VCS Audit – Vehicle cyber security in the automotive industry
Mutual recognition between all VCS participants
Suppliers and service providers gain more confidence in your audited company
VCS certification audit only every three years
Membership in the VCS network saves time and money
Basic information on VCS audits
Under UN R 155, manufacturers of road vehicles are required to take responsibility for the cyber security of their vehicles. In this context, cyber security refers to the security and reliability of all IT-based components of a vehicle. Unlike purely electronic or physically controlled components, VCS components are software-driven. This allows a vehicle to dynamically adapt its driving behavior to the driver and the environment, to park itself, or to initiate emergency braking. By-wire solutions, which have long been used in aviation, enable new design solutions for passenger compartments, easier maneuvering in city centers thanks to higher steering angles at low speeds (steer-by-wire), or fully automatic parking brakes (brake-by-wire).
Similar toTISAX®, VCS has an exchange mechanism for the results of ENX VCS audits. VCS is an audit mechanism of the ENX Association. An association of European automotive manufacturers, automotive suppliers and automotive associations that monitors the quality of VCS audits and controls the approval of VCS audit service providers.
What are the benefits of a VCS audit for your company?
- Duplicate and multiple audits by different clients can be avoided, saving time and money.
- Cross-company recognition of audits for VCS participants
- Reliable results thanks to the harmonized VCSA audit catalog, which ensures a consistent audit process.
- Increased trust in your audited organization with one or more VCS labels called "VCS Development", "VCS Production" or "VCS Operations & Maintenance".
After a successful audit, you will receive your VCS labels on the VCS online platform. These labels are comparable to certificates and serve to confirm your capabilities as a VCS supplier.
How does VCS work?
1. Register online at www.enx.com/VCS
2. Select an ENX-approved audit service provider such as DQS
3. Undergo an ENX VCS audit
4. Exchange the audit results on the VCS online platform
If a company is interested in your VCS results, it can register with ENX as an "Information Consumer". You can decide for each Information Consumer whether you want to share your current VCS status with them.
How does a VCS audit work?
Before you start with the VCS audit, your company must define a clear scope. This includes determining which VCS activities your company is responsible for. If these are VCS development activities, you must fulfill the requirements of "VCS Development". If your company is responsible for the secure production and basic configuration of VCS components, you must fulfill the requirements of "VCS Production". If your company is responsible for the long-term operation and maintenance of VCS components, you must fulfill the requirements of "VCS Operations & Maintenance".
The central Cyber Security Management System will be audited at the site that primarily controls the CSMS. The effectiveness of the central CSMS is audited at the sites where the VCS activities of the CSMS are performed. Therefore, all locations where these distributed VCS activities take place are included in the scope of the audit. However, during the course of the audit, a sample of VCS projects is taken to determine which sites are actually included in the audit. In principle, all sites in question must have a validTISAX® label at the time of the audit.
- In the first step, you select DQS as your approved audit provider.
- In the second step, a kick-off meeting is held to orient all responsible parties to the expectations of the audit team.
- In the third step, you perform a self-assessment of your central CSMS using the VCSA audit catalog and compile a package of documents referenced in the catalog that you make available to the audit team.
- In the fourth step, the lead auditor conducts a review of all documents provided.
- In the fifth step, your central CSMS is audited and assessed for compliance with the VCSA.
- In the sixth step, a random sample of your VCS projects is selected based on risk criteria.
- In the seventh step, the sampled VCS projects are audited to ensure that the CSMS requirements have been implemented. This is done by auditing the project team leaders and reviewing the work products required by ISO/SAE 21434.
The findings of the ENX VCS audit are recorded in an interim report. In case of non-conformities, measures to be implemented are agreed upon. If necessary, the implementation of the measures is determined within an agreed period. This procedure ensures that all nonconformities identified are addressed effectively and promptly.
Once the non-conformities have been closed, an effectiveness review is performed to validate the closure of the nonconformities and to assess the overall effectiveness of the corrective actions taken.
The final result will be published online in the ENX® portal. Your company will then be listed as a participant in the VCS process with the corresponding labels.