 27001 comparison walks through the trade-offs.
What the Volume of Change Actually Means in Practice
Industry analysis puts the overall number of requirements under ISA 6 about 12% higher than ISA 5.1. AL2 (formerly "Info high") requirements went up around 10%. AL3 climbed more steeply, with the exact figure depending on which label combinations are in scope.
That headline number undersells the real lift. In our prep work, a supplier moving from a clean ISA 5.1 ISMS to defensible ISA 6 readiness is usually looking at something closer to 20–25% additional effort. The cost isn't really in the new controls. It's in the evidence trail behind them. A backup strategy that passed under ISA 5.1 might now need recovery-time testing, verification of an air-gapped copy, and documented restoration drills before it satisfies ISA 6.
The Common Gap Patterns We See at Supplier Sites
Across the gap analyses we run for suppliers moving to ISA 6, three patterns keep showing up.
1. Documentation that "works" but doesn't match the new control structure. The supplier's ISMS still maps to ISA 5.1 numbering. The controls themselves are mostly implemented. But the auditor opens the documentation and finds the evidence trail organized against the old catalogue — control 3.1.2 cited where they're now testing against 1.6.3, 5.2.8, and 5.2.9. The substance is largely there. The structure isn't. Findings follow.
2. Treating the new controls as old controls "with a different name." This is the trap. Control 5.2.9 (backup and recovery) is not the same conversation as the backup language buried inside the old ISA 5.1 control 3.1.2. It's a tougher expectation with specific things the auditor will test for: immutable copies, tested recovery, defined RTO/RPO. Suppliers who treat the migration as relabeling rather than re-implementing tend to find that auditors notice.
3. An availability label scope that nobody defined. Suppliers who used to be confidentiality-focused are now in scope for availability labels, but the scope statement never got updated. The first audit interview surfaces the mismatch, and from there the audit either expands scope mid-flight (the good outcome) or comes back with findings on documentation inconsistency (the more common one).
How to Approach the Transition: The 95-Day Path
For a supplier facing an upcoming TISAX® assessment under ISA 6, first-time or recertification, the path is structured. It breaks into roughly four phases.
Phase 1: Gap analysis (weeks 1–2). A control-by-control mapping of your current ISMS documentation and evidence against the ISA 6 catalogue. You come out with a prioritized gap list and effort estimates.
Phase 2: Documentation update (weeks 3–6). Restructure the ISMS documentation to match ISA 6 numbering. Rewrite the policies and procedures the new controls touch. Update the Statement of Applicability if you hold combined ISO 27001 + TISAX scope. This is the heart of our ISMS implementation work.
Phase 3: Operational implementation (weeks 5–10). The new controls need new operational practice behind them: documented software approval workflows, tested backup recovery, crisis management activation drills, IT service continuity exercises. This work can run alongside the documentation, though it usually stretches further into the timeline.
Phase 4: Internal audit and assessment readiness (weeks 11–13). Internal audit against ISA 6, remediation of whatever it turns up, evidence binder prep, and a mock assessment if AL3 is in scope.
That's the structure behind our 95-day TISAX® preparation methodology. The timeline assumes you're starting from a working ISA 5.1 ISMS with a competent internal team, not a green-field build. If you're early in the journey, our TISAX® readiness guide for 2026 covers the groundwork.
Moving from ISA 5.1 to ISA 6 is restructuring work, not a rebuild. Book a free gap assessment and we will map your current ISMS against the 6.0.3 catalogue, show you where the new controls leave you exposed, and give you a realistic timeline to a defensible assessment.
A Note on the Older Labels
If you're still carrying ISA 5.1-issued labels, they stay valid until they expire. Nothing about the catalogue change triggers an automatic re-assessment. The change kicks in on your next cycle, whether that's renewal, a scope expansion, or a new customer audit driven by procurement.
We still encourage suppliers to start ISA 6 alignment at least 6 months before the next assessment is scheduled, whatever the expiry date on the existing label says. Customer audit pressure has picked up — OEM procurement reviewing supplier security postures, often alongside NIS2 supply chain expectations — and suppliers who wait for the formal assessment date often find an OEM-initiated review gets there first.
Common Questions About VDA ISA 6.0
Q: When did VDA ISA 6.0 become mandatory? ISA 6 has been mandatory for all new TISAX® assessments ordered from April 1, 2024 onward. Assessments ordered before that date may still finish under ISA 5.1, within the audit body's transition rules.
Q: Does my existing ISA 5.1 TISAX® label expire because of ISA 6? No. Existing labels stay valid through their three-year cycle. The new catalogue applies at your next assessment.
Q: Will my ISO 27001 ISMS satisfy VDA ISA 6 requirements automatically? A well-implemented ISO/IEC 27001:2022 ISMS gives you a strong foundation, but it isn't sufficient on its own. ISA 6 includes automotive-specific controls (prototype protection, OEM-specific data handling) and stricter evidence expectations than the ISO 27001 baseline. Plan for an integration step, not a one-to-one mapping — our automotive cybersecurity guide on ISO/SAE 21434 and TISAX goes deeper here.
Q: What's the biggest single change suppliers underestimate? In our experience, the backup and recovery control (5.2.9) — specifically the audit expectations around tested recovery, RTO/RPO documentation, and immutable or air-gapped copies. Plenty of suppliers have backups. Few have an evidence trail that holds up to the level of testing now expected.
Q: Should we wait for ISA 7 before doing a major update? No. There's no announced ISA 7 timeline that would justify delaying ISA 6 readiness. The next assessment your customers require will be against ISA 6 (current revision 6.0.3). Prepare for the current standard.
How ITIS-Secure Helps Suppliers Transition to VDA ISA 6.0
Our preparation methodology is built specifically for automotive suppliers heading into TISAX® assessments. We run gap analyses against the current ISA catalogue, restructure ISMS documentation to match what auditors are testing for, implement the operational controls ISA 6 newly requires, and stay alongside our clients through the assessment itself.
The 95-day path above is the shape of a typical engagement. The audit body certifies; our job is to get you ready so the assessment passes on the first attempt.
If your next TISAX® assessment is coming up and you're not yet confident in your ISA 6 readiness, the gap assessment is the place to start. It's free, takes less than a day, and gives you a clear picture of where you stand against the current catalogue and how much work sits between you and a defensible assessment posture.
TISAX® is a registered trademark of ENX Association. VDA® is a registered trademark of Verband der Automobilindustrie e.V. ITIS-Secure is an independent preparation firm; TISAX assessments are conducted and labels issued by ENX-approved audit providers.

About Iulian Bozdoghina
Lead Auditor and Consultant
"Iulian Bozdogina is a veteran cybersecurity strategist with over 15 years of experience in securing automotive supply chains and critical infrastructure. He specializes in TISAX®, ISO 27001, and the emerging NIS2/DORA regulatory landscape."