ISO/SAE 21434 Compliance:
Start analysing gaps now

With ISO/SAE 21434 Road Vehicles – Cybersecurity engineering, OEMs and Tier-N suppliers face the (type approval-relevant!) challenge of integrating cybersecurity principles into supply chains and the entire automobile-lifecycle. Be prepared for the new standard: Learn more about ISO/SAE 21434 Gap Analysis.

HOW DOES ISO/SAE 21434 GAP ANALYSIS WORK? FREE INFO WEBINAR ON APRIL 30, 2021

Get an overview of the methods behind our ISO/SAE 21434 gap analysis in this free information webinar. Take the first step towards ISO/SAE 21434 compliance and learn the structure and all fields of action of the standard to put your current cybersecurity efforts in your organization to the test.

When? Friday, 30 Apr 2021 at 2pm (UTC+2 / CET)
Where? Online / Remote (Live)

Your speaker will be, Manuel Sandler, Associate Partner at CYRES Consulting, co-developer of the ISO/SAE 21434 gap analysis and expert on applied cybersecurity in the automotive industry.

What does ISO/SAE 21434 imply for you in detail?

ISO/SAE 21434 is a abstract standard. It concerns the entire automobile ecosystem. The corresponding and, in many parts of the world, legally binding UNECE regulations increase the urgency to work in compliance with the standard.

The most significant questions at the moment, therefore, are:

Is what you are currently doing already sufficient to comply with ISO/SAE 21434?
Would your current measures also be considered to be adequate to withstand a future audit of compliance with ISO/SAE 21434?
Where are any gaps and what needs to be done differently?

Without the necessary quality perspective through the lens of regulatory requirements, cybersecurity measures may be a waste of time and money. Use the ISO/SAE 21434 Gap Analysis as an “independent snapshot”. You receive an assessment, which provides essential guidance for your organization, before it goes on to the official audits and assessments, in accordance with ISO/SAE 21434, ISO PAS 5112 and UNECE Reg. No. 155 (developed by UNECE WP.29 GRVA).

The product

Of course, the cybersecurity needs of your core product are of central importance. Nevertheless, this can no longer be considered only selectively or delimited from the entire ecosystem.

A look at your project

What about development-project-specific processes and the implementation of cybersecurity-relevant requirements at all levels involved? A systematic look is crucial here.

At the organizational level

ISO/SAE 21434 in correlation with UNR No. 155 stands for enforcing cybersecurity on an organizational level. The focus is also on compliance with the Cyber Security Management System (CSMS).

How do you benefit from ISO/SAE 21434 Gap Analysis by CYRES Consulting?

ISO/SAE 21434 affects the entire organization, development projects and, of course, all processes around the product. With our ISO/SAE 21434 gap analysis you can set your organization specific focus. (Please also note our defined modules, see below).

Are there specific OEM requirements that need to be reviewed? Is a development project already up and running, and possible corrections need to be identified? Or do you want to examine the organization or partial aspects? Depending on the needs, we can cover different topics and scopes with ISO/SAE 21434.

Your advantages:

Identification of possible flaws and gaps
Initiate the first approaches and concrete steps to find solutions, related to your initial situation
Readiness for the upcoming official audits and assessments (according to ISO/SAE 21434, ISO PAS 5112, UNECE Reg. No. 155 etc.)

Organizational Cybersecurity Management

The organization is the starting point and the center of all cybersecurity efforts. At the organization level, a number of aspects come together that need to be properly addressed in the various cybersecurity fields of action. In our ISO/SAE 21434 gap analysis, the following eight modules are subjected to a review at the organizational level and recommendations for action are provided.

O.1 Cybersecurity policy and processes

Definition and role-out of cybersecurity policy and processes as part of the company structure

O.2 Cybersecurity roles, resources and communication

Identification of globally needed roles and resources to establish cybersecurity in an organization. Make cybersecurity a relevant part of the company’s communication channels

O.3 Cybersecurity culture and competence management

Establishing cybersecurity as part of the daily work. Ensuring and demonstrating appropriate competences based on individual roles

O.4 Cybersecurity tool management

Providing the liable evidence that no weaknesses or vulnerabilities are introduced to the system through the used tool chain

O.5 Cybersecurity monitoring and event assessment

Continuous collection and observation of cybersecurity relevant information as well as evaluation for company’s products

O.6 Cybersecurity incident response (PSIRT)

Definition and establishment of processes, methods and ways of working to handle cybersecurity incidents in the field

O.7 SW update management system (SUMS acc. to UN R156)

Definition and establishment of processes, methods and ways of working to handle SW updates over the air

O.8 Type approval assessment

Assessing compliance to type approval requirements for the UN R155 and evaluation of processes

Project Cybersecurity Management

At the level of any development project, cybersecurity must be holistically integrated into all phases and involved functions of the project. The ISO/SAE 21434 gap analysis was developed to assess whether the application of ISO/SAE 21434 is sufficiently covered by using six different modules.

