VCS Audit – Vehicle cyber security in the automotive industry

Are you developing, manufacturing, or responsible for the long-term maintenance of VCS components that are integrated into a vehicle's cybersecurity architecture? If so, you need to demonstrate that you meet the contractually guaranteed requirements of ISA/SAE 21434 throughout the vehicle lifecycle.

As a participant in the VCS program, you can do this through appropriate audits that must be conducted every three years and for the duration of your contractual obligations. The VCS certification is applicable across all industries and defines requirements for your Cyber Security Management System (CSMS) across all relevant lifecycles of your VCS components. A prerequisite for the VCS audit is an Information Security Management System (ISMS) according to TISAX® and a Quality Management System (QMS).

  • Mutual recognition between all VCS participants
  • Suppliers and service providers gain more confidence in your audited company.
  • VCS certification audit only every three years
  • Membership in the VCS network saves time and money.

 

VCS is a common audit and exchange program for companies in the automotive industry. It is based on the Vehicle Cyber Security Audit (VCSA) questionnaire. VCS is an internationally standardized audit program and implements the essential aspects of the international standards ISO/SAE 21434 and ISO/PAS 5112 for Cy­ber Security Ma­nage­ment Sys­te­ms (CSMS).

Under UN R 155, manufacturers of road vehicles are required to take responsibility for the cybersecurity of their vehicles. In this context, cyber security refers to the security and reliability of all IT-based components of a vehicle. Unlike purely electronic or physically controlled components, VCS components are software-driven. This allows a vehicle to dynamically adapt its driving behavior to the driver and the environment, to park itself, or to initiate emergency braking. By-wire solutions, which have long been used in aviation, enable new design solutions for passenger compartments, easier maneuvering in city centers thanks to higher steering angles at low speeds (steer-by-wire), or fully automatic parking brakes (brake-by-wire).

The cyber security architecture of road vehicles is based on the effective interaction of many VCS components, which together implement the vehicle's functionalities and often come from external suppliers. With VCS, manufacturers can obtain proof from their suppliers that the VCS components can be designed, produced, and maintained securely over the long term under the effective rules of a CSMS. Even 10 years from now, it should still be possible for a contract supplier to provide an update to its components to address a new safety issue that has arisen. Our VCS audits are designed to verify this commitment.

Similar to TISAX®, VCS has an exchange mechanism for the results of ENX VCS audits. VCS is an audit mechanism of the ENX Association. An association of European automotive manufacturers, automotive suppliers and automotive associations that monitors the quality of VCS audits and controls the approval of VCS audit service providers.

 

What are the benefits of a VCS audit for your company?

As a service provider or supplier of VCS components, you assume responsibility towards the manufacturers for certain activities that determine the cyber security of the components. With a VCS audit, you not only receive proof of conformity from DQS, but also proactively engage in risk management. Particularly regarding very long-term obligations, we can help you to ensure that your measures are adequate in the long term. In the past, these audits were mainly carried out by the manufacturers themselves. Registered participants in the VCS network can select an audit service provider and commission a VCS audit via a common online platform. The advantages for companies outweigh the disadvantages:

  • Duplicate and multiple audits by different clients can be avoided, saving time and money.
  • Cross-company recognition of audits for VCS participants
  • Reliable results thanks to the harmonized VCSA audit catalog, which ensures a consistent audit process.
  • Increased trust in your audited organization with one or more VCS labels called "VCS Development", "VCS Production" or "VCS Operations & Maintenance".

 

After a successful audit, you will receive your VCS labels on the VCS online platform. These labels are comparable to certificates and serve to confirm your capabilities as a VCS supplier.

 

How does VCS work?

In VCS, participants can take on two different roles: the "Information Consumer" (passive), e.g. a manufacturer who wants to receive information about a supplier, and the "Information Contributor" (active), e.g. a VCS supplier or service provider who would like  to be audited for suitability in order to receive orders from manufacturers.

 

A company can also take on both participant roles. Anyone wishing to participate in VCS as an Information Contributor must take the following four main steps:

1. Register online at www.enx.com/VCS

2. Select an ENX-approved audit service provider such as DQS

3. Undergo an ENX VCS audit

4. Exchange the audit results on the VCS online platform

 

If a company is interested in your VCS results, it can register with ENX as an "Information Consumer". You can decide for each Information Consumer whether you want to share your current VCS status with them.

 

How does a VCS audit work?

Definition of the scope

Before you start with the VCS audit, your company must define a clear scope. This includes determining which VCS activities your company is responsible for. If these are VCS development activities, you must fulfill the requirements of "VCS Development". If your company is responsible for the secure production and basic configuration of VCS components, you must fulfill the requirements of "VCS Production". If your company is responsible for the long-term operation and maintenance of VCS components, you must fulfill the requirements of "VCS Operations & Maintenance".

