ENX VCS FREQUENTLY ASKED QUESTIONS

General

What is the difference between VCS audit and CSMS audit?

There is no difference between ENX VCS audit and a CSMS audit. The ENX Vehicle Cyber Security Audit (ENX VCS) is a standardized certification for the suppliers of the automotive industry in accordance with the ISO/SAE 21434. ENX VCS allows automotive suppliers to provide standardized proof of an implemented cybersecurity management system (CSMS) in accordance with the ISO/SAE 21434 standard. Also, the ENX Association provides governance by managing the ENX VCS audit providers, maintaining the audit provider criteria catalogue, monitoring the quality of the audits and providing exchange mechanisms for the audit results.

Is the VCS audit expected or planned to become a mandatory standard for suppliers in the future?

ENX aims to provide standardized schemes for the benefit of the automotive industry. Similar to TISAX, the ENX VCS audit is not mandatory. However, an ENX VCS certification indicates that your organization has a CSMS that delivers a consistent, continuous and high level of cybersecurity performance in its products or solutions over the vehicle lifecycle. In due course, we expect it to become the best practice for auditing the CSMS of automotive suppliers in the industry.

What is the difference between ENX VCS audit and ISO/PAS 5112?

ISO/PAS 5112 provides guidelines on planning and conducting management system audits. ENX VCS has implemented the guidelines of ISO/PAS 5112 and created a standardized third-party management system audit scheme aimed at automotive vehicle suppliers. A mapping of the ENX VCS Audit Criteria Catalogue to the Annex Questionnaire of ISO/PAS 5112 can be found here.

What are the benefits of ENX VCS?

Benefits of ENX VCS for Automotive Suppliers:

  • ENX VCS offers a standardized mechanism for demonstrating compliance with the cybersecurity standard ISO/SAE 21434.
  • It reduces costs and efforts associated with redundant audits and various proprietary certification schemes.
  • It aims to relieve OEMs from the need to create and maintain a list of acceptable assurances.
  • ENX provides governance through managing an approved pool of audit providers and monitoring audit quality.

What are the prerequisites for participating in ENX VCS audits?

The participant must hold valid TISAX labels for all locations in the VCS audit scope at the time the audit is performed. If your organization does not yet participate in TISAX, please register for TISAX first.

Registration

What information do I need to provide during registration?

Assuming your company is registered in TISAX and holds valid TISAX labels, you need to follow the steps described in the ENX VCS Registration Guide.

How much does the ENX VCS Registration cost?

During the ongoing introduction phase, registration for ENX VCS is free of charge.

What is the ENX VCS scope?

The ENX VCS scope includes every part of your company that is directly or indirectly involved in activities relevant to the security of the Protection Objects. The Protection Objects are the items or components of your business partner, consisting of assets with cybersecurity properties (confidentiality, integrity and availability). During registration you provide the information needed for your company to be audited. A well-defined VCS audit scope gives the audit provider the information required to calculate costs and send a suitable offer for this ENX VCS scope.

What is the process to add locations to a VCS scope?

An ENX VCS scope can include as many locations as needed (every ENX VCS scope must have at least one location), as long as all locations are:

  • performing cybersecurity activities for the V-CSMS.
  • relevant to the selected VCS audit objectives.
  • at least part of a TISAX scope (it has TISAX labels or is going to have them).

Audit

What are the documents that form the basis of the VCS audit?

Please refer to the ENX VCS audit criteria catalogue ENX_VCSA_1_0_EN.xlsx. This document is a questionnaire of control questions and requirements against which the CSMS of your organization is audited.

Where do I find the ENX VCS Audit Criteria Catalogue?

The VCS Audit Criteria Catalogue can be downloaded in English from the Download page of the ENX VCS website.

What is an ENX VCS Audit Objective?

The audit objective is determined by the type of cybersecurity activities your organization's CSMS performs to help build secure road vehicle products for the automotive industry. The ENX VCS Audit Objectives have been defined to accommodate different supplier profiles. The ENX VCS audit objectives (VCS Development, VCS Production, and VCS Operations and Maintenance) together cover the entire vehicle lifecycle.

Audit objectives and their descriptions:

  • VCS Development: Concept phase, product development phase, integration, verification and validation.
  • VCS Production: Production phase, including injection of (SecOC) keys, secure booting of microcontrollers, flashing of TLS certificates, etc.
  • VCS Operations and Maintenance: Monitoring information; event and weakness analysis; vulnerability management; incident response; cybersecurity-relevant updates and end-of-life activities (reliable deletion of keys and certificates during scrapping).

