In February 2020, the first draft version of the international standard ISO/SAE 21434 was publicly released. It forms the basis for a common standard and a state-of-the-art reference document for automotive cybersecurity. Today, one year later, the number of questions about compliance with the standard and the appropriate auditing are increasing.
- I. ISO 21434 audit: Applying the standard is just the beginning, the relevant audits will be the next big thing
- II. Guidance on the way to ISO/SAE 21434 audit: Hello ISO PAS 5112
- III. However, the point is perfectly clear: it is about applying the standard
- IV. Pre-audit prior to the audit: ISO/SAE 21434 Gap Analysis
More and more companies are already adopting the processes and requirements proposed by the ISO/SAE 21434. There are several reasons why organizations are currently pushing for ISO/SAE 21434 compliance.
On the one hand, the implementation is pushed by customers in terms of customer requirements. On the other hand, the ISO/SAE 21434 can serve as a starting point for establishing required processes and requirements in order to fulfill the high-level (and in large parts of the world legally binding!) requirements from the UN Regulation No. 155 (short: UN R155).
However, the most important reason is justification if something happens, such as hacks that could lead to harm, accidents, or beyond.
Working according to a standard, having the required work products in place, and demonstrating that those work products meet the required scope may be considered sufficient justification if something does happen or an unintentional anomaly arises.
ISO 21434 audit: Applying the standard is just the beginning, the relevant audits will be the next big thing
Therefore, audits and assessments are currently in everyone’s mind. They shall ensure that certain principles are adopted in the organization and project ecosystem.
Especially for audits, the ISO/SAE 21434 leaves some space for the scope definition and process.
This can lead to insufficient coverage and thus non-compliance to the ISO/SAE 21434 and possible loss of business when not fulfilling customer requirements. In addition, a lack of organizational cybersecurity processes can lead to isolated and uncoordinated solutions at the project level which is anything but efficient.
This is one reason, why the ISO Working Group 11 (or short WG11) wants to bring guidelines into life to ensure a consistent scope and provide a roadmap for such audits.
Guidance on the way to ISO/SAE 21434 audit: Hello ISO PAS 5112
This is where ISO PAS 5112 Road vehicles – Guidelines for auditing cybersecurity engineering comes into play.
PAS stands for publicly available specification which is a fast-track solution to bring up standardization and is often pushed by current market needs.
However, the PAS is by definition not a standard but can be seen more like a public requirement which get its importance and relevance through the standardization body which is working on it.
The WG11 finished (as of March 2021) reworking the ISO PAS 5112 in order to prepare the committee draft.
It was distributed to the SC32 which is the central secretary preparing the ballot for voting and commenting on this draft. The committee draft will be the last draft in terms of a PAS development before the document is finally released. Besides general changes also technical adaptions are expected.
However, the point is perfectly clear: it is about applying the standard
The lack of guidelines for performing an audit is not a purely theoretical problem.
In practice, we receive more and more inquiries from our clients as to whether their processes are ISO/SAE 21434 compliant. The main question is where to start?
Everything starts with the organization.
The existence of defined processes along ISO/SAE 21434 avoids isolated solutions and ensures a common way of working in all projects and processes. Project start-up is accelerated, and synergies can be leveraged. This not only ensures the required level of cybersecurity, but also saves time and costs in the end.
Pre-audit prior to the audit: ISO/SAE 21434 Gap Analysis
A pre-audit is a good starting point to check whether existing processes and procedures cover the principles of ISO/SAE 21434 and to help identify possible gaps.
With the CYRES Consulting Gap Analysis to ISO/SAE 21434 we have created a unique tool that not only provides assistance in identifying possible non-conformities to the standard. It also allows to derive clear recommendations for action and to set up a list of measures to ensure the necessary steps on the way to the correct application of the standard.
The ISO/SAE 21434 gap analysis covers not only principles from ISO/SAE 21434 and ISO PAS 5112, but also the scope of UN R155 and makes use of the best practices in the automotive industry.
Such pre-audits are also considered best practice in the context of ISO PAS 5112.
Learn more about the three dimensions
- development project
- and engineering processes
and about the 20 different modules on our page about the ISO/SAE 21434 Gap Analysis.
Felix Roth is Senior Consultant at CYRES Consulting. After his master’s degree in Management and Technology from the TU Munich and with several stops in different companies and fields including digitalization and industry 4.0, he joined CYRES Consulting back in 2019. At CYRES Consulting he is co-responsible for the CYRES Academy and is involved in different Cybersecurity projects. He is also member of the DIN NA 052-00-32-11 AK “Cybersecurity” and thus also of the ISO/TC 022/SC 32/WG 11 “Cybersecurity” covering the development of the ISO/SAE 21434 and ISO PAS 5112.