The central Cyber Security Management System will be audited at the site that primarily controls the CSMS. The effectiveness of the central CSMS is audited at the sites where the VCS activities of the CSMS are performed. Therefore, all locations where these distributed VCS activities take place are included in the scope of the audit. However, during the course of the audit, a sample of VCS projects is taken to determine which sites are actually included in the audit. In principle, all sites in question must have a valid TISAX® label at the time of the audit.

 

Online registration as a VCS participant

As a VCS participant you must first register online. The scope ID will then be assigned by ENX. Please note that there are service fees associated with this registration process, which will be charged for each location within your scope.

During the introductory phase, registration for ENX VCS is free of charge.

 

Audit in seven steps

 

In the first step, you select DQS as your approved audit provider.

In the second step, a kick-off meeting is held to orient all responsible parties to the expectations of the audit team.

In the third step, you perform a self-assessment of your central CSMS using the VCSA audit catalog and compile a package of documents referenced in the catalog that you make available to the audit team.

In the fourth step, the lead auditor conducts a review of all documents provided.

In the fifth step, your central CSMS is audited and assessed for compliance with the VCSA.

In the sixth step, a random sample of your VCS projects is selected based on risk criteria.

In the seventh step, the sampled VCS projects are audited to ensure that the CSMS requirements have been implemented. This is done by auditing the project team leaders and reviewing the work products required by ISO/SAE 21434.

 

Interim report and, if necessary, definition of measures

The findings of the ENX VCS audit are recorded in an interim report. In case of non-conformities, measures to be implemented are agreed upon. If necessary, the implementation of the measures is determined within an agreed period. This procedure ensures that all nonconformities identified are addressed effectively and promptly.

Closing non-conformities

 

Once the non-conformities have been closed, an effectiveness review is performed to validate the closure of the nonconformities and to assess the overall effectiveness of the corrective actions taken.

 

Posting the final report

The final result will be published online in the ENX® portal. Your company will then be listed as a participant in the VCS process with the corresponding labels.

 

What does a VCS audit cost?

This in turn influences the scope of the audit and therefore the cost..As a result, the exact number of audit days required for a VCS audit will vary from organization to organization. Even during the audit, additional audit days may become necessary. This in turn influences the scope of the audit and therefore the cost.

The total number of VCS projects determines the minimum sample size. This determines which project teams at which locations will be audited.

 

What you can expect from us

  • DQS is an approved audit service provider of the ENX Association
  • Value-adding insight into the information security of your organization
  • Accreditations for all relevant automotive standards
  • Experienced auditors and experts from the automotive and information security industries
  • More than 35 years of experience in the certification of management systems and processes
  • Personal, seamless support from our specialists - regionally, nationally and internationally

Customized offers with flexible contract terms and no hidden costs

Mostrar más
Mostrar menos

Mutual recognition between all VCS participants

Suppliers and service providers gain more confidence in your audited company

VCS certification audit only every three years

Membership in the VCS network saves time and money

Beschreibung Standard/Regelwerk
Loading...

Basic information on VCS audits

VCS is a common audit and exchange program for companies in the automotive industry. It is based on the Vehicle Cyber Security Audit (VCSA) questionnaire. VCS is an internationally standardized audit program and implements the essential aspects of the international standards ISO/SAE 21434 and ISO/PAS 5112 for Cyber Security Management Systems (CSMS).

Under UN R 155, manufacturers of road vehicles are required to take responsibility for the cyber security of their vehicles. In this context, cyber security refers to the security and reliability of all IT-based components of a vehicle. Unlike purely electronic or physically controlled components, VCS components are software-driven. This allows a vehicle to dynamically adapt its driving behavior to the driver and the environment, to park itself, or to initiate emergency braking. By-wire solutions, which have long been used in aviation, enable new design solutions for passenger compartments, easier maneuvering in city centers thanks to higher steering angles at low speeds (steer-by-wire), or fully automatic parking brakes (brake-by-wire).

Similar to TISAX®, VCS has an exchange mechanism for the results of ENX VCS audits. VCS is an audit mechanism of the ENX Association. An association of European automotive manufacturers, automotive suppliers and automotive associations that monitors the quality of VCS audits and controls the approval of VCS audit service providers. 

Mostrar más
Mostrar menos
Mehrwert
Loading...

What are the benefits of a VCS audit for your company?

