Skip to main content
Release: 24.03 (deprecated)

CX-0008 Relevant standards for conformity assessments v1.1.0

ABSTRACT

This standard is relevant for all partners that want to operate within the Catena-X network. The document defines the internal (e.g. CX Guidelines) and external (e.g. ISO) standards that a partner needs to fulfil before he/she can offer solutions (services or business applications) in the context of Catena-X. Those standards have been derived from common incoterms in the automotive industry and present the minimal basis so that software can be used within an automotive industry enterprise.

FOR WHOM IS THE STANDARD DESIGNED

This section is non-normative

  • Core Service Provider
  • Business Application Provider
  • Data Provider and Consumer
  • Enablement Service Provider
  • Onboarding Service Provider

COMPARISON WITH THE PREVIOUS VERSION OF THE STANDARD

This section is non-normative

The requirement for ISO 9001 certification, which was required in previous versions, meant a high effort for the affected companies and an improper focus for IT-oriented companies like e.g. IT outfitters. ISO 27001 and TISAX Infosec are considered suitable alternatives and therefore companies can now certify to ISO 27001 and/or TISAX Infosec and/or ISO 9001 alternatively. Furthermore, the certification period for a first certification is extended from 12 months to 24 months.

The Business Network Provider role has been replaced with the Onboarding Service Provider role.

1 INTRODUCTION

1.1 AUDIENCE & SCOPE

This section is non-normative

This document is relevant for all partners that want to operate within the Catena-X network. More specifically, this document is intended for the following roles

  • Core Service Provider
  • Business Application Provider
  • Data Provider and Consumer
  • Enablement Service Provider
  • Onboarding Service Provider

1.2 CONTEXT

This section is non-normative

This document defines the internal (e.g. CX Guidelines) and external (e.g. ISO) standards that a partner needs to fulfil before he/she can offer solutions (services or business apps) in the context of Catena-X. Those standards have been derived from common incoterms in the automotive industry and present the minimal basis so that software can be used within an automotive industry enterprise.

Requesting certain standards from partners secures that all customers that use solutions (services or business apps) are guaranteed a certain level of professionality, security, and trust.

Conformity with the basic standards for the roles listed above is not optional. Without a successful conformity assessment, the onboarding process cannot be completed. It's important to mention, that additionally to the conformity assessment of the partner itself, the solutions will later in the process also need to demonstrate conformity with e.g. use-case specific standards. However, this is not covered here but in the standards for each use-case. This document only deals with the use-case agnostic standards on a partner level.

If you are unsure about your company's role or if you need a general introduction to conformity assessment within Catena-X, please read the Operating Whitepaper.

1.3 CONFORMANCE AND PROOF OF CONFORMITY

This section is non-normative

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY, MUST, MUST NOT, OPTIONAL, RECOMMENDED, REQUIRED, SHOULD and SHOULD NOT in this document document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

All participants and their solutions will need to prove, that they are conform with the Catena-X standards. To validate that the standards are applied correctly, Catena-X employs Conformity Assessment Bodies (CABs).

Depending on the role, the partner collects the self-assessments for internal and/or certificates for external standards and sends them to the responsible CAB. The responsible CABs can be found on the homepage of the association: www.catena-x.net.

The partner can finalize the onboarding only after successful verification of conformity.

2 RELEVANT STANDARDS FOR CONFORMITY ASSESSMENT

This section is normative

The following table lists the relevant internal and external standards per role and describes the necessary tasks to proof conformity with that standard. Details about each standard can be found on the homepage of the association: www.catena-x.net.

Note: Until further notice, partners will need to conduct an internal audit/self-assessment and validate that they fulfil the respective Catena-x internal standards. For Catena-X internal standards, a template for a self-assessment will be provided.

The CABs -- acting on behalf of the association -- can in specific cases allow deviation from the standards and still issue a certificate of conformity.

