ISO/SAE 21434 Compliance:
Start analysing gaps now

With ISO/SAE 21434 Road Vehicles – Cybersecurity engineering, OEMs and Tier-N suppliers face the (type approval-relevant!) challenge of integrating cybersecurity principles into supply chains and the entire automobile-lifecycle. Don’t worry! With a preliminary status review, you will be prepared for the new standard. Learn more about our ISO/SAE 21434 Gap Analysis.

Get started

What does ISO/SAE 21434 imply for you in detail?

As you know, ISO/SAE 21434 is a abstract standard. It concerns the entire automobile ecosystem. The related UNECE regulations increase the urgency to work in compliance with the standard. At the same time, cybersecurity is not new territory when it comes to development; your customers’ cybersecurity expectations are also well known.

The most significant questions at the moment, therefore, are:

  • Is what you are currently doing already sufficient to comply with ISO/SAE 21434?
  • Would your current measures also be considered to be adequate to withstand a future audit of compliance with ISO/SAE 21434?
  • Where are any gaps and what needs to be done differently / better?

Without the necessary quality perspective through the lens of regulatory requirements, cybersecurity measures may be a waste of time and money. With an “independent snapshot”, you receive an assessment at this stage, which provides essential guidance for your organization, before it goes on to the official audits and assessments, in accordance with ISO/SAE 21434, ISO PAS 5112 and UNECE Reg. No. 155 (developed by UNECE WP.29 GRVA).

The product

Of course, the cybersecurity needs of your core product are of central importance. Nevertheless, this can no longer be considered only selectively or delimited from the entire ecosystem.

A look at your project

What about development-project-specific processes and the implementation of cybersecurity-relevant requirements at all levels involved? A systematic look is crucial here.

At the organizational level

ISO/SAE 21434 in correlation with UNR No. 155 stands for enforcing cybersecurity on an organizational level. The focus is also on compliance with the Cyber Security Management System (CSMS).

Overview of the ISO/SAE 21434 Gap Analysis by CYRES Consulting

ISO/SAE 21434 is becoming the new reference point for the automotive industry in cybersecurity issues. With our gap analysis, we align with your organization-specific priorities.

Are there specific OEM requirements that need to be reviewed? Is a development project already up and running, and possible corrections need to be identified? Or do you want to examine the organization or partial aspects? Depending on the needs, we can cover different topics and scopes with ISO/SAE 21434.

Your advantages:

  • Identification of possible flaws and gaps
  • Initiate the first approaches and concrete steps to find solutions, related to your initial situation
  • Readiness for the upcoming official audits and assessments (according to ISO/SAE 21434, ISO PAS 5112, UNECE Reg. No. 155 etc.)

To be more specific: What happens during the ISO/SAE 21434 Gap Analysis?

  1. We analyze your relevant documents by our cybersecurity consultants to create an initial holistic overview.
  2. We schedule a highly efficient workshop (on-site/online) with relevant stakeholders. Based on the preceding analysis, we clarify organization- and project-specific coherences, taking into account the technical background. Using the CYRES questionnaire (based on ISO/SAE 21434, UNECE WP.29, ISO PAS 5112 and additionally considering automotive standards, e.g. ASPICE, IATF 16949) we come to an evaluation of the current status.
  3. We create your organization-specific CYRES Cybersecurity Report that identifies potential points of improvement and gaps while defining feasible remediation measures.
ISO 26262

Cross comparison: 10 years of ISO 26262 Road Vehicles – Functional Safety

About ten years ago, ISO 26262 as a new standard for Functional Safety in the automotive industry provided a new level in tackling safety in electrical and electronic systems.

The ISO 26262 standard has defined clear requirements that must take into account safety-relevant functions of the system as well as processes and methods within the development.

It is still a tremendous challenge for many companies and development projects to integrate Functional Safety in accordance with ISO 26262 into projects in an organization-specific and holistic manner. One of the main reasons for this continues to be the shortage of practice-relevant and application-based expertise on ISO 26262.

In addition, ISO/SAE 21434 presents the next major challenge for the automotive industry, which is the integration of state-of-the-art cybersecurity principles.

This makes it all the more important to put the assets of value chain, development projects and organizational structures to the test at an early stage in order to have an initial evaluation of the implementation of and future compliance with ISO/SAE 21434.

ISO/SAE 21434 for management

Obviously, management needs a full understanding of the impact that ISO/SAE 21434 plays in terms of cost, time, and quality of products and solutions. Cybersecurity must be embraced by decision makers as an integral part of all of the value chain’s processes.

ISO/SAE 21434 for Engineers

At the engineering level, in addition to the basics of standards and regulations, it is crucial to understand the actual requirements and necessary work outputs. This is about new tasks. What needs to be added? What can, should or must already be done differently?


Compliant to ISO/SAE 21434: Use our gap analysis to prepare for official certification

At present (beginning of 2021), ISO/SAE 21434 is still in DIS status, the final release is still pending. Nevertheless, a draft for the guidelines for the auditing standard of ISO/SAE 21434 already exists. CYRES Consulting is part of the DIN working group for ISO PAS 5112 Road vehicles – Guidelines for auditing cybersecurity engineering.

Considering the (future) official audits and certifications, we recommend our clients to already initiate measures now. It will pay off to start a review of the current compliance status at an early stage. Possible gaps can thus be identified earlier. This time advantage is of great benefit when it comes to initiating appropriate solution concepts, which usually cannot be implemented overnight. In this way, the general conditions for the official certification can be effectively improved in advance – resulting in a serious competitive advantage.

How complex is the Gap Analysis?

The Gap Analysis refers to a previously defined section. By default, Gap Analysis does not cover the entire scope of the ISO/SAE 21434 standard.

Is the Gap Analysis an official audit?

At this point in time, the related standard ISO PAS 5112 Road vehicles – Guidelines for auditing cybersecurity engineering is still in development. (CYRES Consulting is part of the related DIN working committee.) The Gap Analysis is to be seen here as an informal preparation for certification.


How granular can the Gap Analysis be?

Due to the limited time, the technical depth of the analysis always depends on the size and complexity of a project. Therefore respective priorities have to be agreed upon individually.

What about the implementation of the measures after the Gap Analysis?

The measures defined in the context of the Gap Analysis are presented in a tailored way for stakeholders and explained individually by CYRES Consulting. If required, CYRES Consulting also supports the implementation in the organization.

Send us your inquiry here.

    Please note: The presented offer of CYRES Consulting Gap Analysis is a non-binding offer. Please use the form below for your first non-binding inquiry. In the following dialogue we will present you the scope of our specific services and define the organizational details together with you.


    Phone: +49 (0) 89 9542 808 00
    E-Mail: office (at)