How does the ISO/SAE 21434 Gap Analysis work? Learn about why it is so important to check the overall organization, the development projects and the engineering at an early stage with regard to the maturity of the type approval.
Manuel Sandler, Associate Partner at CYRES Consulting, presents the method and the detailed procedure of the ISO/SAE 21434 Gap Analysis in our info webinar.
Watch as video recording now online on our new CYRES Academy Online Learn Platform
ISO/SAE 21434 is a abstract standard. It concerns the entire automobile ecosystem. The corresponding and, in many parts of the world, legally binding UNECE regulations increase the urgency to work in compliance with the standard.
The most significant questions at the moment, therefore, are:
Without the necessary quality perspective through the lens of regulatory requirements, cybersecurity measures may be a waste of time and money. Use the ISO/SAE 21434 Gap Analysis as an “independent snapshot”. You receive an assessment, which provides essential guidance for your organization, before it goes on to the official audits and assessments, in accordance with ISO/SAE 21434, ISO PAS 5112 and UNECE Reg. No. 155 (developed by UNECE WP.29 GRVA).
Of course, the cybersecurity needs of your core product are of central importance. Nevertheless, this can no longer be considered only selectively or delimited from the entire ecosystem.
What about development-project-specific processes and the implementation of cybersecurity-relevant requirements at all levels involved? A systematic look is crucial here.
ISO/SAE 21434 in correlation with UNR No. 155 stands for enforcing cybersecurity on an organizational level. The focus is also on compliance with the Cyber Security Management System (CSMS).
ISO/SAE 21434 affects the entire organization, development projects and, of course, all processes around the product. With our ISO/SAE 21434 gap analysis you can set your organization specific focus. (Please also note our defined modules, see below).
Are there specific OEM requirements that need to be reviewed? Is a development project already up and running, and possible corrections need to be identified? Or do you want to examine the organization or partial aspects? Depending on the needs, we can cover different topics and scopes with ISO/SAE 21434.
Your advantages:
The organization is the starting point and the center of all cybersecurity efforts. At the organization level, a number of aspects come together that need to be properly addressed in the various cybersecurity fields of action. In our ISO/SAE 21434 gap analysis, the following eight modules are subjected to a review at the organizational level and recommendations for action are provided.
Definition and role-out of cybersecurity policy and processes as part of the company structure
Identification of globally needed roles and resources to establish cybersecurity in an organization. Make cybersecurity a relevant part of the company’s communication channels
Establishing cybersecurity as part of the daily work. Ensuring and demonstrating appropriate competences based on individual roles
Providing the liable evidence that no weaknesses or vulnerabilities are introduced to the system through the used tool chain
Continuous collection and observation of cybersecurity relevant information as well as evaluation for company’s products
Definition and establishment of processes, methods and ways of working to handle cybersecurity incidents in the field
Definition and establishment of processes, methods and ways of working to handle SW updates over the air
Assessing compliance to type approval requirements for the UN R155 and evaluation of processes
At the level of any development project, cybersecurity must be holistically integrated into all phases and involved functions of the project. The ISO/SAE 21434 gap analysis was developed to assess whether the application of ISO/SAE 21434 is sufficiently covered by using six different modules.
Establishing cybersecurity as full part of the project team and project documentation
Definition, planning, allocation and follow-up of cybersecurity activities, incl. creation of cybersecurity plan and schedule
Evaluation of supplier capabilities, specification and negotiation of interface agreements as well as monitoring of joint cybersecurity activities between two parties
Definition and evaluation of cybersecurity arguments and evidences (incl. Assessments)
Definition and preparation of cybersecurity activities, beginning from start of production until decommissioning
Approach to ensure verification and validation of product’s cybersecurity
At the operational level of engineering processes, ISO/SAE 21434 requires specific measures and process steps around cybersecurity. In six modules, the ISO/SAE 21434 gap analysis assesses the compliance of the product and product lifecycle: from the concept phase to the cybersecurity goals to the validation of the product.
Cybersecurity stakeholder analysis, identification and elaboration of stakeholder requirement as well as collection of known cybersecurity information
Identification of technical cybersecurity risks and derivation of strategies to mitigate them
Derivation of cybersecurity requirements and integration of cybersecurity aspect into system, SW and HW architectural designs
Integration of COTS and establishing cybersecurity rules & needs for implementation
Creation of cybersecurity related test specifications and evaluation of test results
Identification and mitigation of vulnerabilities on system, software and hardware level
About ten years ago, ISO 26262 as a new standard for Functional Safety in the automotive industry provided a new level in tackling safety in electrical and electronic systems.
The ISO 26262 standard has defined clear requirements that must take into account safety-relevant functions of the system as well as processes and methods within the development.
It is still a tremendous challenge for many companies and development projects to integrate Functional Safety in accordance with ISO 26262 into projects in an organization-specific and holistic manner. One of the main reasons for this continues to be the shortage of practice-relevant and application-based expertise on ISO 26262.
Now, in addition, ISO/SAE 21434 presents the next major challenge for the automotive industry, which is the integration of state-of-the-art cybersecurity principles.
This makes it all the more important to put the assets of value chain, development projects and organizational structures to the test at an early stage in order to have an initial evaluation of the implementation of and future compliance with ISO/SAE 21434.
Obviously, management needs a full understanding of the impact that ISO/SAE 21434 plays in terms of cost, time, and quality of products and solutions. Cybersecurity must be embraced by decision makers as an integral part of all of the value chain’s processes.
At the engineering level, in addition to the basics of standards and regulations, it is crucial to understand the actual requirements and necessary work outputs. This is about new tasks. What needs to be added? What can, should or must already be done differently?
At present (beginning of 2021), ISO/SAE 21434 is still in DIS status, the final release is still pending. Nevertheless, a draft for the guidelines for the auditing standard of ISO/SAE 21434 already exists. CYRES Consulting is part of the DIN working group for ISO PAS 5112 Road vehicles – Guidelines for auditing cybersecurity engineering.
Considering the (future) official audits and certifications, we recommend our clients to already initiate measures now. It will pay off to start a review of the current compliance status at an early stage. Possible gaps can thus be identified earlier. This time advantage is of great benefit when it comes to initiating appropriate solution concepts, which usually cannot be implemented overnight. In this way, the general conditions for the official certification can be effectively improved in advance – resulting in a serious competitive advantage.
The Gap Analysis refers to a previously defined section. By default, Gap Analysis does not cover the entire scope of the ISO/SAE 21434 standard.
At this point in time, the related standard ISO PAS 5112 Road vehicles – Guidelines for auditing cybersecurity engineering is still in development. (CYRES Consulting is part of the related DIN working committee.) The Gap Analysis is to be seen here as an informal preparation for certification.
Due to the limited time, the technical depth of the analysis always depends on the size and complexity of a project. Therefore respective priorities have to be agreed upon individually.
The measures defined in the context of the Gap Analysis are presented in a tailored way for stakeholders and explained individually by CYRES Consulting. If required, CYRES Consulting also supports the implementation in the organization.
Please note: The presented offer of CYRES Consulting Gap Analysis is a non-binding offer. Please use the form below for your first non-binding inquiry. In the following dialogue we will present you the scope of our specific services and define the organizational details together with you.
Phone: +49 (0) 89 9542 808 00
E-Mail: office (at) cyres-consulting.com
