CX-0008 Relevant Standards for Conformity Assessments v1.1.0
ABSTRACT
This standard is relevant for all partners that want to operate within the Catena-X network. The document defines the internal (e.g. CX Guidelines) and external (e.g. ISO) standards that a partner needs to fulfil before he/she can offer solutions (services or business applications) in the context of Catena-X. Those standards have been derived from common incoterms in the automotive industry and present the minimal basis so that software can be used within an automotive industry enterprise.
FOR WHOM IS THE STANDARD DESIGNED
This section is non-normative
- Core Service Provider
- Business Application Provider
- Data Provider and Consumer
- Enablement Service Provider
- Onboarding Service Provider
COMPARISON WITH THE PREVIOUS VERSION OF THE STANDARD
This section is non-normative
The requirement for ISO 9001 certification, which was required in previous versions, meant a high effort for the affected companies and an improper focus for IT-oriented companies like e.g. IT outfitters. ISO 27001 and TISAX Infosec are considered suitable alternatives and therefore companies can now certify to ISO 27001 and/or TISAX Infosec and/or ISO 9001 alternatively. Furthermore, the certification period for a first certification is extended from 12 months to 24 months.
The Business Network Provider role has been replaced with the Onboarding Service Provider role.
1 INTRODUCTION
1.1 AUDIENCE & SCOPE
This section is non-normative
This document is relevant for all partners that want to operate within the Catena-X network. More specifically, this document is intended for the following roles
- Core Service Provider
- Business Application Provider
- Data Provider and Consumer
- Enablement Service Provider
- Onboarding Service Provider
1.2 CONTEXT
This section is non-normative
This document defines the internal (e.g. CX Guidelines) and external (e.g. ISO) standards that a partner needs to fulfil before he/she can offer solutions (services or business apps) in the context of Catena-X. Those standards have been derived from common incoterms in the automotive industry and present the minimal basis so that software can be used within an automotive industry enterprise.
Requesting certain standards from partners secures that all customers that use solutions (services or business apps) are guaranteed a certain level of professionality, security, and trust.
Conformity with the basic standards for the roles listed above is not optional. Without a successful conformity assessment, the onboarding process cannot be completed. It's important to mention, that additionally to the conformity assessment of the partner itself, the solutions will later in the process also need to demonstrate conformity with e.g. use-case specific standards. However, this is not covered here but in the standards for each use-case. This document only deals with the use-case agnostic standards on a partner level.
If you are unsure about your company's role or if you need a general introduction to conformity assessment within Catena-X, please read the Operating Whitepaper.
1.3 CONFORMANCE AND PROOF OF CONFORMITY
This section is non-normative
As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.
The key words MAY, MUST, MUST NOT, OPTIONAL, RECOMMENDED, REQUIRED, SHOULD and SHOULD NOT in this document document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
All participants and their solutions will need to prove, that they are conform with the Catena-X standards. To validate that the standards are applied correctly, Catena-X employs Conformity Assessment Bodies (CABs).
Depending on the role, the partner collects the self-assessments for internal and/or certificates for external standards and sends them to the responsible CAB. The responsible CABs can be found on the homepage of the association: www.catena-x.net.
The partner can finalize the onboarding only after successful verification of conformity.
2 RELEVANT STANDARDS FOR CONFORMITY ASSESSMENT
This section is normative
The following table lists the relevant internal and external standards per role and describes the necessary tasks to proof conformity with that standard. Details about each standard can be found on the homepage of the association: www.catena-x.net.
Note: Until further notice, partners will need to conduct an internal audit/self-assessment and validate that they fulfil the respective Catena-x internal standards. For Catena-X internal standards, a template for a self-assessment will be provided.
