Whether you are already actively researching ISO PAS 5112 Road Vehicles – Guidelines for auditing cybersecurity engineering or have not yet heard of the specification that will play a key role in auditing for ISO/SAE 21434, the following will provide you with an initial overview of ISO PAS 5112.
The objective of ISO PAS 5112 is to help organizations audit the cybersecurity achieved within their own organization and along the supply chain. Among other things, it focuses on conducting an audit to determine whether a Cybersecurity Management System (CSMS) has been successfully established and is being maintained.
ISO PAS 5112 and CSMS – UN R155 and VDA ACSMS
A brief side note: UN Regulation No. 155 requires OEMs to demonstrate the application of a CSMS through a Certificate of Compliance for CSMS (valid for a maximum of 3 years). The associated assessment against the cybersecurity requirements is a prerequisite for type approval. Contractual partners along the value chain must also be taken into account, since managing risks along the supply chain is part of the UN R155 requirements.
Meanwhile, the German Association of the Automotive Industry (VDA) has published the VDA volume Automotive Cybersecurity Management System Audit (ACSMS) December 2020, a questionnaire and evaluation scheme. This can be used for auditing the CSMS (both on the part of the OEMs and the contractual partners).
Back to ISO PAS 5112: in its current version (CD, committee draft) it directly references the CSMS as required by UN R155, which allows ISO PAS 5112 to be used as a supporting guide when preparing for a UN R155 audit.
What does ISO PAS 5112 include?
First of all, ISO PAS 5112 provides guidelines for the general management of an audit program. Then, it contains input for the planning and execution of the actual audit. Last but not least, it specifies the competencies required of auditors and how the evaluation by the auditor is to be carried out.
At its core, ISO PAS 5112 references ISO 19011, the general standard for auditing management systems.
In addition to the general handling of audits, ISO PAS 5112 also provides sample questions based on the scope of ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering, which are closely aligned with the questionnaire of the VDA ACSMS.
Sample Questions of ISO PAS 5112: What does ISO PAS 5112 contain?
The sample questions of ISO PAS 5112 cover the aspect Cybersecurity Management (according to Clauses 5 and 6 of ISO/SAE DIS 21434), the point Continual Cybersecurity Activities (along Clause 7), the important topic Risk Assessment (according to Clause 8) as well as Concept and Product Development (along Clauses 9 and 10), Post-Development (according to Clauses 12, 13 and 14) and last but not least Distributed Development (according to Clause 15). Note that this clause numbering refers to the DIS; in the published ISO/SAE 21434:2021, distributed cybersecurity activities moved to Clause 7, continual cybersecurity activities to Clause 8, and the TARA methods to Clause 15, so the mapping should be checked against the version actually in use.
For each of the sample questions, ISO PAS 5112 contains dedicated guidance for the auditor, e.g. critical aspects that require special attention. At the same time, there is also specific guidance for the auditee, clarifying which obligations the organization has to fulfill with regard to providing specific evidence (along the work products of ISO/SAE 21434).
This means that ISO PAS 5112 addresses the organization as a whole across the entire product lifecycle.
One of the biggest challenges for the entire automotive industry with ISO/SAE 21434 is that OEMs must ensure the standard is applied along the entire supply chain in order to achieve end-to-end compliance. This already sounds difficult in theory, and in practice it currently leads to all kinds of coordination effort, with cybersecurity frequently treated as a mere add-on.
The ISO PAS 5112 guide to conducting audits provides a solid framework that covers exactly these points, in order to verify that the principles of ISO/SAE 21434 are applied by all contractors and suppliers involved.
ISO PAS 5112 also supports suppliers in conducting audits themselves, on their own or with assistance, to ensure that the compliance demanded of them in the business relationships along the value chain is given at all times and in its entirety.
And what about a “Certificate of ISO/SAE 21434 Compliance”?
In addition to the execution of audits (and the certificates issued for a successfully completed audit), the question of an ISO/SAE 21434 certificate also arises, especially on the suppliers' side.
So, to put it simply: just put a badge in front of the entrance door of the organization or the corresponding divisions stating "We are certified along ISO/SAE 21434. All good."
This would most likely be very beneficial for OEMs, as supplier evaluation could become easier, at least at the level of cybersecurity compliance. The need to perform their own audits and assessments could be eliminated, or at least the effort could be minimized. The "badge" of an "ISO/SAE 21434 certificate" would become a strong evaluation criterion for suppliers in negotiations with OEMs.
The idea is not far-fetched: a similar approach already exists in the automotive industry in the area of information security with TISAX (Trusted Information Security Assessment Exchange).
In practice, the question of an ISO/SAE 21434 certificate has not yet been finally resolved (as of June 2021). And it may not be as simple as the badge example suggests.
A comparison with the Certificate of Compliance for CSMS under UN R155 makes this clear. The rights of the Approval Authority are far-reaching, for example the right to withdraw the certificate if the established processes are no longer fulfilled. At the same time, the obligations on the part of the OEMs are also significant: if relevant aspects have changed, the manufacturer is obliged to inform the Approval Authority so that it can determine whether renewed checks are necessary.
Given the fast-moving dimensions that ISO/SAE 21434 addresses, cybersecurity at the level of the organization, of development projects and engineering processes, and of the product throughout its lifecycle, issuing a blanket certificate will not be a simple undertaking.
This makes it all the more important to conduct far-reaching preparatory discussions already now, e.g. as part of pre-audits using our ISO/SAE 21434 Gap Analysis.
- In preparation for future audits, we recommend starting early with an ISO/SAE 21434 Gap Analysis
- Learn more: On the new CYRES Academy Online Learning Platform in our video training course “Standards and Regulations apart ISO/SAE 21434” (temporarily free of charge)
- On the official ISO website you can get a rough overview of the timeline of the development and publication of ISO PAS 5112
Felix Roth is Senior Consultant at CYRES Consulting. After his master’s degree in Management and Technology from the TU Munich and with several stops in different companies and fields including digitalization and industry 4.0, he joined CYRES Consulting back in 2019. At CYRES Consulting he is co-responsible for the CYRES Academy and is involved in different Cybersecurity projects. He is also member of the DIN NA 052-00-32-11 AK “Cybersecurity” and thus also of the ISO/TC 022/SC 32/WG 11 “Cybersecurity” covering the development of the ISO/SAE 21434 and ISO PAS 5112.