As a service provider or supplier of VCS components, you assume responsibility towards the manufacturers for certain activities that determine the cyber security of the components. With a VCS audit, you not only receive proof of conformity from DQS, but also proactively engage in risk management. Particularly regarding very long-term obligations, we can help you to ensure that your measures are adequate in the long term. In the past, these audits were mainly carried out by the manufacturers themselves. Registered participants in the VCS network can select an audit service provider and commission a VCS audit via a common online platform. The advantages for companies outweigh the disadvantages:

  • Duplicate and multiple audits by different clients can be avoided, saving time and money.
  • Cross-company recognition of audits for VCS participants
  • Reliable results thanks to the harmonized VCSA audit catalog, which ensures a consistent audit process.
  • Increased trust in your audited organization with one or more VCS labels called "VCS Development", "VCS Production" or "VCS Operations & Maintenance".

After a successful audit, you will receive your VCS labels on the VCS online platform. These labels are comparable to certificates and serve to confirm your capabilities as a VCS supplier.

Mostrar más
Mostrar menos
Wie funktioniert
Loading...

How does VCS work?

In VCS, participants can take on two different roles: the "Information Consumer" (passive), e.g. a manufacturer who wants to receive information about a supplier, and the "Information Contributor" (active), e.g. a VCS supplier or service provider who would like to be audited for suitability in order to receive orders from manufacturers.

A company can also take on both participant roles. Anyone wishing to participate in VCS as an Information Contributor must take the following four main steps:

1. Register online at www.enx.com/VCS

2. Select an ENX-approved audit service provider such as DQS

3. Undergo an ENX VCS audit

4. Exchange the audit results on the VCS online platform 

If a company is interested in your VCS results, it can register with ENX as an "Information Consumer". You can decide for each Information Consumer whether you want to share your current VCS status with them.

Mostrar más
Mostrar menos
Business28.png
Loading...

How does a VCS audit work?

Before you start with the VCS audit, your company must define a clear scope. This includes determining which VCS activities your company is responsible for. If these are VCS development activities, you must fulfill the requirements of "VCS Development". If your company is responsible for the secure production and basic configuration of VCS components, you must fulfill the requirements of "VCS Production". If your company is responsible for the long-term operation and maintenance of VCS components, you must fulfill the requirements of "VCS Operations & Maintenance".

The central Cyber Security Management System will be audited at the site that primarily controls the CSMS. The effectiveness of the central CSMS is audited at the sites where the VCS activities of the CSMS are performed. Therefore, all locations where these distributed VCS activities take place are included in the scope of the audit. However, during the course of the audit, a sample of VCS projects is taken to determine which sites are actually included in the audit. In principle, all sites in question must have a valid TISAX® label at the time of the audit.

  • In the first step, you select DQS as your approved audit provider.
  • In the second step, a kick-off meeting is held to orient all responsible parties to the expectations of the audit team. 
  • In the third step, you perform a self-assessment of your central CSMS using the VCSA audit catalog and compile a package of documents referenced in the catalog that you make available to the audit team.
  • In the fourth step, the lead auditor conducts a review of all documents provided.
  • In the fifth step, your central CSMS is audited and assessed for compliance with the VCSA.
  • In the sixth step, a random sample of your VCS projects is selected based on risk criteria.
  • In the seventh step, the sampled VCS projects are audited to ensure that the CSMS requirements have been implemented. This is done by auditing the project team leaders and reviewing the work products required by ISO/SAE 21434.

The findings of the ENX VCS audit are recorded in an interim report. In case of non-conformities, measures to be implemented are agreed upon. If necessary, the implementation of the measures is determined within an agreed period. This procedure ensures that all nonconformities identified are addressed effectively and promptly.

Once the non-conformities have been closed, an effectiveness review is performed to validate the closure of the nonconformities and to assess the overall effectiveness of the corrective actions taken.

The final result will be published online in the ENX® portal. Your company will then be listed as a participant in the VCS process with the corresponding labels.

Banking13.png
Loading...

What does a VCS audit cost?

As a result, the exact number of audit days required for a VCS audit will vary from organization to organization. Even during the audit, additional audit days may become necessary. This in turn influences the scope of the audit and therefore the cost. 

The total number of VCS projects determines the minimum sample size. This determines which project teams at which locations will be audited.

Business2.png
Loading...

What you can expect from us

  • DQS is an approved audit service provider of the ENX Association
  • Value-adding insight into the information security of your organization
  • Accreditations for all relevant automotive standards
  • Experienced auditors and experts from the automotive and information security industries
  • More than 35 years of experience in the certification of management systems and processes
  • Personal, seamless support from our specialists - regionally, nationally and internationally
  • Customized offers with flexible contract terms and no hidden costs
contact-japan-dqs-a japanese woman with headset smiles at the camera
Loading...

Request a quote

Your local point of contact

We will be happy to provide you with a customized offer for your ENX VCS audit.