The CABs -- acting on behalf of the association -- can in specific cases allow deviation from the standards and still issue a certificate of conformity.
| ID | Obligation | Role | Standard Name |
|---|---|
| 01 | Mandatory | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service Provider | ISO 9001 – Quality Management Systems or ISO 27001 – Information Security (with regard to the scope of proposed services) or TISAX Level 1 |
| Description | |
| The respective roles must provide evidence that they are certified or in the process of being (re)certified to one of these standards at the time of the assessment. If they fail to achieve a (re-)certification within twelve/twenty-four months – starting from the date of an initial application for Catena-X Certification - , they will be offboarded from Catena-X immediately. The first certification period is twenty-four months, and the following certification periods are twelve months. |
| ID | Obligation | Role | Standard Name |
|---|---|
| 02 | Recommended | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service Provider | ISO27001 – Information Security or TISAX Level 1 or ISO 9001 - Quality Management Systems |
| Description | |
| The respective roles need to provide a proof that they – at the time of the assessment – are ISO27001 or TISAX Level 1 or ISO 9001 certified or are in the process of receiving a (re-)certification. If they fail to achieve a (re-)certification within twelve/twenty-four months – starting from the date of an initial application for Catena-X Certification - , they will be offboarded from Catena-X immediately. The first certification period is twenty-four months, and the following certification periods are twelve months. To meet this requirement, a second certification must be demonstrated in addition to the certification referenced in obligation 01. |
| ID | Obligation | Role | Standard Name |
|---|---|
| 03 | Recommended | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service Provider | ISO270018 – Information Security |
| Description | |
| The respective roles need to provide a proof that they – at the time of the assessment – are ISO27018 certified or are in the process of receiving a (re-)certification. If they fail to achieve a (re-)certification within twelve/twenty-four months – starting from the date of an initial application for Catena-X Certification - , they will be offboarded from Catena-X immediately. The first certification period is twenty-four months, and the following certification periods are twelve months. |
| ID | Obligation | Role | Standard Name |
|---|---|
| 04 | Recommended | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service Provider | ISO20000-1 – IT Service Management |
| Description | |
| The respective roles need to provide a proof that they – at the time of the assessment – are ISO20000-1 certified or are in the process of receiving a (re-)certification. If they fail to achieve a (re-)certification within twelve/twenty-four months – starting from the date of an initial application for Catena-X Certification - , they will be offboarded from Catena-X immediately. The first certification period is twenty-four months, and the following certification periods are twelve months. |
| ID | Obligation | Role | Standard Name |
|---|---|
| 05 | Recommended | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service Provider | ISO22301 – Business Continuity Management |
| Description | |
| The respective roles need to provide a proof that they – at the time of the assessment – are ISO22310 certified or are in the process of receiving a (re-)certification. If they fail to achieve a (re-)certification within twelve/twenty-four months – starting from the date of an initial application for Catena-X Certification - , they will be offboarded from Catena-X immediately. The first certification period is twenty-four months, and the following certification periods are twelve months. |
2.1 OUTLOOK
The following guidelines aren't published at the time of standard creation. As soon as they become available, there will be a transition period until the guidelines become mandatory.
| ID | Obligation | Role | Title |
|---|---|
| 06 | Mandatory | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service Provider | Catena-X internal guideline - Guideline Data Sovereignty. |
| Description | |
| Not available yet. The respective roles need to conduct an internal audit and provide a self-assessment, that they follow the Guideline Data Sovereignty. |
| ID | Obligation | Role | Title |
|---|---|
| 07 | Mandatory | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service Provider | Catena-X internal guideline - Leitlinie Informationssicherheit / Guideline Information Security |
| Description | |
| Not available yet. The respective roles need to conduct an internal audit and provide a self-assessment, that they follow the Leitlinie Informationssicherheit / Guideline Information Security. |
| ID | Obligation | Role | Title |
|---|---|
| 08 | Mandatory | Core Service Provider, Enablement Service Provider, Business Application Provider, Onboarding Service Provider | Catena-X internal guideline - Leitlinie Datenverarbeitung / Guideline Data Processing |
| Description | |
| Not available yet. The respective roles need to conduct an internal audit and provide a self-assessment, that they follow the Leitlinie Datenverarbeitung / Guideline Data Processing. |
REVISIONS & UPDATE
- v1.1.0 Added ISO 27001 and/or TISAX Level 1 as alternative to ISO 9001
Legal
Copyright © 2024 Catena-X Automotive Network e.V. All rights reserved. For more information, please visit here.