Insights

Insights in TISAX®

VDA® ISA 7.0: What Changes for TISAX® in 2027

Christopher Eller
Christopher Eller
Founder of Valiido and TÜV® SÜD certified ISO® 27001 Auditor
VDA® ISA 7.0: What Changes for TISAX® in 2027

On July 1, 2026 the VDA® published the successor of ISA 6 (official announcement by the VDA®) - the new version of the questionnaire behind every TISAX® assessment. Many expected it to be called ISA 7.0; officially it is named ISA 2027, because the VDA® switched to year-based version names. We compared the official catalogs line by line - ISA 6 against ISA 2027 - and classified every single control change. This article summarizes what actually changes; the full catalog diff, control by control, is free to use.

The key facts in numbers

  • Version naming changes: the catalog is now named by year (2027) instead of a version number (7.0). It is dated July 1, 2026.
  • Information security: 46 controls before, 46 after. No control explosion - but 44 of the 46 controls were edited. Most edits are clarifications; 25 controls gain, lose or move at least one requirement.
  • Prototype protection: 22 controls become 20, and the module is completely restructured: five sections (8.1 to 8.5) become two (8.1 organizational, 8.2 physical security).
  • Data protection: unchanged. All 12 controls of chapter 9 are identical to ISA 6.
  • New framework mapping: ISA 2027 maps to NIST CSF 2.0 and ISO/IEC 27001:2022; the old ISO 27001:2013 references are gone.
Get notified when ISA 2027 takes effect:

Chapter by chapter: where things really change

ChapterWhat changesOur rating
1 - IS PoliciesNew crisis management (1.6.3), policy duties now mandatory (1.1.1)Major Change
2 - Human ResourcesTeleworking rewritten with concrete must-requirements (2.1.4)Major Change
3 - Physical SecurityA few requirements clarifiedMinor Change
4 - Access ManagementPassword and login rules tightenedMinor Change
5 - IT SecurityMany small edits, some additions for high protection needsMinor Change
6 - SuppliersSupplier verification duties tightened, 1.2.4 becomes 6.1.3Major Change
7 - ComplianceRewording onlyMinor Change
8 - Prototype ProtectionFully restructured, 22 controls become 20Major Change
9 - Data ProtectionNo changesUnchanged

Every rating links back to evidence: our interactive catalog diff shows the exact wording changes for each control, with removed text struck through and new text highlighted.

Open the full catalog diff - every control, every change

Already on Valiido? Then ISA 2027 is not on your to-do list: Valiido updates the catalog and all content for TISAX® automatically, in time for the switchover. You keep working, we take care of the new version. See how Valiido prepares you for TISAX®

From recommendations to obligations

The most consequential pattern in ISA 2027 is quiet: requirements move from the should-level to the must-level. Two examples from our comparison:

  • Control 1.1.1: making security policies available to employees, and informing employees and external business partners about relevant changes, used to be should-requirements. In ISA 2027 they are must-requirements - auditors will treat them as mandatory.
  • Control 4.1.2: passwords according to the state of the art move from a side note into the regular should-requirements.

If your information security management system (ISMS) was built to just clear the must-bar of ISA 6, these promotions are where new gaps will appear first. For the current catalog, our detailed breakdown of VDA® ISA catalogue 6 remains the reference until the switchover.

The supply chain moves into focus

Control 1.2.4 (external IT service providers) moves into chapter 6 as the new control 6.1.3 - a signal in itself. The duty to evaluate and document the applicability of the ISA controls per IT service provider stays as it was in ISA 6; the catalog's change history now labels it a Supplier Statement of Applicability (Supplier SoA) for the first time. The real tightening is in 6.1.1: for high protection needs, supplier security evidence must now be documented and reviewed regularly and on changes - and for very high protection needs, a third-party audit or an adequate TISAX® label of the supplier is expected. Supplier management thus becomes one of the areas where preparation effort will visibly grow.

Prototype protection: rebuilt, not extended

The prototype protection module is the biggest structural change: the five sections of ISA 6 (8.1 to 8.5) are reorganized into two (8.1 organizational requirements, 8.2 physical and environmental security), controls are merged, and outdated content is removed. The absolute count drops from 22 to 20 controls. If your assessment scope includes prototype protection, your documentation structure will need remapping even where the underlying measures stay the same.

