TISAX® Requirements Explained: Understanding VDA ISA 6.0.3
Understand how VDA ISA 6.0.3 is structured, including the 9 core chapters and how TISAX® objectives like Prototype and Data Protection are applied.
Stop Thinking in “Three Areas”
You will often hear that TISAX® is structured into three areas:
Information Security
Prototype Protection
Data Protection
That statement is not wrong, but it is incomplete.
If you build your project on that understanding alone, you will run into problems later.
The Actual Structure of VDA ISA 6.0.3
The ISA catalogue is built on two distinct layers:
The 9 core chapters
The TISAX® assessment objectives (modules)
Understanding how these interact is critical.
Layer 1: The 9 Core Chapters (Your Baseline Framework)
These chapters define the full scope of information security requirements.
They include:
IS Policies and Organization
Organizational Security
Personnel Security
Physical and Environmental Security
Identity and Access Management
Network Security
Application Security
Data Security
Operational Security
This is the foundation of every TISAX® assessment.
Each chapter contains controls, and each control is evaluated against a maturity model (levels 0 to 5, with level 3 as the usual target).
This is where your ISMS is actually assessed.
Layer 2: The Objectives (How the Framework Is Applied)
On top of the 9 chapters, TISAX® introduces assessment objectives, often referred to as modules:
Information Security
Prototype Protection
Data Protection
These are not separate control sets.
They are context layers applied to the same underlying framework.
What That Means in Practice
Information Security
This is the baseline objective.
It applies the 9 chapters to evaluate your overall information security maturity.
Every TISAX® assessment includes this objective.
Prototype Protection
This objective increases the depth and strictness of selected controls.
It introduces additional expectations, especially in:
Physical security
Access restrictions
Handling of sensitive development assets
This is highly relevant for R&D environments, testing facilities, and any organization handling pre-series vehicles, components, or confidential vehicle data.
Data Protection
This objective focuses on privacy and personal data handling.
It extends the same control framework with requirements related to:
Legal compliance
Processing of personal data
Data subject protection
For many organizations, this aligns closely with regulatory frameworks such as GDPR.
Why This Distinction Matters
The most common misunderstanding is this:
Companies think they are choosing between these three areas.
They are not.
You always implement the 9 chapters.
The objectives define:
Which controls are emphasized
How strict the expectations are
What evidence is required
This directly impacts:
Scope definition
Audit complexity
Effort and cost
The Role of Self-Assessment
Before any audit begins, organizations must assess themselves against the ISA controls.
This includes:
Evaluating maturity levels
Identifying gaps
Aligning controls with selected objectives
This step is not optional.
It is where the real preparation happens.
Where Most Projects Break Down
Not in documentation, and not in tooling, but in misunderstanding how the ISA is structured.
Typical issues include:
Treating objectives as separate frameworks
Ignoring how modules change control expectations
Underestimating the impact of Prototype Protection
Overlooking location-specific implications (a TISAX® assessment scope is tied to physical locations, so every site in scope must meet the selected objectives)
Once these mistakes are made, they are difficult to correct without rework.
Final Thought
The ISA catalogue is not just a checklist.
It is a layered framework.
The 9 chapters define what is assessed.
The objectives define how it is assessed.
Once you understand that, TISAX® stops being abstract and becomes operational.
