
Cybersecurity in the automotive industry: VDA ISA 6.0 as the new basic standard
In an increasingly digital and interconnected industrial sector, information security is no longer a competitive differentiator but a fundamental condition for operating. In this context, VDA ISA 6.0, the basis of the TISAX assessment questionnaire, has established itself as the main benchmark for organizations that need to demonstrate their ability to protect sensitive data, guarantee operational continuity and withstand complex cyber threats.
What is the VDA ISA 6.0?
The VDA ISA (Information Security Assessment) is a structured set of requirements developed by the Association of the German Automotive Industry (VDA). This set makes it possible to assess information security in companies in the sector. It is implemented through the TISAX (Trusted Information Security Assessment Exchange) scheme, which is internationally recognized in the sector.
Version 6.0, in force since April 2024, is not a simple revision but a strategic adaptation of the standard: it aligns the requirements with international frameworks such as ISO/IEC 27001:2022 and the NIST Cybersecurity Framework 1.1, giving them greater robustness and relevance.
VDA ISA 6.0 structure and approach
VDA ISA 6.0 maintains a modular structure, facilitating assessments adapted to the type of organization and its role in the supply chain. The main modules include:
- General Information Security
- Prototype Protection
- Personal Data Protection
- Security in Connectivity with Third Parties
- Operational Technology (OT) Security
Each module contains controls grouped by objective and classified according to the level of protection required (such as confidential, highly confidential, or critical availability). This allows assessments to be proportionate to the real impact of a security breach.
A standard oriented towards operational reality
One of the great strengths of this standard is its practical orientation. Unlike other theoretical frameworks, VDA ISA 6.0 is not a simple checklist, but rather concrete guidance for organizations to implement verifiable measures. Some of the key points include:
- Risk assessment customized according to the type of information and process
- Secure management of software installed on client systems
- Formal incident and crisis response procedures
- Business continuity and operational resilience testing
In addition, the inclusion of OT (operational technology) environments as an integral part of the security management system recognizes the importance of environments such as interconnected factories, SCADA systems and industrial robotics, which were not previously a priority in IT security policies.
What does it mean for companies?
For organizations that operate or intend to operate in the European automotive supply chain, complying with VDA ISA 6.0 is not just a contractual requirement, but a guarantee of organizational robustness. Implementing this standard correctly involves:
- Developing or updating an Information Security Management System (ISMS) in line with the requirements of the standard
- Documenting practices, training teams and automating key controls
- Passing a TISAX-accredited audit and maintaining a continuous cycle of improvement
In our experience as a specialist consultancy, the implementation process is not just about complying with standards. It represents an opportunity to strengthen internal structures, identify hidden risks and demonstrate reliability to strategic clients.
Excellence in TISAX compliance: a strategic partner for your organization
At Ariol Consulting, we don’t just interpret the standard, we live it with you. As specialists in information security consulting and auditing, we accompany companies in the automotive sector through all stages of the TISAX process, from the initial diagnosis to passing the final audit.
Our experience enables us to translate the requirements of VDA ISA 6.0 into clear, efficient actions adapted to your operational reality, whether you are a technology start-up, an engineering company or an industry with complex OT environments.
