VDA ISA Catalog: The Questionnaire

VDA ISA Version 6.x in detail: Chapters 1-9, question types, mandatory vs. optional requirements.

What Is the VDA ISA Catalog?

The VDA ISA (Information Security Assessment) is the official questionnaire underlying every TISAX assessment. It is published by the German Association of the Automotive Industry (VDA) and regularly updated. The current version 6.x comprises over 40 audit objectives across 9 chapters, supplemented by specific modules for prototype protection, data protection, and availability.

The ISA catalog is not a general security framework but an automotive-specific assessment instrument. It takes into account the particular requirements of the automotive industry: prototype protection, just-in-time supply chains, close supplier relationships, and the need to share information transparently via the ENX portal.

Chapters 1-9 in Detail

Chapter 1: IS Policies and Organization

Focus: Existence and quality of the information security policy. The catalog asks about management approval, regular reviews, communication to employees, and integration into the corporate strategy. Typical questions: "Does an IS policy exist that has been approved by management?", "Is the policy reviewed regularly (at least annually)?"

Chapter 2: Organizational Security

Focus: Organizational structure of information security. Questions cover the IS officer (CISO or equivalent), their involvement with management, segregation of duties, and handling of external parties (suppliers, service providers, cloud providers). The auditor expects a documented organizational chart with clearly defined security roles.

Chapter 3: Personnel Security

Focus: Security measures in human resources. The catalog distinguishes between pre-employment measures (background checks, confidentiality agreements), during employment (training, awareness programs, disciplinary measures), and post-employment (access rights revocation, return of work equipment, exit interviews). Demonstrable training programs are a mandatory requirement.

Chapter 4: Physical and Environmental Security

Focus: Protection of buildings, rooms, and facilities. This covers security zones (public, internal, restricted), access controls, visitor management, protection of server rooms and network infrastructure, clean desk policy, and handling of removable media. In AL3 assessments, this chapter is examined particularly intensively through the physical inspection.

Chapter 5: Identity and Access Management

Focus: Logical access control and cryptography. Questions cover authorization concepts (least-privilege principle), password policies, multi-factor authentication, privileged access management, regular access reviews, encryption standards, and key management. This area is technically demanding and requires detailed evidence of implemented controls.

Chapter 6: IT Security and Operations

Focus: Technical operation of IT infrastructure. Change management, patch management, malware protection, logging and monitoring, network segmentation, backup strategies, and vulnerability management are assessed. The auditor expects documented processes and evidence of their implementation — e.g., patch reports, scan results, and change logs.

Chapter 7: Detection and Response to Security Incidents

Focus: Incident management and response. The catalog asks about defined processes for detection, reporting, escalation, and remediation of security incidents. Lessons learned and continuous improvement of the incident management process are also evaluated. Evidence: incident response plan, escalation matrix, exercise protocols, incident reports.

Chapter 8: Business Continuity

Focus: Business continuity and disaster recovery. Business impact analyses, emergency plans, recovery procedures, RTO/RPO definitions, and regular emergency exercises are assessed. Since the introduction of the availability labels, this chapter has gained additional significance.

Chapter 9: Compliance and Data Protection

Focus: Adherence to legal and contractual requirements. GDPR compliance, license management, internal audits, and compliance with contractual security requirements are assessed. For data protection labels, additional modules cover data processing agreements, data subject rights, and data protection impact assessments.

New Modules in ISA 6.x

Version 6.x of the VDA ISA introduced significant enhancements over previous versions:

  • Extended Data Protection: Dedicated audit objectives for data processing and special categories of personal data that go beyond basic GDPR requirements.
  • Availability Modules: New labels "Availability high" and "Availability very high" with dedicated audit objectives for business continuity and disaster recovery.
  • Updated Cryptography Requirements: Alignment with current standards (TLS 1.2+, AES-256, SHA-256+).
  • Cloud Security: Extended requirements for cloud-based services and multi-tenant architectures.

Question Types: MUST vs. SHOULD

The VDA ISA distinguishes between two types of requirements:

MUST Requirements: These are mandatory. Every MUST requirement must achieve at least maturity level 3 for the assessment to pass. A maturity level below 3 on a MUST requirement results in a Major Non-Conformity, which requires remediation within 9 months.

SHOULD Requirements: These are recommended but not mandatory. A maturity level below 3 on a SHOULD requirement results in a Minor Non-Conformity, which is documented but does not block the assessment. However, if too many SHOULD requirements are not met, the auditor may question the overall maturity level.

Working Through the Catalog in Practice

The ISA catalog comprises over 40 audit objectives, each with multiple questions. A systematic approach is essential:

  • Define scope: Not all audit objectives are relevant for every label. Define your scope and work through only the relevant modules.
  • Assess current maturity level: Honestly evaluate the current maturity level for each audit objective. Overestimation will backfire during the audit.
  • Collect evidence: For each maturity level claim, gather supporting evidence — documents, screenshots, process descriptions, audit logs.
  • Identify gaps: Mark audit objectives with a maturity level below 3 as gaps and plan remediation measures.
  • Implement measures: Close gaps in priority order, MUST requirements first.
  • Re-assess: After implementing measures, re-evaluate the maturity level and update the evidence.
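As an added illustration (not code from this page or from Kopexa), the following Python models the MUST/SHOULD rule and the gap-analysis steps above on a constructed self-assessment. The objective IDs and titles are placeholders, not real ISA control numbers, and the flag for level-3+ claims without evidence is an added good-practice check, not an ISA rule.

```python
from dataclasses import dataclass, field

PASS_LEVEL = 3  # maturity level every audit objective is measured against


@dataclass
class AuditObjective:
    ident: str            # constructed placeholder id, not a real ISA control number
    title: str
    requirement: str      # "MUST" or "SHOULD"
    maturity: int         # self-assessed maturity level 0..5
    evidence: list = field(default_factory=list)
    owner: str = ""


def classify(obj):
    """Return None (no finding), 'major' (MUST below 3) or 'minor' (SHOULD below 3)."""
    if obj.maturity >= PASS_LEVEL:
        return None
    return "major" if obj.requirement == "MUST" else "minor"


def gap_analysis(objectives):
    """Build the prioritised gap list: MUST gaps first, lowest maturity first.
    Objectives claimed at level 3+ without any evidence are flagged separately
    (added check: an unsupported claim is what overestimation looks like in an audit)."""
    gaps, unsupported = [], []
    for obj in objectives:
        nc = classify(obj)
        if nc:
            gaps.append((obj, nc))
        elif not obj.evidence:
            unsupported.append(obj)
    gaps.sort(key=lambda g: (g[1] != "major", g[0].maturity, g[0].ident))
    majors = sum(1 for _, nc in gaps if nc == "major")
    return {
        "passes": majors == 0,                      # any major non-conformity blocks the assessment
        "major": majors,
        "minor": len(gaps) - majors,
        "remediation_order": [g[0].ident for g in gaps],
        "unsupported_claims": [o.ident for o in unsupported],
    }


# Constructed sample self-assessment (ids, titles and owners are placeholders).
SAMPLE = [
    AuditObjective("X.1", "IS policy approved by management", "MUST", 4, ["policy-v3.pdf"], "CISO"),
    AuditObjective("X.2", "Security awareness training", "MUST", 2, [], "HR"),
    AuditObjective("X.3", "Privileged access reviews", "MUST", 1, [], "IT"),
    AuditObjective("X.4", "Clean desk policy", "SHOULD", 2, [], "Facilities"),
    AuditObjective("X.5", "Patch management process", "MUST", 3, [], "IT"),  # level-3 claim, no evidence
]

if __name__ == "__main__":
    print(gap_analysis(SAMPLE))
```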

Maturity Documentation per Question

For each question in the ISA catalog, you must document: the current maturity level, the associated evidence, the responsible person, and any planned improvement measures. This documentation simultaneously serves as your audit preparation — the auditor works through the same catalog and verifies your assessments.

Kopexa has the ISA catalog preloaded: you do not need to manually transfer the catalog into Excel. In Kopexa, all audit objectives are already structured, supplemented by a controls catalog with concrete implementation guidance for each audit objective. You document maturity levels directly in the platform, upload evidence, and track your progress in real time. The complete TISAX Checklist shows you the entire process from scope to audit.

Stop working through the ISA catalog in Excel

Kopexa provides the VDA ISA questionnaire out of the box — with preloaded audit objectives, controls catalog, and templates. Save weeks of manual preparation and start your gap analysis right away.
