TISAX Requirements: What the VDA ISA 6.0 Actually Demands

Stefan Effenberger, IT Documentation Expert

Last updated: 11 June 2026

Reading time: 3 minutes

Key Takeaways

  • The VDA ISA 6.0 contains more than 300 requirements across 7 chapters. To receive a TISAX label, you need a consistent Maturity Level 3 – meaning processes that are demonstrably lived, not just documented on paper.
  • Assessment Level 2 and Level 3 evaluate the same controls under the VDA ISA. The difference lies in audit depth: AL 2 is a remote assessment, AL 3 is an on-site audit with system verification and penetration testing.
  • Around 60% of a TISAX project involves IT-related evidence. Companies without an up-to-date asset register, access control concept and patch records often fail as early as the self-assessment.

The VDA ISA 6.0 has been the binding audit framework for all TISAX assessments since April 2024. Any company working with an OEM in the automotive industry that handles confidential information needs a valid TISAX label – without one, collaboration is no longer possible. This article explains what the requirements catalogue demands in practice, how AL 2 and AL 3 differ, and what role IT documentation plays throughout.

What Does TISAX Assess – and Against Which Catalogue?

TISAX (Trusted Information Security Assessment Exchange) is based on the VDA ISA, the Information Security Assessment catalogue published by the German Association of the Automotive Industry (VDA). It is maintained by the ENX Association. The catalogue is the sole binding audit framework – no auditor deviates from it, and no OEM accepts alternative evidence in its place. As the automotive industry's dedicated TISAX standard, the VDA ISA functions as an accepted alternative to ISO 27001 certification: OEMs recognise a valid TISAX label as equivalent proof. The TISAX norm aligns explicitly with ISO/IEC 27001 – approximately 75% of its controls are identical.

Version 6.0.2 has applied since 1 April 2024 to all newly commissioned assessments. Labels issued under ISA 5.1 remain valid until their expiry date. The catalogue contains more than 300 requirement questions divided across three modules: Information Security (mandatory for all), Data Protection, and Prototype Protection – the latter two depending on the OEM's requirements.

How Is the VDA ISA 6.0 Structured – and What Does the TISAX ISMS Cover?

The mandatory Information Security module is divided into seven chapters, which together form the complete ISMS requirements profile for automotive suppliers:

  1. Information Security Management – Policies, roles, responsibilities, ISMS documentation
  2. Personnel Security – Employee screening, training, offboarding processes
  3. Asset Management – Inventory, classification and handling of IT assets and information
  4. Access Control – Access concept, need-to-know principle, MFA requirements
  5. Cryptography and Physical Security – Data encryption, physical access control, zone model
  6. IT Operations and Network Security – Patch management, network segmentation, backup
  7. Incident Management and Business Continuity – Emergency processes, BCM, recovery plans

ISA 6.0 introduced five new controls for Business Continuity and Incident Management. This is a direct response to ransomware attacks on just-in-time supply chains that have brought several major automotive plants to a standstill in recent years. Additionally, a separate "Availability" label was introduced for the first time, extending beyond pure confidentiality requirements.

What Exactly Does a TISAX Audit Examine?

What exactly does a TISAX audit examine – and how deep does an auditor actually look? Many companies underestimate this. The audit is not a review of polished policies – it is a verification of evidence. A written ISMS manual alone is not sufficient – the auditor needs to see that processes actually function in day-to-day operations.

What an auditor examines in every assessment falls into three categories. First, ISMS documentation: the management handbook with risk assessment, an asset register classified by protection needs, and an access control matrix following the least-privilege principle. Second, operational evidence: patch logs with current operating system versions, training records for all in-scope personnel, and an incident log with documented events and responses. Third, contingency and supplier management: a business continuity plan with defined recovery times, and data processing agreements (DPAs) for external service providers.

The maturity standard is unambiguous: Maturity Level 3 means established, consistently followed and demonstrably tested during the audit. Maturity Level 0 or 1 is unacceptable for critical controls – even as an isolated case within an otherwise solid self-assessment.

In a TISAX assessment, only what is documented exists. Companies that cannot provide evidence receive no label. This applies above all to asset management and access control, where auditors routinely conduct spot checks to verify that documented reality matches actual practice.

What Changed in 2024 with ISA 6.0?

Companies already familiar with ISA 5.1 should pay close attention to four changes. For the first time, there is a separate "Availability" label: suppliers can now demonstrate compliance with availability requirements independently – a direct response to ransomware-driven production outages in automotive supply chains. Alongside this, five new BCM and Incident Management controls were added: IT service continuity, backup and recovery, and emergency management are now standalone audit points with their own maturity ratings.

The third and perhaps most consequential change is the OT requirements based on ISA/IEC 62443: production environments and industrial control systems must now be integrated into the ISMS for the first time. Companies that had previously excluded OT systems from their TISAX scope must now include them. Finally, ISA 6.0 now explicitly references ISO 27001:2022, the BSI IT-Grundschutz framework and the NIST Cyber Security Framework – significantly simplifying the integration of these standards into TISAX preparation.

The OT requirement in particular catches many manufacturing suppliers off guard. Any gap analysis based on ISA 6.0 should include OT systems from the outset, not as a last-minute addition before the audit.

TISAX Level 2 and Level 3: Same Requirements, Different Audit Depth

The most common misconception in TISAX preparation: Level 2 has easier requirements than Level 3. This is incorrect. All assessment levels evaluate the same controls under the VDA ISA – the difference lies exclusively in the audit method, not in the scope of requirements.

Which level a company requires is determined by the OEM in the supply contract – not by the company itself. AL 2 is a remote assessment involving document review and video interviews. AL 3 is an on-site audit with direct system verification and penetration testing. AL 1 does not result in a TISAX label – OEMs do not accept it as evidence of a completed TISAX audit.

What this means for requirements preparation: TISAX Level 2 requirements and TISAX Level 3 requirements are identical – AL 3 requires the same controls to be met as AL 2, but the auditor verifies on-site whether systems actually behave as the documentation claims. Gaps between documented policies and lived practice will be identified in an AL 3 audit, without exception.

Why IT Documentation Is Decisive in a TISAX Assessment

Around 60% of a TISAX project involves the IT side. Behind this are concrete VDA ISA requirements: fully inventoried assets classified by protection needs, an up-to-date access control concept, verifiable patch records and current network documentation.

In practice, the most frequent audit findings relate not to missing policies but to outdated or incomplete documentation. An asset register from the previous quarter, active accounts belonging to former employees, network documentation that no longer reflects the current state – these are the typical weaknesses that surface during an assessment.

What IT teams need to prepare for the assessment concretely:

  • Asset Management: All IT assets fully inventoried, classified and assigned to a responsible owner – including applications, endpoints and physical media
  • Access Control Concept: Access rights based on the least-privilege principle, regularly reviewed and free of outdated accounts
  • Patch Management: Current operating system and software versions with a documented patch process and exception records
  • Network Security: Segmentation, firewall rules and encryption documented with up-to-date network diagrams
  • Contingency Planning: Documented recovery plans for business-critical systems with defined recovery time objectives
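As an added example (not code from Docusnap and not part of the VDA ISA), the script below runs the kind of checks behind the list above over two constructed sample exports: an asset register and a user account list, cross-referenced with an HR leaver list. It flags assets without a responsible owner or protection-level classification and enabled accounts that belong to former employees or have not logged on for 90 days, and it wraps the results in a dated report of the sort an auditor expects as evidence of regular review. All column names, sample rows and the 90-day threshold are assumptions made for the example.

```python
"""Audit-readiness check over an asset register and an account export.

Added example (not Docusnap code, not part of the VDA ISA): flags the typical
findings named in the article, i.e. assets without owner or classification,
enabled accounts of former employees, and accounts unused for a long time.
All CSV columns, sample rows and thresholds below are constructed for the example.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export of the asset register (hypothetical columns).
ASSET_REGISTER_CSV = """\
asset_id,hostname,type,owner,classification
A-001,srv-erp-01,server,it-ops,confidential
A-002,nb-0042,endpoint,,internal
A-003,nas-eng-02,storage,engineering,
A-004,fw-edge-01,network,it-ops,confidential
"""

# Constructed sample export of user accounts (hypothetical columns).
ACCOUNTS_CSV = """\
username,enabled,last_logon
a.mueller,true,2026-05-28
b.schmidt,true,2025-11-02
c.weber,false,2024-01-15
d.fischer,true,2026-06-01
"""

# Constructed HR leaver list: usernames whose employment has ended.
LEAVERS = {"b.schmidt", "c.weber"}

# Assumed review threshold: an enabled account unused this long is reported.
STALE_AFTER_DAYS = 90


def _rows(csv_text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_assets(csv_text):
    """Return (asset_id, issue) findings for assets lacking owner or classification."""
    findings = []
    for row in _rows(csv_text):
        if not row["owner"].strip():
            findings.append((row["asset_id"], "no responsible owner assigned"))
        if not row["classification"].strip():
            findings.append((row["asset_id"], "no protection-level classification"))
    return findings


def check_accounts(csv_text, leavers, today, stale_after_days=STALE_AFTER_DAYS):
    """Return (username, issue) findings for enabled leaver accounts and stale accounts."""
    findings = []
    cutoff = today - timedelta(days=stale_after_days)
    for row in _rows(csv_text):
        user = row["username"]
        enabled = row["enabled"].strip().lower() == "true"
        last_logon = datetime.strptime(row["last_logon"], "%Y-%m-%d").date()
        if not enabled:
            continue  # disabled accounts are already contained; not reported here
        if user in leavers:
            findings.append((user, "enabled account of a former employee"))
        if last_logon < cutoff:
            findings.append((user, f"no logon for more than {stale_after_days} days"))
    return findings


def build_report(today_iso=None):
    """Combine both checks into a dated report dict usable as review evidence."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    asset_findings = check_assets(ASSET_REGISTER_CSV)
    account_findings = check_accounts(ACCOUNTS_CSV, LEAVERS, today)
    return {
        "generated_on": today.isoformat(),
        "asset_findings": asset_findings,
        "account_findings": account_findings,
        "audit_ready": not asset_findings and not account_findings,
    }


if __name__ == "__main__":
    report = build_report("2026-06-11")
    print(f"Review report generated on {report['generated_on']}")
    for asset_id, issue in report["asset_findings"]:
        print(f"  asset {asset_id}: {issue}")
    for user, issue in report["account_findings"]:
        print(f"  account {user}: {issue}")
    print("audit-ready" if report["audit_ready"] else "gaps remain")
```

Run on a schedule and kept with its date, the report itself becomes the evidence that the access concept and asset register are reviewed regularly, which is what the auditor looks for rather than a one-off screenshot.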

Which VDA ISA Requirements Does IT Documentation Software Cover in Practice?

The direct connection between VDA ISA controls and IT documentation is often unclear in practice. Chapter 3 (Asset Management) requires a complete, up-to-date inventory of all IT assets with protection-level classification; documentation software delivers this agentlessly, without a rollout to the target systems. Chapter 4 (Access Control) requires a least-privilege access matrix with an overview of active accounts, including analysis across Active Directory, file shares and cloud services with direct identification of stale accounts. For Chapter 6 (IT Operations and Network Security), network diagrams and patch status reports are generated automatically from the inventory. Chapter 1 (Information Security Management) is supported through asset owner assignment and exportable ISMS reports.

Auditors do not accept live system screenshots as evidence – they expect structured, timestamped documentation that demonstrates regular maintenance. That is the difference between an asset tracking tool and an IT documentation solution. The solution page shows how Docusnap is used for TISAX preparation.

How to Prepare Systematically for the Assessment

Realistic preparation follows four steps. Starting too late creates time pressure – and time pressure is the most common reason why policies get created but never actually followed.

Step 1: Define the scope. Which locations, systems and processes come into contact with the information subject to the assessment? A scope defined too narrowly leads to subsequent demands; too broadly and the effort becomes unmanageable.

Step 2: Conduct a gap analysis based on ISA 6.0. Map the current state against the requirements. Prioritise critical gaps with Maturity Level 0 or 1 immediately – these are the assessment-critical areas requiring the most lead time.

Step 3: Bring the TISAX ISMS to Maturity Level 3. Policies, processes and evidence must not only exist – they need to be regularly applied and reviewed. The TISAX Information Security Management System (ISMS) follows the same core principles as ISO 27001. An ISMS manual that nobody knows and nobody follows will receive Maturity Level 1 in the audit.

Step 4: Make IT documentation audit-ready. The asset register, access control matrix, patch logs and network diagrams must be current at the time of the audit – and demonstrably maintained on a regular basis.

Typical preparation time: 8–12 weeks for SMEs without an existing ISMS, 6–8 weeks with an ISO 27001 foundation in place. Automating inventory and documentation reduces manual effort by several days per cycle, based on reported user experience.

A common planning mistake: companies underestimate the time required to consolidate existing documentation. Policies often exist in multiple versions across different storage systems. The auditor does not evaluate the best version – they evaluate the one actually in use. Creating a single source of truth early avoids last-minute scrambling before the audit.

The self-assessment should not be treated as a formality either. It is the first honest picture of the organisation's current maturity level – and it identifies exactly which controls are not yet at Level 3. A thorough self-assessment means no surprises in the actual audit. The complete process of a TISAX audit – from ENX registration through self-assessment to label issuance – is covered in the dedicated article.

For companies with an existing ISO 27001 foundation: TISAX requirements under VDA ISA 6.0 overlap with around 75% of ISO 27001 controls. An integrated implementation of both standards saves an estimated 30–50% of the effort compared to separate implementations.

NIS-2 and TISAX – Relevant for Companies That Need to Satisfy Both Frameworks

NIS-2 and TISAX in combination: organisations that have already built a NIS-2-compliant ISMS cover a substantial portion of their TISAX compliance requirements. Both frameworks place comparable demands on information security: asset management, access control concepts, incident response processes and documented risk assessments are mandatory in both. The key difference lies in the verification method: TISAX guidelines and security requirements are verified by an accredited audit service provider, while NIS-2 evidence is submitted to the relevant national authority. Automotive supply chain companies that fall under both frameworks should plan their implementation jointly from the outset – the overlap makes this significantly more efficient.

The VDA ISA 6.0 is not an abstract set of rules – it describes very concretely what must be on the table during the audit. Companies that understand the requirements and align their IT documentation accordingly will have no surprises in the assessment. The rest is preparation.

FAQs

What does TISAX audit at its core – and what evidence does the auditor expect?

TISAX does not check whether policies exist, but whether they are actually lived in day-to-day operations. For every control, the auditor expects concrete evidence: an ISMS manual, asset register, permission matrix, patch logs, training records, incident log, business continuity plan, and data processing agreements (DPAs) for external service providers. At AL 3, penetration test reports and system logs are additionally required. Controls for which no evidence is available are rated at maturity level 0 or 1 – and can cause the entire assessment to fail.

How long does TISAX preparation take – and what are the biggest time drains?

Typically 8–12 weeks for SMEs without an existing ISMS, and 6–8 weeks with ISO 27001 groundwork already in place. The biggest time drain is usually not creating new policies, but consolidating existing documentation: many organizations have assets, permissions, and network diagrams spread across different systems and versions that must first be brought together. Second on the list is closing maturity-level gaps in controls that are documented but cannot be demonstrably shown to be practiced. Organizations that automate inventory and IT documentation can, based on experience, reduce manual effort in this area by several days per cycle.

Do OT systems also need to be integrated into the ISMS?

Since ISA 6.0 (April 2024), OT systems must be integrated into the ISMS if they fall within the TISAX scope. The requirements are based on ISA/IEC 62443-2-1 for industrial control systems. Production environments that were previously excluded from the ISMS scope must now be included.

How long is a TISAX label valid?

Three years. After that, a follow-up assessment is required. In addition, the ENX Association requires an annual self-declaration. OEMs can check at any time via the ENX portal whether a label is active. An expired label typically results in an immediate order freeze.

When do I need TISAX – and who is affected?

TISAX typically becomes mandatory when a contract with an OEM involves processing confidential information – that is, whenever a non-disclosure agreement is part of the supply contract. In practice, BMW, VW, Audi, Mercedes, Porsche and their Tier-1 suppliers now require TISAX as a standard contractual prerequisite. Those affected are not only classic automotive suppliers, but also IT service providers, marketing agencies, engineering firms, and logistics companies that process confidential vehicle or development data. The requirement is increasingly being passed on to Tier-2 and Tier-3 companies as well.
