German vehicle manufacturers association (VDA) is rolling out a VDA ISA 6.0, new and optimised version of its Information Security Assessment (ISA). This change becomes effective on 1 April 2024 and will make audits to the related ENX audit and exchange mechanism - Trusted Information Security Assessment Exchange (TISAX®) simpler and more streamlined.
Across all industries, information and cybersecurity are taking on a new importance. This is especially true for the automotive industry where supply chain security and confidentiality around new models and components are of paramount importance. Vehicle manufacturers therefore require that suppliers must demonstrate compliance with information security requirements, particularly with regard to confidentiality and an appropriate level of resilience against disruptions, both in the cyber realm and physical security.
To address this, VDA and ENX representing auto manufacturers, suppliers and organizations from across Europe have collaborated to jointly develop a standard with adequate protective measures. Two significant outcomes of this collaboration are the industry standard for information security assessments, the VDA Information Security Assessment (VDA-ISA) Catalogue, and the ENX audit and exchange mechanism Trusted Information Security Assessment Exchange (ENX TISAX).
“The new VDA ISA 6.0 brings positive changes to TISAX assessments,” says DNV’s Alexey Komlev, ICT Global Technical Hub Manager, and adds, “The update will lead to greater efficiency and accuracy to the assessment process, benefiting both our customers and auditors. As an official TISAX audit provider, we look forward to creating a safer future together."
According to VDA the two standards also serve as a significant foundation in the industry for compliance with legal regulations, such as the NIS 2 regulation of the European Union and other EU directives, as well as their national implementations in EU member states.
VDA ISA 6.0 introduces a number of improvements, the main one being a more precise focus on Information Technology (IT) and Operational Technology (OT) and new TISAX labels to better protect trade secrets. New labels addressing the availability of products were introduced earlier in 2023 and the changes from April 1, 2024, relate to confidentiality.
The changes to the TISAX labels will see the old "Info High" and "Info Very High" labels making way for "Confidential" and "Strictly Confidential." This transition clarifies security requirements for production parts and infrastructure providers to safeguard trade secrets.
TISAX assessments ordered before April 1, 2024, will continue using the old "Info" objectives. After this date, they will transition automatically to the new "Confidential" and "Strictly Confidential" labels.