TISAX® Transition from VDA ISA 5 to VDA ISA 6.0.3: What Companies Need to Know
Learn what changes with TISAX® VDA ISA 6.0.3, why the transition is more than a document update, and how companies can prepare.
If your organization already holds a TISAX® label based on VDA ISA version 5, you may now be facing the transition to the latest version, VDA ISA 6.0.3.
At first glance, this may appear to be a routine update; in reality, many companies underestimate the effort involved.
The transition is not simply a matter of updating documents or changing version numbers. It introduces a stronger focus on governance, risk management, operational effectiveness, and evidence that security controls work consistently in practice.
For organizations in the Americas that support automotive customers, understanding these changes early can make the difference between a smooth transition and a stressful assessment cycle.
The Biggest Change: Risk-Based Thinking
One of the most noticeable shifts in VDA ISA 6.0.3 is the increased emphasis on risk-based thinking.
Organizations are expected to clearly demonstrate:
How risks are identified
How risks are evaluated
How treatment decisions are made
How those decisions are integrated into daily operations
How management remains involved in the process
This is an important distinction.
In previous years, some organizations focused heavily on implementing controls without maintaining a mature and repeatable risk management process.
Under VDA ISA 6.0.3, that approach becomes much harder to defend.
Risk management is no longer just a supporting activity. It is part of the foundation of the information security management system.
Maturity Matters More Than Ever
Another major change is the increased focus on maturity and consistency.
Many organizations still believe that if a policy exists, the requirement is satisfied.
That is not how TISAX® assessments work.
Assessors want to understand:
Is the process implemented?
Are employees following it?
Is management involved?
Is evidence available?
Is the process reviewed and improved?
In other words:
A document describes intent. Evidence demonstrates reality.
This becomes especially important for organizations pursuing higher assessment levels such as AL3, where assessors expect mature, consistently operating processes rather than isolated examples.
Supplier Security and External Dependencies
Supplier management has also become more important.
Automotive companies increasingly rely on:
Cloud providers
Managed service providers
Engineering partners
Contract manufacturers
External development teams
Specialized software vendors
Each of these relationships can introduce security risks.
Under VDA ISA 6.0.3, organizations are expected to actively manage these risks rather than simply relying on contractual language.
Assessors may want to see:
Supplier security evaluations
Defined security requirements
Periodic reviews
Risk assessments
Monitoring activities
Escalation procedures
For many companies, this requires a more structured supplier security program than they previously maintained.
Operational Technology Becomes More Important
For manufacturing organizations, operational technology, or OT, can become one of the most challenging aspects of the transition.
Historically, some controls were interpreted more loosely in industrial environments.
VDA ISA 6.0.3 places greater emphasis on:
Asset ownership
Network segmentation
Access control
Change management
Monitoring
Defined responsibilities
Evidence of implementation
Organizations that operate production lines, test equipment, or industrial control systems should pay close attention to how OT environments fit into their TISAX® scope.
Documentation Must Match Reality
Another area that often creates findings is documentation quality.
Generic policies copied from templates may look impressive on paper.
But if employees cannot explain the process, if responsibilities are unclear, or if evidence does not exist, assessors will quickly recognize the disconnect.
Under VDA ISA 6.0.3, organizations should ensure:
Policies reflect actual operations
Responsibilities are clearly assigned
Procedures are followed consistently
Evidence is retained
Processes are periodically reviewed
Good documentation supports operations; it does not replace them.
Practical Steps for a Successful Transition
If your organization is preparing for the transition, several activities deserve immediate attention.
1. Perform a Structured Gap Analysis
Compare your current implementation against VDA ISA 6.0.3.
Look beyond documentation and evaluate how processes are actually operating.
2. Review Risk Management
Do not only review the risk register.
Review:
Risk ownership
Risk acceptance processes
Management involvement
Treatment effectiveness
Operational integration
3. Validate Controls in Practice
Ask yourself: Can we prove our controls are working?
Focus particularly on:
Access management
Operations security
Logging and monitoring
Supplier management
Change management
Incident handling
4. Verify Scope Consistency
For organizations with multiple locations, consistency becomes critical.
Differences between sites often become areas of concern during assessments.
Review:
Shared processes
Evidence availability
Local responsibilities
Physical security
Risk treatment approaches
The Key Takeaway
The transition to VDA ISA 6.0.3 is less about adding completely new controls. It is more about demonstrating that your existing controls actually work.
Organizations that focus on governance, risk management, operational consistency, and evidence will generally be much better prepared than organizations that simply update documentation.
The companies that succeed are often not the ones with the most policies.
They are the ones that can show their security program is alive, understood, and operating every day.
Final Thoughts
The move from VDA ISA 5 to VDA ISA 6.0.3 should be viewed as an opportunity.
It is a chance to strengthen processes, improve operational maturity, and align security activities more closely with business objectives.
The earlier companies begin preparing, the more flexibility they will have in managing the transition.
TISAXUSA.com continues to provide practical guidance, videos, and tools to help companies in the Americas better understand TISAX® and prepare with confidence.