What stays calm: data protection

Chapter 9 (data protection) is untouched - all 12 controls are word-for-word identical to ISA 6. If your scope includes the data protection module, nothing changes there.

When does ISA 2027 apply?

The catalog itself does not contain a transition date - the binding switchover for TISAX® assessments is set by ENX®. For the predecessor ISA 6, roughly six months passed between catalog publication and mandatory use for new assessments. Until ENX® announces the date, current assessments continue to run on ISA 6.

Get notified when ISA 2027 takes effect:

What you should do now

  • No panic migration: ISA 6 remains the assessed catalog until ENX® sets the transition date.
  • Review the substantial chapters first: chapters 1, 2, 6 and 8 carry the real changes - crisis management, teleworking, supplier management and prototype protection.
  • Check the should-to-must promotions: requirements you previously treated as optional may now be mandatory.
  • Use the diff instead of working through the whole spreadsheet: the catalog comparison shows only what actually changed, classified by severity.

Valiido customers: the catalog update is our job

If your ISMS runs on Valiido, ISA 2027 is not your project - it is ours. We track the catalog, work the changes into the platform, and update the content for TISAX® in time for the switchover, so you do not have to read new catalogs, remap documentation or start a migration project. The Guide keeps walking you through every requirement for TISAX® and ISO® 27001 in its updated form, and AuditMagic checks your documentation against ISO® 27001, TISAX® and Valiido best practices - so a new catalog version becomes a short review, not a restart. See how Valiido prepares you for TISAX®.

Frequently Asked Questions

Is there a VDA® ISA 7.0?

No. The VDA® switched to year-based version names: the successor of ISA 6 is officially called ISA 2027, published on July 1, 2026. If you are looking for ISA 7.0, ISA 2027 is the catalog you mean.

What is the VDA® ISA 2027?

The VDA® ISA is the questionnaire that all TISAX® assessments are based on. ISA 2027 is the successor of ISA 6, published by the VDA® on July 1, 2026, with a new year-based naming scheme, updated requirements and mappings to ISO/IEC 27001:2022 and NIST CSF 2.0.

When does ISA 2027 become mandatory for TISAX® assessments?

The binding transition date is set by ENX® and was not yet announced at the time of writing. For ISA 6, roughly six months passed between publication and mandatory use for new assessments. Until then, assessments run on ISA 6.

How many controls does ISA 2027 have?

Information security keeps 46 controls (as in ISA 6), prototype protection drops from 22 to 20 controls in a fully restructured module, and data protection keeps its 12 controls unchanged.

What changes in prototype protection?

The module is completely restructured: five sections become two (organizational and physical security), controls are merged and outdated content removed. Companies with prototype protection in scope need to remap their documentation.

Do I have to rebuild my ISMS for ISA 2027?

No. The information security module keeps its structure and control count; most changes are clarifications, promotions from should to must, and targeted additions - concentrated in chapters 1, 2, 5, 6 and 8. A gap review against the changed controls is enough for a well-maintained ISMS - and Valiido customers get the catalog update done for them as part of the platform.

Conclusion

ISA 2027 is an evolution with teeth: the structure stays, but requirements get more binding, the supply chain gets more weight, and prototype protection is rebuilt. Companies that review the substantial chapters early will handle the transition as routine maintenance. If you are new to the process, read our guide to the TISAX® assessment.

See every change in the full catalog diff

Valiido is not affiliated with ISO®, TISAX®, ENX® or VDA®. These trademarks belong to their respective owners.

How we evaluated & sources

The analysis is based on an automated line-by-line comparison of the official English catalog versions ISA 6.0.3 and ISA 2027 (July 2026), covering the requirement fields of all controls in the information security, prototype protection and data protection modules. Every change was classified (substantial / major / minor) by whether requirement lines were added, removed or moved between must/should/protection-need levels; the full evidence is public in our catalog diff. Only the original catalogs by VDA®/ENX® are authoritative.

Your ISMS for ISO® 27001 and TISAX®

Valiido bundles everything you need - policies, 1-Click examples, 10+ modules, and a guided path - into a single platform with unlimited support.

Implement your ISMS yourself for a fraction of what a consulting project costs.

Pick a plan and start today.

  • Expert Pre-Audit Review included in Pro
  • Pay by credit card or SEPA - instant access
  • Unlimited support by email and chat

Related posts

Christopher Eller, founder of Valiido Christopher, Founder Questions? Message me.