ID | Obligation | RoleStandard Name
01 | Mandatory | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service ProviderISO 9001 – Quality Management Systems or ISO 27001 – Information Security (with regard to the scope of proposed services) or TISAX Level 1
Description
The respective roles must provide evidence that they are certified or in the process of being (re)certified to one of these standards at the time of the assessment. If they fail to achieve a (re-)certification within twelve/twenty-four months – starting from the date of an initial application for Catena-X Certification - , they will be offboarded from Catena-X immediately. The first certification period is twenty-four months, and the following certification periods are twelve months.
ID | Obligation | RoleStandard Name
02 | Recommended | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service ProviderISO27001 – Information Security or TISAX Level 1 or ISO 9001 - Quality Management Systems
Description
The respective roles need to provide a proof that they – at the time of the assessment – are ISO27001 or TISAX Level 1 or ISO 9001 certified or are in the process of receiving a (re-)certification. If they fail to achieve a (re-)certification within twelve/twenty-four months – starting from the date of an initial application for Catena-X Certification - , they will be offboarded from Catena-X immediately. The first certification period is twenty-four months, and the following certification periods are twelve months. To meet this requirement, a second certification must be demonstrated in addition to the certification referenced in obligation 01.
ID | Obligation | RoleStandard Name
03 | Recommended | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service ProviderISO270018 – Information Security
Description
The respective roles need to provide a proof that they – at the time of the assessment – are ISO27018 certified or are in the process of receiving a (re-)certification. If they fail to achieve a (re-)certification within twelve/twenty-four months – starting from the date of an initial application for Catena-X Certification - , they will be offboarded from Catena-X immediately. The first certification period is twenty-four months, and the following certification periods are twelve months.
ID | Obligation | RoleStandard Name
04 | Recommended | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service ProviderISO20000-1 – IT Service Management
Description
The respective roles need to provide a proof that they – at the time of the assessment – are ISO20000-1 certified or are in the process of receiving a (re-)certification. If they fail to achieve a (re-)certification within twelve/twenty-four months – starting from the date of an initial application for Catena-X Certification - , they will be offboarded from Catena-X immediately. The first certification period is twenty-four months, and the following certification periods are twelve months.
ID | Obligation | RoleStandard Name
05 | Recommended | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service ProviderISO22301 – Business Continuity Management
Description
The respective roles need to provide a proof that they – at the time of the assessment – are ISO22310 certified or are in the process of receiving a (re-)certification. If they fail to achieve a (re-)certification within twelve/twenty-four months – starting from the date of an initial application for Catena-X Certification - , they will be offboarded from Catena-X immediately. The first certification period is twenty-four months, and the following certification periods are twelve months.

2.1 OUTLOOK

The following guidelines aren't published at the time of standard creation. As soon as they become available, there will be a transition period until the guidelines become mandatory.

ID | Obligation | RoleTitle
06 | Mandatory | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service ProviderCatena-X internal guideline - Guideline Data Sovereignty.
Description
Not available yet. The respective roles need to conduct an internal audit and provide a self-assessment, that they follow the Guideline Data Sovereignty.
ID | Obligation | RoleTitle
07 | Mandatory | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service ProviderCatena-X internal guideline - Leitlinie Informationssicherheit / Guideline Information Security
Description
Not available yet. The respective roles need to conduct an internal audit and provide a self-assessment, that they follow the Leitlinie Informationssicherheit / Guideline Information Security.
ID | Obligation | RoleTitle
08 | Mandatory | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service ProviderCatena-X internal guideline - Leitlinie Datenverarbeitung / Guideline Data Processing
Description
Not available yet. The respective roles need to conduct an internal audit and provide a self-assessment, that they follow the Leitlinie Datenverarbeitung / Guideline Data Processing.

REVISIONS & UPDATE

  • v1.1.0 Added ISO 27001 and/or TISAX Level 1 as alternative to ISO 9001

Copyright © 2024 Catena-X Automotive Network e.V. All rights reserved. For more information, please visit here.