2026-07-01 by Clemens Magić TISAX
On June 28th, 2016, almost exactly ten years ago, the first TISAX participants registered. What started as an initiative to establish a common and trusted approach to information security within our industry's supply chain has since evolved into a global standard. During this decade, TISAX has already driven a profound transformation across the industry. Organizations have established information security management structures, created dedicated teams and departments, developed new competencies, and embedded information security as a core business requirement.

The impact of this transformation is measurable. More than 21,000 locations have been assessed according to TISAX requirements, resulting in well over 100,000 identified and implemented security improvements. Today, more than 5,000 active users from more than ten vehicle manufacturers and thousands of suppliers of all sizes use TISAX Assessment Results to evaluate the security posture of business partners and suppliers.
Most importantly, these collective efforts have made our industry more resilient. At a time when cyber threats are becoming increasingly sophisticated, supply chains more interconnected, and regulatory expectations continue to increase, resilience has become a critical success factor. TISAX has helped organizations move from isolated security measures to systematic and continuously improving information security management. As a result, companies across the automotive ecosystem are better prepared to prevent, detect, respond to, and recover from security incidents.
At the same time, TISAX itself has continuously evolved. Thousands of experts from manufacturers, suppliers, audit providers, and industry associations have contributed to its development. Together, they have refined processes, improved assessment quality, expanded international adoption, and ensured that TISAX remains aligned with the rapidly changing threat landscape, technological developments, and business requirements.
One of the most significant areas of continuous improvement has always been the Information Security Assessment (ISA) catalogue. TISAX started in 2016 using ISA version 2.1.
The early versions of the ISA were heavily based on ISO/IEC 27001 and adapted the standard to the specific needs of our industry. In 2019, the ENX Working Group ISA took over authorship and maintenance of the catalogue from the VDA. This marked the beginning of a new phase in the evolution of the ISA.
With ISA 5, the catalogue had evolved into an independent industry standard in its own right. While maintaining alignment with ISO/IEC 27001 and other international information security standards, the ISA is no longer simply an industry-specific interpretation of existing frameworks. Instead, it is developed independently by industry experts to address the specific risks, requirements, and realities of organizations operating within our industry's value chains.
Since then, every version has contributed to raising the level of information security across the automotive ecosystem, continuously refining what the industry considers state of the art. The current version, ISA 6, was released in October 2023 and became effective for TISAX Assessments ordered from April 1st, 2024 onwards. Since then, the ENX Working Group ISA has been working intensively on the next generation of the catalogue, collecting industry feedback, reviewing assessment experience, and evaluating developments in information security and cybersecurity. ENX has finalized the next version, ISA2027, recently.
Today, we are excited to announce that the VDA has officially published the new version as VDA ISA2027. The official version of the ISA is available on the VDA website and can also be downloaded from the ENX website: https://www.enx.com/isa2027-en.xlsx.
Additional translations are currently being prepared and will be published over the coming months. In case of discrepancies, the English version remains authoritative.

With this release, we are introducing a completely new versioning scheme for the ISA catalogue. Instead of sequential version numbers, future releases will use the year in which they become mandatory for newly ordered TISAX Assessments. ISA2027 will therefore apply to all TISAX Assessments ordered from January 1st, 2027 onwards. This change is intended to make versioning easier to understand and provide greater transparency for all stakeholders.
ISA2027 also marks the start of a new annual release cycle. Future ISA catalogues will generally be published in summer and become effective on January 1st of the following year.
As a result:
The annual publication cycle does not affect the validity of TISAX labels. Existing labels remain valid for their full validity period, and future TISAX labels will continue to have a validity period of up to three years. The introduction of annual ISA releases therefore does not increase reassessment frequency. In practice, organizations will continue to skip multiple ISA generations between regular reassessments. The annual release cycle simply allows the catalogue to evolve in smaller, more predictable steps while maintaining the established lifecycle of TISAX assessments and labels.
ISA2027 continues the evolution of the catalogue with a focus on clarity, consistency, and the strengthening of security governance throughout the automotive ecosystem.
ISA2027 introduces a completely new release and versioning concept.
Instead of sequential version numbers, future ISA versions will be named after the year in which they become effective. Combined with the new annual release cycle, this provides greater transparency and predictability for organizations, assessors, and customers alike.

