With ISO/SAE 21434 Road Vehicles – Cybersecurity engineering, OEMs and Tier-N suppliers face the (type approval-relevant!) challenge of integrating cybersecurity principles into their supply chains and the entire automobile lifecycle. Be prepared for the new standard: learn more about the ISO/SAE 21434 Gap Analysis.
How does the ISO/SAE 21434 Gap Analysis work? Learn about why it is so important to check the overall organization, the development projects and the engineering at an early stage with regard to the maturity of the type approval.
Manuel Sandler, Partner at CYRES Consulting, presents the method and the detailed procedure of the ISO/SAE 21434 Gap Analysis in our info webinar.
Watch the video recording, now online on our new CYRES Academy Online Learn Platform.
What does ISO/SAE 21434 imply for you in detail?
ISO/SAE 21434 is an abstract standard. It concerns the entire automobile ecosystem. The corresponding UNECE regulations, which are legally binding in many parts of the world, increase the urgency of working in compliance with the standard.
The most significant questions at the moment, therefore, are:
- Is what you are currently doing already sufficient to comply with ISO/SAE 21434?
- Would your current measures also be considered to be adequate to withstand a future audit of compliance with ISO/SAE 21434?
- Where are any gaps and what needs to be done differently?
Without the necessary quality perspective through the lens of regulatory requirements, cybersecurity measures may be a waste of time and money. Use the ISO/SAE 21434 Gap Analysis as an “independent snapshot”. You receive an assessment, which provides essential guidance for your organization, before it goes on to the official audits and assessments, in accordance with ISO/SAE 21434, ISO PAS 5112 and UNECE Reg. No. 155 (developed by UNECE WP.29 GRVA).
Of course, the cybersecurity needs of your core product are of central importance. Nevertheless, they can no longer be considered selectively or in isolation from the entire ecosystem.
A look at your project
What about development-project-specific processes and the implementation of cybersecurity-relevant requirements at all levels involved? A systematic look is crucial here.
At the organizational level
ISO/SAE 21434, in conjunction with UN R155, stands for enforcing cybersecurity at the organizational level. A further focus is compliance with the Cyber Security Management System (CSMS).
How do you benefit from ISO/SAE 21434 Gap Analysis by CYRES Consulting?
ISO/SAE 21434 affects the entire organization, development projects and, of course, all processes around the product. With our ISO/SAE 21434 gap analysis you can set a focus specific to your organization. (Please also note our defined modules, see below.)
Are there specific OEM requirements that need to be reviewed? Is a development project already up and running, so that possible corrections need to be identified? Or do you want to examine the organization as a whole, or only partial aspects of it? Depending on your needs, we can cover different topics and scopes of ISO/SAE 21434.
- Identification of possible flaws and gaps
- Initiation of first approaches and concrete steps towards solutions, related to your initial situation
- Readiness for the upcoming official audits and assessments (according to ISO/SAE 21434, ISO PAS 5112, UNECE Reg. No. 155 etc.)
Organizational Cybersecurity Management
The organization is the starting point and the center of all cybersecurity efforts. At the organization level, a number of aspects come together that need to be properly addressed in the various cybersecurity fields of action. In our ISO/SAE 21434 gap analysis, the following eight modules are subjected to a review at the organizational level and recommendations for action are provided.
- O.1 Cybersecurity policy and processes: Definition and roll-out of cybersecurity policy and processes as part of the company structure
- O.2 Cybersecurity roles, resources and communication: Identification of globally needed roles and resources to establish cybersecurity in an organization; making cybersecurity a relevant part of the company’s communication channels
- O.3 Cybersecurity culture and competence management: Establishing cybersecurity as part of the daily work; ensuring and demonstrating appropriate competences based on individual roles
- O.4 Cybersecurity tool management: Providing reliable evidence that no weaknesses or vulnerabilities are introduced into the system through the tool chain used
- O.5 Cybersecurity monitoring and event assessment: Continuous collection and observation of cybersecurity-relevant information as well as its evaluation for the company’s products
- O.6 Cybersecurity incident response (PSIRT): Definition and establishment of processes, methods and ways of working to handle cybersecurity incidents in the field
- O.7 SW update management system (SUMS acc. to UN R156): Definition and establishment of processes, methods and ways of working to handle SW updates over the air
- O.8 Type approval assessment: Assessing compliance with the type approval requirements of UN R155 and evaluation of processes
Project Cybersecurity Management
At the level of any development project, cybersecurity must be holistically integrated into all phases and involved functions of the project. The ISO/SAE 21434 gap analysis uses six modules to assess whether the application of ISO/SAE 21434 is sufficiently covered at project level:
- Establishing cybersecurity as a full part of the project team and project documentation
- Definition, planning, allocation and follow-up of cybersecurity activities, incl. creation of the cybersecurity plan and schedule
- Evaluation of supplier capabilities, specification and negotiation of interface agreements as well as monitoring of joint cybersecurity activities between the two parties
- Definition and evaluation of cybersecurity arguments and evidence (incl. assessments)
- Definition and preparation of cybersecurity activities from start of production until decommissioning
- Approach to ensure verification and validation of the product’s cybersecurity
At the operational level of engineering processes, ISO/SAE 21434 requires specific measures and process steps around cybersecurity. In six modules, the ISO/SAE 21434 gap analysis assesses the compliance of the product and the product lifecycle: from the concept phase through the cybersecurity goals to the validation of the product.