However, not all lifecycle phases apply to every supplier. Depending on the applicable lifecycle phases, suppliers therefore select the relevant Audit Objectives for their ENX VCS scope.

Depending on the selected Audit Objectives, the relevant chapters, control questions and requirements of the ENX VCS Audit Criteria Catalogue apply, as shown below.

What is a VCS label?

The VCS label is part of the VCS report. It states what has been successfully assessed by the audit provider. You start with the "audit objectives", and if you pass the audit you receive the corresponding "ENX VCS labels".

What is a temporary VCS label?

If your overall audit result is "minor non-conform", you receive temporary VCS labels. The benefit of temporary VCS labels is that your partner generally accepts them under the condition that you later receive permanent VCS labels. This may help you if proving the effectiveness of your CSMS to your partner is urgent. The prerequisite for temporary VCS labels is a corrective action plan audit report with the overall audit result "minor non-conform". Regarding the validity period, temporary VCS labels:

  • expire nine months after the closing meeting of the initial audit.
  • are valid until all non-conformities are resolved (this is established in the follow-up audit and documented in the follow-up audit report).
  • can't be renewed.

Please note: the "corrective action plan audit" is optional. You can proceed straight to the follow-up audit if you:

  • don't need temporary VCS labels, and
  • are confident that you can implement any corrective actions without getting your plan approved by your audit provider.

Once you've completed all corrective actions, you should request the “follow-up audit”.

What are the steps needed to participate and finally pass the ENX VCS Audit?

Please go through the ENX VCS Registration Guide. It covers all the steps, starting with the registration process, continuing through the audit process, and ending with the publication of the audit results and the provision of proof of your organization's CSMS capability to your business partner.

What are the different phases of the Initial audit?

The initial audit consists of three phases:

  1. Organizational check - Determines whether the CSMS complies with the requirements corresponding to the selected ENX VCS audit objectives and whether the CSMS is applied across all cybersecurity-relevant Protection Objects and across all locations/business units listed in the VCS scope.
  2. Determine Protection Object samples - Based on the information from the organizational check, an appropriate number of Protection Objects is sampled. The purpose of the sample checks is to verify the effective implementation of the CSMS across the Protection Objects of the entire VCS scope.
  3. Perform Protection Object sample check - For every sampled Protection Object, it is verified that the CSMS processes are applied consistently over its lifecycle. During this check, any deviations between the expectations established in the organizational check and the actual implementation for the Protection Object are identified. These deviations are reported as findings against the relevant control question in the ENX VCS audit criteria catalogue.

Exchange

What is the Exchange?

VCS enables you to exchange your audit results with other participants; the ENX Portal provides the necessary functions for this. Exchanging audit results is an integral part of VCS: you have your CSMS assessed only once, and can then share the audit results with as many business partners as you like.

What does publication of an audit mean?

You can share your audit result with all other ENX VCS participants by publishing it within ENX VCS. Doing so allows all other VCS participants to access your audit result up to the shared level. The sharing levels for publishing your audit result on the exchange platform are limited to these options:

  • Do not share
  • Sharing level "A: audit-related information" (without VCS labels)
  • Sharing level "A: audit-related information" + VCS labels
  • Sharing level "A: audit-related information" + VCS labels + "B: audit summary"

These selectable options are based on the VCS report structure.

Who can access my audit results?

Your ENX VCS audit provider will upload the first two sections (A and B) of your VCS report. At this stage, the information is not visible to anyone except you. You can use the account created during the registration to access the ENX VCS Portal and share the results with other participants.

You retain complete control of all audit results at all times. Other participants can only access your audit results after you have created a publication or sharing permission on the ENX Portal. You can share your audit result with all other VCS participants by publishing it within VCS; doing so allows all other VCS participants to access your audit result up to the shared level. In addition, you can share it selectively with particular VCS participants at a higher sharing level.

What does sharing of an audit mean?

To share your audit results with your business partners, you need their Participant-ID. If you have not yet received your business partner's Participant-ID, please contact them. The selectable sharing options are based on the ENX VCS report structure.

What is the difference between a publication and sharing of an audit?

A publication of an audit result makes it visible (up to the chosen sharing level) to the entire VCS community: all VCS participants can see the published audit result. A sharing permission, on the other hand, makes the audit result selectively visible to one particular VCS participant. You can create both a publication and a sharing permission for the same scope. For example, you can publish a scope with sharing level "A: audit-related information" (without VCS labels) for the entire VCS community and additionally create a sharing permission for a specific participant with a higher sharing level.