VDA ISA 6 – The Most Important Changes in the Catalog


Information security in the automotive industry is about to undergo a significant change as TISAX® has brought a new level of security to the industry. For years, TISAX® has served as an important standard for information and cybersecurity in the automotive industry. Now, the German Association of the Automotive Industry (VDA) has updated the catalog, and from 1 April 2024, version 6.0 will replace version 5.1.

This new VDA questionnaire expands the TISAX requirements and raises the level of information security, especially in the areas of incident management, crisis management, business continuity, and backup/restore, and it also introduces a completely revised data protection catalog.

As information security experts at 360 Digital Transformation GmbH, we would like to offer you comprehensive guidance on how you can manage this transition efficiently: either by upgrading an existing ISMS built on TISAX 5.1 to the new version 6, or by starting directly with the implementation of an ISMS (Information Security Management System) according to TISAX VDA 6.0.

What's new in the VDA ISA catalog version 6?

The new revision of the VDA 6.0 catalog includes significant changes and enhancements that affect the scope and specific controls.

New controls and requirements

There are new controls, new requirements, and additions to existing wording. The new topics place an extended focus on IoT/OT (including IT systems and IT services), software management, security incident reporting and management, crisis handling, IT service continuity planning, business continuity management (BCM), and backup and recovery.

Updating the "Data protection" module

The module has been completely revised and now contains 12 controls that consider the requirements of the GDPR and other data protection regulations.

New labelling

With the introduction of VDA 6.0, the previous TISAX® labels “Info High” and “Info Very High” were split so that the protection levels are presented more clearly and specifically. The new labels are:

  • High Availability: For systems where availability is of crucial importance.
  • Confidential: For systems that contain confidential information.
  • Very High Availability: For systems that require very high availability.
  • Strictly Confidential: For systems with strictly confidential information.

This new structure enables a more precise categorization of security requirements and helps companies implement their information security measures in a better-targeted way.

When will VDA ISA catalog 6.0 become valid?

The official transition to VDA 6.0 begins on April 1, 2024. Companies that have already completed an audit according to VDA 5.1 must switch to the new version 6.0 to keep their TISAX label.

What is eliminated with the VDA ISA catalog 6.0?

With the introduction of VDA 6.0, some existing controls from VDA 5.1 were removed or replaced. Particularly noteworthy is the deletion of control 3.1.2, whose content is now covered by the new controls 1.6.3, 5.2.8, and 5.2.9. The ISA 4 compatibility tab has also been removed to make room for updated and more relevant requirements.

Facts and numbers for version 6.0 compared to 5.1

For a clearer picture of the changes, here are some key figures:

  • VDA 5.1: 41 controls, 271 requirements (Info High/AL2), 5 requirements (Info Very High/AL3).
  • VDA 6.0: 45 controls, 297 requirements (Info High/AL2), 17 requirements (Info Very High/AL3).

In numbers, the AL2 requirements (Info High) have increased by about 10%. The AL3 requirements (Info Very High) have increased considerably, although which of them apply now depends on the label being sought (Confidentiality, Availability, or both).

Overall, the number of requirements has increased by around 12%. However, this does not mean that the effort required for an ISMS according to VDA 6.0 is 12% higher. We estimate 20-25% additional implementation effort, depending on the complexity of the extended requirements.

New controls and requirements for revision 6.0 in detail

The new and revised controls in VDA 6.0 affect numerous areas:

  • Section 1:
    • New and revised requirements for software release and incident management
    • 1.6 “Incident and crisis management”: Renamed and expanded to create a clear structure for managing security incidents and crises.
    • New controls:
      • 1.3.4 “Software approval”: This new control ensures that only approved software is used, covering software release, licensing, and patch management.
      • 1.6.2 “Management of security incidents”: New control for an orderly and timely response to security incidents.
      • 1.6.3 “Dealing with crises”: This control replaces the previous control 3.1.2 and aims to prepare organizations for crises.
  • Section 3:
    • This chapter has been renamed to “Physical Security”, mainly due to the deletion of control 3.1.2.
  • Section 4:
    • Extensions and additional requirements for access controls (4.1.1, 4.1.2, 4.1.3, 4.2.1).
  • Section 5:
    • 5.2.8 “IT service continuity planning”: Focuses on IT service continuity planning, including redundancy and recovery of key systems.
    • 5.2.9 “Backup and recovery”: Ensures organizations are prepared to recover data and systems after security incidents.
    • New and revised requirements for IT services and IT audits (5.1.1, 5.1.2, 5.2.6, 5.2.7, 5.3.1)

