VCS Audit – Vehicle cyber security in the automotive industry

Are you developing, manufacturing, or responsible for the long-term maintenance of VCS components that are integrated into a vehicle's cybersecurity architecture? If so, you need to demonstrate that you meet the contractually guaranteed requirements of ISA/SAE 21434 throughout the vehicle lifecycle.

As a participant in the VCS program, you can do this through appropriate audits that must be conducted every three years and for the duration of your contractual obligations. The VCS certification is applicable across all industries and defines requirements for your Cyber Security Management System (CSMS) across all relevant lifecycles of your VCS components. A prerequisite for the VCS audit is an Information Security Management System (ISMS) according to TISAX® and a Quality Management System (QMS).

Mutual recognition between all VCS participants

Suppliers and service providers gain more confidence in your audited company

VCS certification audit only every three years

Membership in the VCS network saves time and money

Beschreibung Standard/Regelwerk

Basic information on VCS audits

VCS is a common audit and exchange program for companies in the automotive industry. It is based on the Vehicle Cyber Security Audit (VCSA) questionnaire. VCS is an internationally standardized audit program and implements the essential aspects of the international standards ISO/SAE 21434 and ISO/PAS 5112 for Cyber Security Management Systems (CSMS).

Analog zuTISAX® besitzt auch VCS einen Austauschmechanismus für die Ergebnisse von ENX VCS Audits. VCS ist ein Prüfmechanismus der ENX Association. Ein Zusammenschluss europäischer Automobilhersteller, Automobilzulieferer und Automobilverbände, der die Qualität der VCS Audits überwacht und die Zulassung der VCS Prüfdienstleister steuert.

Under UN R 155, manufacturers of road vehicles are required to take responsibility for the cyber security of their vehicles. In this context, cyber security refers to the security and reliability of all IT-based components of a vehicle. Unlike purely electronic or physically controlled components, VCS components are software-driven. This allows a vehicle to dynamically adapt its driving behavior to the driver and the environment, to park itself, or to initiate emergency braking. By-wire solutions, which have long been used in aviation, enable new design solutions for passenger compartments, easier maneuvering in city centers thanks to higher steering angles at low speeds (steer-by-wire), or fully automatic parking brakes (brake-by-wire).

Similar toTISAX®, VCS has an exchange mechanism for the results of ENX VCS audits. VCS is an audit mechanism of the ENX Association. An association of European automotive manufacturers, automotive suppliers and automotive associations that monitors the quality of VCS audits and controls the approval of VCS audit service providers.

Show more
Show less

What are the benefits of a VCS audit for your company?

As a service provider or supplier of VCS components, you assume responsibility towards the manufacturers for certain activities that determine the cyber security of the components. With a VCS audit, you not only receive proof of conformity from DQS, but also proactively engage in risk management. Particularly regarding very long-term obligations, we can help you to ensure that your measures are adequate in the long term. In the past, these audits were mainly carried out by the manufacturers themselves. Registered participants in the VCS network can select an audit service provider and commission a VCS audit via a common online platform. The advantages for companies outweigh the disadvantages:

  • Duplicate and multiple audits by different clients can be avoided, saving time and money.
  • Cross-company recognition of audits for VCS participants
  • Reliable results thanks to the harmonized VCSA audit catalog, which ensures a consistent audit process.
  • Increased trust in your audited organization with one or more VCS labels called "VCS Development", "VCS Production" or "VCS Operations & Maintenance".

After a successful audit, you will receive your VCS labels on the VCS online platform. These labels are comparable to certificates and serve to confirm your capabilities as a VCS supplier.

Show more
Show less
Wie funktioniert

How does VCS work?

In VCS, participants can take on two different roles: the "Information Consumer" (passive), e.g. a manufacturer who wants to receive information about a supplier, and the "Information Contributor" (active), e.g. a VCS supplier or service provider who would like to be audited for suitability in order to receive orders from manufacturers.

A company can also take on both participant roles. Anyone wishing to participate in VCS as an Information Contributor must take the following four main steps:

1. Register online at

2. Select an ENX-approved audit service provider such as DQS

3. Undergo an ENX VCS audit

4. Exchange the audit results on the VCS online platform

If a company is interested in your VCS results, it can register with ENX as an "Information Consumer". You can decide for each Information Consumer whether you want to share your current VCS status with them.

Show more
Show less

How does a VCS audit work?

Before you start with the VCS audit, your company must define a clear scope. This includes determining which VCS activities your company is responsible for. If these are VCS development activities, you must fulfill the requirements of "VCS Development". If your company is responsible for the secure production and basic configuration of VCS components, you must fulfill the requirements of "VCS Production". If your company is responsible for the long-term operation and maintenance of VCS components, you must fulfill the requirements of "VCS Operations & Maintenance".

The central Cyber Security Management System will be audited at the site that primarily controls the CSMS. The effectiveness of the central CSMS is audited at the sites where the VCS activities of the CSMS are performed. Therefore, all locations where these distributed VCS activities take place are included in the scope of the audit. However, during the course of the audit, a sample of VCS projects is taken to determine which sites are actually included in the audit. In principle, all sites in question must have a validTISAX® label at the time of the audit.

As a VCS participant you must first register online. The scope ID will then be assigned by ENX. Please note that there are service fees associated with this registration process, which will be charged for each location within your scope.

During the introductory phase, registration for ENX VCS is free of charge.

  • In the first step, you select DQS as your approved audit provider.
  • In the second step, a kick-off meeting is held to orient all responsible parties to the expectations of the audit team.
  • In the third step, you perform a self-assessment of your central CSMS using the VCSA audit catalog and compile a package of documents referenced in the catalog that you make available to the audit team.
  • In the fourth step, the lead auditor conducts a review of all documents provided.
  • In the fifth step, your central CSMS is audited and assessed for compliance with the VCSA.
  • In the sixth step, a random sample of your VCS projects is selected based on risk criteria.
  • In the seventh step, the sampled VCS projects are audited to ensure that the CSMS requirements have been implemented. This is done by auditing the project team leaders and reviewing the work products required by ISO/SAE 21434.

The findings of the ENX VCS audit are recorded in an interim report. In case of non-conformities, measures to be implemented are agreed upon. If necessary, the implementation of the measures is determined within an agreed period. This procedure ensures that all nonconformities identified are addressed effectively and promptly.

Once the non-conformities have been closed, an effectiveness review is performed to validate the closure of the nonconformities and to assess the overall effectiveness of the corrective actions taken.

The final result will be published online in the ENX® portal. Your company will then be listed as a participant in the VCS process with the corresponding labels.


What does a VCS audit cost?

As a result, the exact number of audit days required for a VCS audit will vary from organization to organization. Even during the audit, additional audit days may become necessary. This in turn influences the scope of the audit and therefore the cost.

The total number of VCS projects determines the minimum sample size. This determines which project teams at which locations will be audited.


What you can expect from us

  • DQS is an approved audit service provider of the ENX Association
  • Value-adding insight into the information security of your organization
  • Accreditations for all relevant automotive standards
  • Experienced auditors and experts from the automotive and information security industries
  • More than 35 years of experience in the certification of management systems and processes
  • Personal, seamless support from our specialists - regionally, nationally and internationally
  • Customized offers with flexible contract terms and no hidden costs
contact-japan-dqs-a japanese woman with headset smiles at the camera

Request a quote

Your local point of contact

We will be happy to provide you with a customized offer for your ENX VCS audit.