There is no difference between ENX VCS audit and a CSMS audit. The ENX Vehicle Cyber Security Audit (ENX VCS) is a standardized certification for the suppliers of the automotive industry in accordance with the ISO/SAE 21434. ENX VCS allows automotive suppliers to provide standardized proof of an implemented cybersecurity management system (CSMS) in accordance with the ISO/SAE 21434 standard. Also, the ENX Association provides governance by managing the ENX VCS audit providers, maintaining the audit provider criteria catalogue, monitoring the quality of the audits and providing exchange mechanisms for the audit results.
ENX aims to provide standardised schemes for the benefit of the automotive industry. Similar to TISAX, the ENX VCS audit is not mandatory. However, an ENX VCS certification indicates that your organization has a CSMS that delivers a consistent, continuous and high level of cybersecurity performance in its products or solutions over the vehicle lifecycle. In due course, we expect it to become a best practice for auditing the CSMS of automotive suppliers in the industry.
ISO/PAS 5112 provides guidelines on planning and conducting management system audits. ENX VCS has implemented the guidelines of the ISO/PAS 5112 and created a standardised third-party management system audit scheme aimed at automotive vehicle suppliers. A mapping of the ENX VCS Audit Criteria Catalogue with the Annexe Questionnaire of the ISO/PAS 5112 can be found here.
Benefits of ENX VCS for Automotive Suppliers:
The participant should have valid TISAX labels for all locations in the VCS audit scope at the time of performing the audit. If your organization does not have TISAX, please register for TISAX.
Assuming your company is registered in TISAX and has valid TISAX labels, you need to follow the steps described in the ENX VCS Registration Guide.
During the ongoing introduction phase, registration for ENX VCS is free of charge.
The ENX VCS scope includes every part of your company that is directly or indirectly involved in activities relevant to the security of the protection objects. The protection objects are your business partner's items or components, consisting of assets with cybersecurity properties (confidentiality, integrity and availability). In the following pages you are going to provide the necessary information for your company to be audited. A well-defined VCS audit scope provides the audit provider with the information to perform cost calculations and send a suitable offer for this ENX VCS scope.
An ENX VCS scope can include as many locations as needed (every ENX VCS scope must have at least one location), so long as all locations are:
Please refer to the ENX VCS audit criteria catalogue ENX_VCSA_1_0_EN.xlsx. This document is a questionnaire of control questions and requirements against which the CSMS of your organization is audited.
The VCS Audit Criteria Catalogue can be downloaded in English from the Download page of the ENX VCS website.
The audit objective is determined by the type of cybersecurity activities your organization's CSMS performs to help build secure road vehicle products for the automotive industry. The ENX VCS Audit Objectives have been defined to accommodate different supplier profiles. The three ENX VCS audit objectives (VCS Development, VCS Production, and VCS Operations and Maintenance) together encompass the entire vehicle lifecycle.
| Audit Objectives | Description |
|---|---|
| VCS Development | Concept phase, product development phase, integration, verification and validation. |
| VCS Production | Production phase incl. injection of (SecOC) keys, secure booting of microcontrollers, flashing of TLS certificates etc. |
| VCS Operations and Maintenance | Monitoring information; event and weakness analysis; vulnerability management; incident response; cybersecurity-relevant updates and end-of-life activities (reliable deletion of keys and certificates during scrapping). |
However, not all lifecycle phases apply to all suppliers. Hence, depending on the applicable lifecycle phases, suppliers can select the relevant Audit Objectives for their ENX VCS scope.
Depending on the selected Audit Objectives, the relevant chapters, control questions and requirements from the ENX VCS Audit Criteria Catalogue apply as shown below.
The VCS Label is part of the VCS report. It labels what has been successfully assessed by the audit provider. You start with the "audit objectives" and if you pass the audit you receive the corresponding "ENX VCS labels".
If your overall audit result is “minor non-conform”, you receive temporary VCS labels. The benefit of temporary VCS labels is that your partner generally accepts them under the condition that you later receive permanent VCS labels. This may help you if proving the effectiveness of your CSMS to your partner is urgent. The prerequisite for temporary VCS labels is a corrective action plan audit report with the overall audit result “minor non-conform”. Regarding the validity period, temporary VCS labels:
Once you've completed all corrective actions, you should request the “follow-up audit”.
Please go through the ENX VCS Registration Guide. It covers all the steps, starting from the registration process, continuing through the audit process and ending with publishing the audit results and providing proof to your business partner of your organization's CSMS capability.
The initial audit consists of three phases, namely:
VCS enables you to exchange your audit results with other participants; the ENX Portal provides the necessary functions for this. Exchanging audit results is an integral part of VCS. You have your CSMS assessed only once, but you can share your audit results with as many business partners as you like.
You can share your audit result with all other ENX VCS participants by publishing it within ENX VCS. Doing so allows all other VCS participants to access your audit result up to the shared level. The sharing levels for publishing your audit result on the exchange platform are limited to these options:
Your ENX VCS audit provider will upload the first two sections (A and B) of your VCS report. At this stage, the information is not visible to anyone except you. You can use the account created during the registration to access the ENX VCS Portal and share the results with other participants.
You retain complete control of all audit results at any time. Other participants can only access your audit results after you have created a publication or sharing permission on the ENX Portal. You can share your audit result with all other VCS participants by publishing it within VCS. Doing so allows all other VCS participants to access your audit result up to the shared level. In addition, you can share it selectively with particular VCS participants at a higher sharing level.
In order to share your audit results with your business partners you will need their Participant-ID. If you have not received your business partner's Participant-ID yet, please contact them. These selectable sharing options are based on the ENX VCS report structure.
A publication of an audit result makes the audit result visible (depending on the sharing level) to the entire VCS community: all VCS participants can see the published audit result. A sharing permission, on the other hand, makes the given audit result selectively visible to a particular VCS participant. You can create both a publication and a sharing permission for the same scope. For example, you publish a scope with sharing level "A: audit-related information" (without VCS labels) for the entire VCS community and create a sharing permission selectively for a specific participant with a higher sharing level.