New controls:

  • Data protection module:
    • 9.1.1 (Data Protection Policies)
    • 9.2.1 (Organization of Data Protection)
    • 9.3.1 (Processing directory)
    • 9.4.1 (Data protection impact assessment)
    • 9.5.1-9.5.2-9.5.3 (Data transfers)
    • 9.6.1-9.6.2 (Handling requests and incidents)
    • 9.7.1-9.7.2 (Human Resources)
    • 9.8.1 (Instructions)

What does the transition process look like for existing companies in the automotive industry?

The transition from VDA 5.1 to VDA 6.0 requires careful planning and implementation. Here are the steps you should consider:

  1. Conduct a GAP analysis: Identify the differences between your current implementation and the new requirements of VDA 6.0. This will reveal the gaps in your existing ISMS.
  2. Update the documentation: Adapt your security documentation to the new controls and requirements.
  3. Implement the new controls: Implement the new controls and ensure that all necessary actions are taken.
  4. Training and awareness: Ensure that your team understands the changes and the new requirements.
  5. Internal audits: Conduct internal audits to verify the effectiveness of the new controls.
  6. Management review: Conduct a management review to ensure that management understands and supports the adapted ISMS.
  7. TISAX audit: Finally, the adapted ISMS must be audited by an approved TISAX audit company.

Direct implementation of an ISMS for information security according to TISAX® with VDA ISA 6

If you have not yet implemented an ISMS, implementing VDA 6.0 directly is an excellent opportunity to meet the latest requirements from the start. Here is an overview of the process:

  1. GAP analysis: Determine the current status of your company.
  2. Initial planning: Plan measures based on the GAP analysis for implementing the ISMS.
  3. Risk assessment: Conduct a detailed risk assessment to identify the specific security risks your organization is exposed to.
  4. Security policy development: Create comprehensive security policies and procedures that meet the requirements of VDA 6.0.
  5. Implement the controls: Implement the necessary technical and organizational controls to mitigate the identified risks.
  6. Training and awareness: Train your employees regularly on the new security guidelines and procedures.
  7. Monitoring and assessment: Continuously monitor the effectiveness of implemented controls and conduct regular assessments to identify opportunities for improvement.
  8. Preparation for the TISAX assessment: Ensure that all required documents and evidence for the TISAX assessment are in place.

Support from 360 Digital Transformation GmbH

We offer comprehensive support to guide your company through the transition to VDA 6.0. Our approach includes:

  1. GAP analysis: We identify the gaps between your current security situation and the ISA catalog version 6 requirements.
  2. Consulting and implementation: Our experts support you in implementing the new controls and requirements.
  3. Training courses: We offer customized training programs in German or English to prepare your team for the new requirements.
  4. Internal audits and preparation for the TISAX assessment: We help you to carry out internal audits and prepare optimally for the TISAX assessment.
  5. Ongoing support: Our team continues to support you after the transition to ensure that your ISMS meets the latest standards and is improved continuously.

What is the outcome for TISAX® users?

The transition from VDA 5.1 to VDA 6.0 entails numerous changes and new requirements that companies should implement carefully. With our extensive expertise and comprehensive services, we support you in making this transition smoothly and successfully implementing your information security management system as per TISAX®.

About the Author

Can Adiguzel is the founder of 360 Digital Transformation. He is a TISAX consultant and ISO 27001 Lead Auditor and has been working in IT project management for more than 11 years. His passion is information security for SMEs, and he helps SMEs overcome their information security challenges with a hands-on consulting approach.