Advantages of ENX VCS
1:1 implementation of ISO 21434 and ISO/PAS 5112
The good news first: anyone who has been following ISO 21434 and ISO/PAS 5112 for automotive cybersecurity is already on the right track. The requirements of the two standards are, mathematically speaking, a proper subset of the VCS specifications. This means that all the requirements of the two ISO standards can be found 1:1 in ENX VCS Vehicle Cyber Security.
Unlike the ISO audits, however, ENX VCS establishes a procedure model that makes audits comparable. To ensure comparable processes globally across all audit providers, ENX also published specific "Audit Provider Criteria & Assessment Requirements" (ACAR VCS 1.0) and a binding VCSA audit catalog 1.0 at the launch of the program. These include, among other things:
- The organizational audit of the CSMS regulations (primarily document and process audits),
- The creation of a risk-oriented sample of projects that deal with the cyber security of components,
- The review of this project sample to check whether the CSMS regulations are consistently applied in VCS projects. This includes, for example, interviews with members of the engineering team and a review of their work results.
Standardized competencies
ACAR also defines globally standardized competence requirements and role descriptions for auditors and experts:
- VCS Lead Auditor
- VCS Expert
The knowledge of a VCS expert must always be represented in the VCS audit team. During the interview phase, the expert leads the conversation with the engineering teams so that the activities and work results can be assessed professionally.
Role-oriented auditing
In the tradition of TISAX®, ENX VCS also accounts for the various roles that suppliers can play in providing cyber security-relevant components, using a new system of VCS labels. In this way, a supplier only has to meet those requirements of the VCSA assessment catalog that are appropriate to its respective role:
- VCS Development
- VCS Production
- VCS Operations & Maintenance
Comparable efforts
The ENX VCS labels are valid for three years and do not require surveillance audits. In contrast, audits in accordance with ISO/SAE 21434 require a (re-)certification audit over three years and two annual surveillance audits with corresponding travel expenses.
Agility
In contrast to the ISO standard, ENX VCS also promises greater agility when adapting to new requirements. The ACAR regulations are usually subject to a mandatory revision once a year, which must be implemented by all VCS audit providers.