P.1 Cybersecurity project initiation

Establishing cybersecurity as full part of the project team and project documentation

P.2 Cybersecurity planning

Definition, planning, allocation and follow-up of cybersecurity activities, incl. creation of cybersecurity plan and schedule

P.3 Distributed Development (internal and external)

Evaluation of supplier capabilities, specification and negotiation of interface agreements as well as monitoring of joint cybersecurity activities between two parties

P.4 Cybersecurity case and further compliance proofs

Definition and evaluation of cybersecurity arguments and evidences (incl. Assessments)

P.5 Cybersecurity post-development activities

Definition and preparation of cybersecurity activities, beginning from start of production until decommissioning

P.6 Cybersecurity V&V strategy and planning

Approach to ensure verification and validation of product’s cybersecurity

Cybersecurity Engineering

At the operational level of engineering processes, ISO/SAE 21434 requires specific measures and process steps around cybersecurity. In six modules, the ISO/SAE 21434 gap analysis assesses the compliance of the product and product lifecycle: from the concept phase to the cybersecurity goals to the validation of the product.

E.1 Item definition and requirement elicitation

Cybersecurity stakeholder analysis, identification and elaboration of stakeholder requirement as well as collection of known cybersecurity information

E.2 Cybersecurity risk assessment (TARA) and cybersecurity concept

Identification of technical cybersecurity risks and derivation of strategies to mitigate them

E.3 Cybersecurity requirement specification and management

Derivation of cybersecurity requirements and integration of cybersecurity aspect into system, SW and HW architectural designs

E.4 Cybersecurity implementation on SW/HW level

Integration of COTS and establishing cybersecurity rules & needs for implementation

E.5 Cybersecurity Testing

Creation of cybersecurity related test specifications and evaluation of test results

E.6 Vulnerability Analysis

Identification and mitigation of vulnerabilities on system, software and hardware level

Cross comparison: 10 years of ISO 26262 Road Vehicles – Functional Safety

About ten years ago, ISO 26262 as a new standard for Functional Safety in the automotive industry provided a new level in tackling safety in electrical and electronic systems.

The ISO 26262 standard has defined clear requirements that must take into account safety-relevant functions of the system as well as processes and methods within the development.

It is still a tremendous challenge for many companies and development projects to integrate Functional Safety in accordance with ISO 26262 into projects in an organization-specific and holistic manner. One of the main reasons for this continues to be the shortage of practice-relevant and application-based expertise on ISO 26262.

Now, in addition, ISO/SAE 21434 presents the next major challenge for the automotive industry, which is the integration of state-of-the-art cybersecurity principles.

This makes it all the more important to put the assets of value chain, development projects and organizational structures to the test at an early stage in order to have an initial evaluation of the implementation of and future compliance with ISO/SAE 21434.

ISO/SAE 21434 for management

Obviously, management needs a full understanding of the impact that ISO/SAE 21434 plays in terms of cost, time, and quality of products and solutions. Cybersecurity must be embraced by decision makers as an integral part of all of the value chain’s processes.

ISO/SAE 21434 for Engineers

At the engineering level, in addition to the basics of standards and regulations, it is crucial to understand the actual requirements and necessary work outputs. This is about new tasks. What needs to be added? What can, should or must already be done differently?

Compliant to ISO/SAE 21434: Use our gap analysis to prepare for official certification

At present (beginning of 2021), ISO/SAE 21434 is still in DIS status, the final release is still pending. Nevertheless, a draft for the guidelines for the auditing standard of ISO/SAE 21434 already exists. CYRES Consulting is part of the DIN working group for ISO PAS 5112 Road vehicles – Guidelines for auditing cybersecurity engineering.

Considering the (future) official audits and certifications, we recommend our clients to already initiate measures now. It will pay off to start a review of the current compliance status at an early stage. Possible gaps can thus be identified earlier. This time advantage is of great benefit when it comes to initiating appropriate solution concepts, which usually cannot be implemented overnight. In this way, the general conditions for the official certification can be effectively improved in advance – resulting in a serious competitive advantage.

How complex is the Gap Analysis?

The Gap Analysis refers to a previously defined section. By default, Gap Analysis does not cover the entire scope of the ISO/SAE 21434 standard.

Is the Gap Analysis an official audit?

At this point in time, the related standard ISO PAS 5112 Road vehicles – Guidelines for auditing cybersecurity engineering is still in development. (CYRES Consulting is part of the related DIN working committee.) The Gap Analysis is to be seen here as an informal preparation for certification.

How granular can the Gap Analysis be?

Due to the limited time, the technical depth of the analysis always depends on the size and complexity of a project. Therefore respective priorities have to be agreed upon individually.

What about the implementation of the measures after the Gap Analysis?

The measures defined in the context of the Gap Analysis are presented in a tailored way for stakeholders and explained individually by CYRES Consulting. If required, CYRES Consulting also supports the implementation in the organization.

Send us your inquiry here.

Please note: The presented offer of CYRES Consulting Gap Analysis is a non-binding offer. Please use the form below for your first non-binding inquiry. In the following dialogue we will present you the scope of our specific services and define the organizational details together with you.

Phone: +49 (0) 89 9542 808 00
E-Mail: office (at) cyres-consulting.com