- Cybersecurity stakeholder analysis, identification and elaboration of stakeholder requirements as well as collection of known cybersecurity information
- Identification of technical cybersecurity risks and derivation of strategies to mitigate them
- Derivation of cybersecurity requirements and integration of cybersecurity aspects into system, SW and HW architectural designs
- Integration of COTS components and establishing cybersecurity rules and needs for implementation
- Creation of cybersecurity-related test specifications and evaluation of test results
- Identification and mitigation of vulnerabilities at system, software and hardware level
Cross comparison: 10 years of ISO 26262 Road Vehicles – Functional Safety
About ten years ago, ISO 26262, as a new standard for Functional Safety in the automotive industry, brought a new level of rigor to tackling safety in electrical and electronic systems.
The ISO 26262 standard defines clear requirements that cover the safety-relevant functions of the system as well as the processes and methods used within development.
It is still a tremendous challenge for many companies and development projects to integrate Functional Safety in accordance with ISO 26262 into projects in an organization-specific and holistic manner. One of the main reasons for this continues to be the shortage of practice-relevant and application-based expertise on ISO 26262.
Now, in addition, ISO/SAE 21434 presents the next major challenge for the automotive industry, which is the integration of state-of-the-art cybersecurity principles.
This makes it all the more important to put the assets of the value chain, the development projects and the organizational structures to the test at an early stage, in order to obtain an initial evaluation of the implementation of and future compliance with ISO/SAE 21434.
ISO/SAE 21434 for management
Obviously, management needs a full understanding of the impact that ISO/SAE 21434 has in terms of cost, time, and quality of products and solutions. Cybersecurity must be embraced by decision makers as an integral part of all of the value chain’s processes.
ISO/SAE 21434 for Engineers
At the engineering level, in addition to the basics of standards and regulations, it is crucial to understand the actual requirements and necessary work outputs. This is about new tasks. What needs to be added? What can, should or must already be done differently?
Compliant to ISO/SAE 21434: Use our gap analysis to prepare for official certification
ISO/SAE 21434 has been released. Since March 2022, guidelines for auditing the ISO/SAE 21434 standard have also existed. CYRES Consulting was part of the DIN working group for ISO PAS 5112 Road vehicles – Guidelines for auditing cybersecurity engineering.
Considering the (future) official audits and certifications, we recommend that our clients initiate measures now. It will pay off to start a review of the current compliance status at an early stage, since possible gaps can then be identified earlier. This time advantage is of great benefit when it comes to initiating appropriate solution concepts, which usually cannot be implemented overnight. In this way, the general conditions for the official certification can be effectively improved in advance – resulting in a serious competitive advantage.
How complex is the Gap Analysis?
The Gap Analysis refers to a previously defined section. By default, Gap Analysis does not cover the entire scope of the ISO/SAE 21434 standard.
Is the Gap Analysis an official audit?
At this point in time, the related standard ISO PAS 5112 Road vehicles – Guidelines for auditing cybersecurity engineering was published at the end of March 2022. (CYRES Consulting was part of the related DIN working committee.) The Gap Analysis is to be seen as an informal preparation for certification.
How granular can the Gap Analysis be?
Due to the limited time, the technical depth of the analysis always depends on the size and complexity of a project. Therefore, the respective priorities have to be agreed upon individually.
What about the implementation of the measures after the Gap Analysis?
The measures defined in the context of the Gap Analysis are presented in a tailored way for stakeholders and explained individually by CYRES Consulting. If required, CYRES Consulting also supports the implementation in the organization.
Please note: The presented offer of the CYRES Consulting Gap Analysis is a non-binding offer. Please use the form below for your first non-binding inquiry. In the following dialogue we will present the scope of our specific services to you and define the organizational details together with you.