TISAX® ISA2027 Explained

Learn what changes with TISAX® ISA2027, the new annual release cycle, and what automotive suppliers in the Americas should prepare for.

ISA2027 SERIES

Daniel McLain

7/9/20263 min read

TISAX® Turns 10: What ISA2027 Means for Automotive Suppliers in the Americas

Ten years ago, the first organizations registered for TISAX®. What started as an industry initiative to standardize information security across the automotive supply chain has grown into a globally recognized assessment framework.

Today, more than 21,000 locations have been assessed, resulting in well over 100,000 implemented security improvements across the automotive ecosystem.

At the same time, the framework continues to evolve.

The latest milestone is the publication of VDA ISA2027, introducing a new versioning approach, annual catalogue updates, stronger supply chain expectations, and several important clarifications for future TISAX® assessments.

For companies in the United States, Canada, and Mexico, the announcement is more than industry news. It provides an early look at where automotive information security is heading.

A New Versioning Model

Perhaps the most visible change is the new naming convention. Instead of sequential version numbers such as ISA 5 or ISA 6.0.3, future catalogues will use the year in which they become mandatory for newly ordered TISAX® assessments.

For example:

  • ISA2027 becomes mandatory for assessments ordered from January 1, 2027

  • ISA2028 will be published during 2027 and become effective in 2028

This creates a predictable annual release cycle that should make planning easier for participants, assessors, and customers alike.

Importantly, this does not change the validity of TISAX® labels. Labels will continue to remain valid for up to three years. Organizations will not suddenly need annual reassessments simply because a new catalogue is released.

Greater Focus on Clarity

ISA2027 is not about introducing dozens of new controls, instead, one of its primary objectives is improving clarity and consistency.

The catalogue has been reviewed to remove ambiguous wording, improve formatting, strengthen definitions, and provide more consistent interpretation for assessors and participating organizations.

One notable clarification concerns the phrase "The following aspects are considered."

Historically, organizations and assessors sometimes interpreted this wording differently. ISA2027 now makes it clear that every listed aspect should be consciously evaluated and that organizations should be able to explain their implementation decisions during an assessment.

While this may appear to be a minor editorial change, it should help create more consistent assessments across the industry.

Supply Chain Security Continues to Grow

One of the most significant themes throughout ISA2027 is supply chain security. Organizations handling information with higher protection needs will be expected to place greater emphasis on documenting, reviewing, and monitoring supplier compliance with security requirements.

For suppliers handling particularly sensitive information, additional assurance may be expected through a TISAX® label, an equivalent third-party assessment, or an appropriate supplier audit.

This reflects a reality already familiar to many automotive companies.

Information security no longer stops at organizational boundaries.

Every supplier, engineering partner, cloud provider, and service provider becomes part of the overall security posture.

Prototype Protection Receives Its Biggest Update

ISA2027 also introduces the largest restructuring of the Prototype Protection module since it was first introduced.

The previous five control groups have been simplified into two broader domains:

  • Organizational Requirements

  • Physical and Environmental Security

New expectations have also been added for lifecycle traceability and the disposal, recycling, or return of protected vehicles, components, and related tools according to customer requirements.

For organizations involved in prototype development or testing, these changes deserve early attention.

Why Companies in the Americas Should Care

Many suppliers in North America still associate TISAX® primarily with European OEMs - that perception is changing.

As global automotive supply chains become increasingly connected, information security expectations continue to expand across regions.

Even organizations that are not planning a TISAX® assessment in the immediate future can benefit from understanding the direction the framework is taking.

ISA2027 emphasizes clearer governance, stronger supplier oversight, improved consistency, and practical implementation rather than simply expanding the list of requirements.

Those themes align with broader developments across cybersecurity, risk management, and regulatory expectations worldwide.

Free TISAX® Tools Already Updated for ISA2027

To help organizations prepare for the upcoming changes, all free TISAX® tools available on tisaxusa.com have already been reviewed and updated to align with the new ISA2027 catalogue.

TISAX® Quick Start

TISAX® Readiness- Radar

TISAX® Express- GAP

This includes updates to the assessment logic, terminology, and guidance where applicable, allowing users to begin evaluating their readiness using the latest published requirements.

Whether you are just starting your TISAX® journey or preparing for a future assessment, you can use these tools at no cost to:

  • Understand where your organization currently stands

  • Identify potential gaps before an assessment

  • Better understand the expectations of ISA2027

  • Begin planning your transition with confidence

As TISAX® continues to evolve, the goal of tisaxusa.com remains the same: provide practical, plain-English guidance and free resources that help organizations in the Americas navigate TISAX® with confidence.

Key Takeaways

  • TISAX® has now reached its tenth anniversary and continues to evolve

  • More than 21,000 locations have been assessed worldwide

  • ISA2027 introduces a new year-based versioning system and predictable annual release cycle

  • Existing TISAX® labels remain valid for up to three years

  • Greater emphasis is placed on supply chain security, clarity, and consistent implementation

  • Prototype Protection receives its most significant restructuring to date

Final Thoughts

ISA2027 is less about reinventing TISAX® and more about refining it. After ten years of practical experience, the framework continues to mature alongside the automotive industry it supports.

For suppliers in the Americas, now is a good time to become familiar with these changes, especially if TISAX® requirements are already appearing in customer conversations or future business opportunities.

At tisaxusa.com, we'll continue breaking down ISA2027 into practical, plain-English guidance, helping organizations understand not just what changed, but what those changes mean in day-to-day operations.

Copyright © 2026 TISAX® USA - All Rights Reserved.