Update: ISO/PAS 5112:2022 Road vehicles — Guidelines for auditing cybersecurity engineering has reached its final stage and was officially published by the International Organization for Standardization on March 31, 2022.
Whether you are already actively researching ISO PAS 5112:2022 Road Vehicles – Guidelines for auditing cybersecurity engineering, or have not yet heard of the specification that will play a key role in auditing against ISO/SAE 21434, the following provides an initial overview of ISO PAS 5112.
The objective of ISO PAS 5112 is to help organizations audit the level of cybersecurity achieved within their own organization and along the supply chain. Among other things, it focuses on conducting an audit to determine whether a Cybersecurity Management System (CSMS) has been successfully established.
- I. ISO PAS 5112 and CSMS – UN R155 and VDA ACSMS
- II. What does ISO PAS 5112 include?
- III. Sample Questions of ISO PAS 5112: What does ISO PAS 5112 contain?
- IV. The link between ISO PAS 5112 and ISO/SAE 21434
- V. And what about a “Certificate of ISO/SAE 21434 Compliance”?
- VI. Pre-audit prior to the audit: ISO/SAE 21434 Gap Analysis
ISO PAS 5112 and CSMS – UN R155 and VDA ACSMS
A brief side note: UN Regulation No. 155 requires OEMs to demonstrate the application of a CSMS with a Certificate of Compliance for CSMS, valid for a maximum of three years. The associated assessment against the regulation's cybersecurity requirements is a prerequisite for vehicle type approval. Contractual partners along the value chain must also be taken into account, since managing risks along the supply chain is part of the requirements of UN R155.
Meanwhile, the German Association of the Automotive Industry (VDA) published the VDA volume Automotive Cybersecurity Management System Audit (ACSMS) in December 2020, a questionnaire and evaluation scheme that can be used to audit the CSMS of both OEMs and their contractual partners.
Back to ISO PAS 5112: in its published version it directly references the CSMS as required by UN R155, which allows ISO PAS 5112 to be used as a supporting guide when preparing for a UN R155 audit.
What does ISO PAS 5112 include?
First of all, ISO PAS 5112 provides guidelines for the general management of an audit program. It then contains input for the planning and execution of the actual audit. Last but not least, the competence and evaluation of auditors are specified.
At its core, ISO PAS 5112 builds on ISO 19011, the general guideline for auditing management systems.
In addition to the general handling of audits, ISO PAS 5112 also provides sample questions based on the scope of ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering; these are closely linked to the questionnaire of the VDA ACSMS.
Sample Questions of ISO PAS 5112: What does ISO PAS 5112 contain?
The sample questions of ISO/PAS 5112 are grouped by topic and mapped to the clauses of ISO/SAE 21434:
- Cybersecurity Management (Clauses 5 and 6)
- Continual Cybersecurity (Clause 8)
- Risk Assessment (Clause 15)
- Concept and Product Development (Clauses 9 and 10)
- Post Development (Clauses 12, 13 and 14)
- Distributed Development (Clause 7)
For each sample question, ISO PAS 5112 contains dedicated guidance for the auditor, e.g. critical aspects that require special attention. At the same time, there is specific guidance for the auditee that clarifies which obligations the organization has to fulfill with regard to providing specific evidence (along the work products of ISO/SAE 21434).
This means that ISO PAS 5112 addresses the organization as a whole across the entire product lifecycle.
Working according to a standard, having the required work products in place, and demonstrating that those work products meet the required scope can serve as evidence of due diligence should a cybersecurity incident or an unintended anomaly occur in the field.
This is why audits and assessments are currently on everyone's mind. They are meant to ensure that certain principles are adopted across the organization and its project ecosystem.
ISO/SAE 21434 itself leaves the scope definition and procedure of audits largely open.
This can lead to insufficient coverage, and thus to non-compliance with ISO/SAE 21434 and possible loss of business when customer requirements are not fulfilled. In addition, a lack of organizational cybersecurity processes can lead to isolated and uncoordinated solutions at the project level, which is anything but efficient. This is one reason why ISO Working Group 11 (WG11 for short) set out to create guidelines that ensure a consistent scope and provide a roadmap for such audits. This is where ISO PAS 5112 Road vehicles – Guidelines for auditing cybersecurity engineering comes into play.
