Manage Cybersecurity Competencies and Culture: with the ACP Framework

ISO/SAE 21434 and UN Regulation No. 155 face the automotive industry with a variety of challenges in embedding cybersecurity within the organization, the projects, and the roles and functions involved. This includes holistic competence management, the establishment of a cybersecurity culture and evidence obligations. The Automotive Cyber-Security Professional (ACP) Framework establishes the industry standard to meet these challenges.
ACP Framework

Why is a cybersecurity competence framework needed in the automotive industry?

Clarity of the requirements, harmonization of the terminology and standardization of all the relevant disciplines involved:

  • ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering
  • and UN Regulation No. 155

stand for the ambition of a consistent standardization in the field of automotive cybersecurity. This also affects the levels of cybersecurity competence and cybersecurity culture.

A major challenge here is not only developing the necessary skills and awareness (e.g., through training), but also providing the corresponding, reliable evidence of these skills.

For instance, ISO/SAE 21434 specifically points out that the evidence of a practiced competence management becomes as necessary as the evidence of the continuous establishment of a cybersecurity culture. Organizations are obliged to meet these documentation requirements with a framework that is applicable throughout the organization and well established in the industry, such as the ACP Framework of the CYRES Academy.

For the role

At the level of individual roles, it must be ensured that individuals involved in cybersecurity matters within the organization have the associated competencies and awareness of cybersecurity to adequately fulfill their responsibilities.

For the project

At the project level, it shall be guaranteed that the awareness as well as the required competencies around cybersecurity are given along the necessities of the project. This includes not only providing resources and expertise, but also creating awareness.

For the organization

The organization is not only responsible for defining and applying the cybersecurity policy and the associated organization-specific rules: it must also ensure that the cybersecurity culture is fostered and maintained, and provide documentary evidence of this.

The path to the official ACP certificate

How does the certification procedure work? Due to increased demand, the certification process will soon be extended by an institutionalized procedure with an external certification partner. Updated information on the current process will be published here.

The current process as outlined:

  • Fulfilling the prerequisites: Along the defined ACP framework levels (Foundation, Advanced and Expert) the respective prerequisites have to be fulfilled in order to be admitted to the respective exam.
  • Identification: The identification of the examinee (via ID/camera) is required to take the exam.
  • Performance of the test: The test questions must be answered within the specified time period. An appropriate percentage of correct answers is to be achieved, the test result is indicated in the certificate.
  • Issuance of certificates: upon passing the test, the respective certificates are issued and made available (digital/analog) to the certificate holders.
  • Security checks: Additional security features are used to prove the uniqueness of the certificates issued.
  • Organizational: The fees for the examination are to be paid along the certification regulations (on request), issued certificates are only valid for a limited period of time.

The dates for the examination are scheduled regularly and at short intervals. We will publish the upcoming exam dates on our websites, if required, please contact us directly about it.

ACP Framework
ACP Framework

Organization-specific custom content (training and ACP framework)

Holistic cybersecurity competence management means that, in addition to standardized state-of-the-art technical knowledge, organization-specific cybersecurity application know-how (such as policies, regulations, processes, etc.) must also be included to the required extent. Thus, in the trainings of the CYRES Academy, the adaptation and enhancement of the learning curriculums is easily possible. The Automotive Cybersecurity Professional Framework also offers the possibility for customer-specific adjustments at all certification levels.

Automotive Cybersecurity Professional Framework by CYRES

Cybersecurity certification tailored to roles and functions

From OEM to Tier-N supplier, all involved actors in the automotive value chain have touch points with cybersecurity. Every single role along the entire product lifecycle has specific cybersecurity competency and awareness requirements to meet. The organization has an obligation not only to develop this (e.g., in the form of training), but also to provide the evidence required.

The ACP Framework provides the holistic competency management framework for this:

  • ACP Level 1 Foundation: This level is the basis for cybersecurity in the automotive industry. It is aimed at everyone with interfaces to cybersecurity activities.
  • ACP Level 2 Advanced: This level is more in-depth for employees who are directly involved in cybersecurity issues or are required to cooperate accordingly.
  • ACP Level 3 Expert: This level (divided into engineering and management) is for employees with broad and deep cybersecurity responsibilities. (Relevant work experience is part of the prerequisites).

Detailed information on the certification regulations will be available here shortly, in advance only on request.


automotive specialists trained in ACP trainings

The Automotive Cybersecurity Professional training courses of the CYRES Academy in Munich stand for field-proven cybersecurity courses – designed with more than 70 experts from the automotive industry. Whether as on-site training or virtual live training (1 day / 4 days): In Q1/2021, 200+ participants have already gone through the training programs.

More than

exams taken / certificates issued

In parallel to the delivery of trainings, CYRES Academy realizes along the ACP examination and certification regulations also the related taking of examinations as well as the organization of issuing the certificates. With additional security measures, all exams can be performed without any difficulties even in the current remote-first situation.

How do I book a training for the ACP Framework?

In addition to certification within the ACP Framework, the CYRES Academy also offers its own automotive cybersecurity trainings, as public trainings as well as organization-specific variants. More information can be found at CYRES Academy.

How do I get an ACP Framework certificate?

Depending on the certification level along the ACP Framework (Foundation, Advanced and Expert), certain requirements have to be met, such as participation in the corresponding training, passing the exam or professional experience (Expert level).

What is the ACP Framework?

The Automotive Cybersecurity Professional Framework establishes an industry standard to meet (along ISO/SAE 21434, UN R155 and beyond) the evidence requirement for organization-wide automotive cybersecurity competence management.

How can I get started with the ACP framework?

At the training and certification level, you will find all the information you need on these pages. You want to actively support the further development and establishment of the ACP Framework? Become part of the ACP Framework Initiative. For more information, see below.

The CYRES Academy Virtual Live Training is a solid basis to continue with the learning path up to the Automotive Cybersecurity Professional Expert Level.
Sven SchranProduct Security Officer at Robert Bosch (🇩🇪)
The ISO/SAE 21434 standard explicitly indicates that the automotive industry is in need of a cross-organizational cybersecurity competence framework.
Egon ZankHead of Academy at CYRES Consulting (🇩🇪)

A holistic, organization-wide framework for building cybersecurity competencies and culture: Learn more about the ACP Framework now. Contact us.

    Be part of the ACP Framework Initiative!

    In the ACP Framework Initiative, relevant players in the automotive industry (from OEMs to Tier-N suppliers as well as other suppliers along the value chain) are committed to establishing a standardized competence management and certification framework in the field of automotive cybersecurity.

    The work of the ACP Framework Initiative is intended to promote the practice-oriented further development and long-term implementation of the Automotive Cybersecurity Professional (ACP) Framework in the automotive industry.

    Acceptance as a partner of the initiative, continuous exchange of experience, participation in the advisory board as well as special benefits for partners of the ACP Framework Initiative: Request your information material on the partnership agreement now. We are pleased about your interest.

    Phone: +49 (0) 89 9542 808 00

    E-Mail: academy (at)