The references and mappings to international standards have been reviewed and updated throughout the catalogue.
Key improvements include:
These updates improve the quality and accuracy of the reference mappings provided within the catalogue.
A major focus of ISA2027 was improving readability, usability, and consistency throughout the catalogue.
The Working Group ISA conducted a comprehensive review of wording, translations, formatting, and requirement structures. Numerous ambiguities and historical inconsistencies were removed, resulting in a catalogue that is easier to understand and more consistent to assess.
One particularly important change is the introduction of a formal definition for the phrase "The following aspects are considered." The phrase had historically been interpreted differently by organizations and assessors. ISA2027 now clearly defines that each listed aspect must be consciously considered and that the rationale behind the implementation decision must be explainable during an assessment.
Additional definitions have also been added or clarified, including a broader definition of Project and clearer differentiation between events and incidents.
The catalogue also clarifies that managers and organizational leaders are included as a dedicated target group for information security awareness and training activities. While this does not introduce a new expectation, it improves transparency and better aligns the catalogue with evolving regulatory requirements and industry practices.
One of the most significant areas of change is supplier and supply chain security.
Organizations with high protection needs are now required to place greater emphasis on documenting, reviewing, and monitoring supplier compliance with security requirements and associated evidence. Reviews must also consider significant changes affecting suppliers or supply chain structures.
For organizations handling information with very high protection needs, assurance requirements have been strengthened further. Suppliers are expected to demonstrate an adequate level of information security through a TISAX label, an equivalent third-party assessment, or an appropriate supplier audit.
These changes reflect the growing importance of managing risk not only within organizations, but across increasingly interconnected supply chains. As an industry, we rely on complex networks of suppliers, service providers, and technology partners. A supply chain is only as secure as its weakest link, and vulnerabilities deep within the supply chain can ultimately affect customers, suppliers, and manufacturers alike.
As a result, ISA2027 places an even stronger emphasis on supplier security management and the verification of security requirements for suppliers. The objective is to strengthen the cascading of information security requirements throughout the supply chain. By requiring every organization to appropriately manage and verify the information security of its suppliers, the industry can establish a consistent level of assurance throughout increasingly interconnected supply chains and further strengthen overall resilience.
ISA2027 also includes the most substantial revision of the Prototype Protection (PTS) module since its introduction.
The previous structure of five separate control groups has been consolidated into two overarching domains:
This restructuring simplifies the catalogue and provides a clearer distinction between baseline organizational requirements and enhanced physical protection requirements. It also supports a more streamlined assessment model for Prototype Protection assessments.
In addition, ISA2027 introduces new controls covering:
These new requirements strengthen accountability and protection throughout the entire prototype lifecycle.
ISA2027 continues to define the state of the art for information security from an industry perspective. Built on ten years of operational experience, thousands of assessment procedures, and the combined expertise of manufacturers, suppliers, assessment providers, and industry associations, it provides an updated benchmark for managing information security in an increasingly connected world. At the same time, it reflects the reality that information security is not a destination, but a continuous process of adaptation and improvement.
While ISA2027 marks the beginning of annual catalogue releases, the established three-year validity of TISAX labels remains unchanged, ensuring stability and planning reliability for participants while allowing the industry's state of the art to evolve more continuously.
Over the coming weeks and months, we will publish dedicated articles highlighting individual changes in greater detail, explaining the rationale behind them, and providing practical guidance for organizations preparing for future TISAX Assessments based on ISA2027.
As we celebrate ten years of TISAX, ISA2027 marks another milestone in the ongoing development of our industry's common approach to information security. The challenges facing our industry will continue to evolve, and so will TISAX. Through the continued collaboration of manufacturers, suppliers, assessment providers, and the expert working groups, we will keep refining the framework to ensure it remains relevant, practical, and effective for the years ahead.