Additionally, one of the biggest challenges for the entire automotive industry with ISO/SAE 21434 is that OEMs must ensure the standard is applied along the entire supply chain in order to guarantee end-to-end compliance. This already sounds difficult in theory, and in practice it currently leads to all kinds of coordination effort, with cybersecurity often treated as a mere add-on.
The ISO PAS 5112 guide to conducting audits provides a solid framework that covers exactly these points: verifying the application of the principles of ISO/SAE 21434 by all contractors and suppliers involved.
ISO PAS 5112 also supports suppliers in conducting audits independently, on their own or with assistance, to ensure that the compliance demanded in their business relationships along the value chain is given at all times and in its entirety.
And what about a “Certificate of ISO/SAE 21434 Compliance”?
In addition to the execution of audits (and the associated certification of a successfully completed audit), the question of an ISO/SAE 21434 certificate also arises, especially on the suppliers' side.
To put it simply: just put a badge at the entrance of the organization or the relevant divisions stating "We are certified according to ISO/SAE 21434. All good."
This would most likely be very beneficial for OEMs, as supplier evaluation could become easier, at least at the level of cybersecurity compliance. The need to perform their own audits and assessments could be eliminated, or at least the effort could be minimized. The "badge" of an "ISO/SAE 21434 certificate" would become a strong evaluation criterion for suppliers in negotiations with OEMs.
The idea is not out of place: a similar approach already exists in the automotive industry in the area of information security with the TISAX certificate.
In practice, the question of an ISO/SAE 21434 certificate has not yet been finally resolved (as of September 2021). And it may not be as simple as the example suggests.
If we draw a comparison with the Certificate of Compliance for CSMS under UN R155, it becomes clear that the rights of the Approval Authority are far-reaching, for example the right to withdraw the certificate if the established processes are no longer fulfilled. At the same time, the obligations on the OEM's side are also significant: if relevant aspects have changed, the manufacturer is obliged to inform the Approval Authority so that the need for renewed checks can be examined.
Given the fast-moving dimensions that ISO/SAE 21434 addresses around cybersecurity at the level of the organization, development projects and engineering processes, as well as in relation to the product throughout its lifecycle, issuing a blanket certificate will not be a simple undertaking.
This makes it all the more important to start far-reaching preparatory discussions now, e.g. as part of pre-audits using our ISO/SAE 21434 Gap Analysis. Learn more in our dedicated ISO/PAS 5112 informational webcast, recorded on April 8, 2022.
Pre-audit prior to the audit: ISO/SAE 21434 Gap Analysis
The lack of guidelines for performing an audit is not a purely theoretical problem.
In practice, we receive more and more inquiries from our clients as to whether their processes are ISO/SAE 21434 compliant. The main question is: where to start?
A pre-audit is a good starting point to check whether existing processes and procedures cover the principles of ISO/SAE 21434 and to help identify possible gaps.
With the CYRES Consulting Gap Analysis for ISO/SAE 21434 we have created a tool that not only assists in identifying possible non-conformities with the standard, but also allows clear recommendations for action to be derived and a list of measures to be drawn up, so that the necessary steps towards correct application of the standard are ensured.
The ISO/SAE 21434 gap analysis covers not only principles from ISO/SAE 21434 and ISO PAS 5112, but also the scope of UN R155, and makes use of best practices in the automotive industry.
Such pre-audits are also considered best practice in the context of ISO PAS 5112.
Learn more about the three dimensions
- organization
- development project
- engineering processes
and about the 20 different modules on our page about the ISO/SAE 21434 Gap Analysis.
- Learn more: on the new CYRES Academy Online Learning Platform in our video training courses "Cybersecurity Automotive Standards and Regulations apart ISO/SAE 21434", "Guidance for auditing ISO/SAE 21434: ISO PAS 5112" and "Overview ISO/SAE 21434" (temporarily free of charge)
- On the official ISO website you can get a rough overview of the timeline of the development and publication of ISO PAS 5112
- Create the appropriate awareness among decision-makers in the organization with our Automotive Cybersecurity for Executives and Managers Awareness Sessions
Philipp Veronesi is founder and managing director of CYRES Consulting, one of the leading automotive cybersecurity consultancies. He has many years of practical experience not only in engineering but also in the management of technically challenging development projects for leading players in the automotive industry, including BMW, Audi, Rolls Royce, and others.