Update: VDA Information Security Assessment (ISA) Catalog Version 6 Now Available

Nov 22, 2023
The new version of the VDA ISA catalogue was published on 16.10.2023 by ENX and the German Association of the Automotive Industry. Use the available download
This updated VDA ISA catalog brings with it a variety of changes in requirements and controls. In the following lines, we would like to give you a brief overview of the changes and innovations.
In recent years, months, weeks, there has been a lot of news from and around automotive manufacturers and suppliers where there have been disruptions in supply chains. These include geopolitical conflicts, natural or environmental disasters, cyber attacks and failure of infrastructure such as production lines.
In all previous versions of the VDA ISA, the focus was on the "confidentiality" of information. With ISA 6, the label "Confidentiality" was supplemented by the label "Availability" of information, processes and systems. Due to new, more intense and serious cyber attacks on companies, the loss of information due to ransomware attacks or classic data theft is no longer the only threat you encounter in your day-to-day business.
We will now introduce you to the most important new features of ISA 6:
  • In addition to "confidentiality", there is now "availability" as a further focus in the assessment, to ensure the availability of IT resources and operational technology (OT).
  • The ISA 6 was compiled by an international team of experts, making English the leading language. The translation into other languages will take place at a later date.
  • Precise description of the requirements of each control, for a better understanding.
  • ISA 6 refers to other standards and frameworks such as ISO/IEC 27001:2022, ISA/IEC 62443-2 NIST Cyber Security Framework and the BSI Baseline Protection to exploit synergies.
  • The data protection catalogue has been completely revised. 4 controls became 12 controls.
  • In addition to examples, ISA 6 now also offers possible auditor questions and evidence that can be used for an audit.
With the new "Availability" label, a new focus is placed on uninterrupted production. This includes the consideration of the processes in production, as well as the safeguarding of production facilities in the company.
In the following, we will introduce you to the new controls from the Information Security Catalog in more detail. For reasons of comprehensibility, the Control headings will not be translated. ISA 6 is currently only available in English.
Control 1.3.4: To what extent is it ensured that only evaluated and approved software is used for processing
This control is about the implementation of procedures for the approval of software products in the company. This includes the consideration of firmware, operating systems, software, drivers and libraries (e.g. collection of software or frameworks).
Control 1.6.1: To what extent are information security relevant events or observations reported?
Control 1.6.2: To what extent are reported security events managed?
Control 1.6.3: To what extent is the organization prepared to handle crisis situations?
Control 5.2.8: To what extent is continuity planning for IT services in place?
Control 5.2.9: To what extent is the backup and recovery of data and IT services guaranteed?
In summary, it can be said that Control 3.1.2 from VDA ISA 5 is divided into the three new Controls 1.6.3, 5.2.8 and 5.2.9 from ISA Version 6. Due to the subdivision into the new controls, the topics of emergency management, business continuity management and backup and disaster recovery (BDR) are gaining massive importance for the ISMS in the company.
The new controls and requirements in ISA 6 are aimed at improving the availability of critical services, systems, processes, and information.
With the publication of ISA 6, the ENX and the VDA are reacting to the new events. For example, individual controls were dissolved and transferred to new controls and expanded with new requirements to improve availability.
The changes in ISA 6 are of great importance for a global economy that relies on high availability in the form of deliveries and provision of services.
Orders placed before 31.03.2024 can be checked according to VDA version 5.1. The assessment must be completed promptly, except for follow-ups and group examinations (SGA).
For further information and questions, please do not hesitate to contact us.