ISO/SAE 21434 is considered a milestone for the automotive industry regarding cybersecurity. As of today, ISO/SAE 21434 has the new status “International Standard published”. What does this mean for the industry? We provide an overview in the following article and in an upcoming info webcast for which you can register free of charge.
First, the most important questions about the publication that has now taken place, at a glance:
- I. ISO/SAE 21434:2021: What you need to know now
- II. ISO/SAE 21434 DIS, FDIS and the latest publication: What are the differences?
- III. Additional Information materials next to the document of the standard
- IV. Publication of the official ISO/SAE 21434: Understand the scope of ISO/SAE 21434:2021 with our upcoming info webcast
ISO/SAE 21434:2021: What you need to know now
In our brand-new multi-part video learning course “Overview ISO/SAE 21434 G1_5” on the CYRES Academy Online Learn Platform we answer the most important questions about ISO/SAE 21434:2021. After registering, you can watch the whole video course free of charge for a limited time.
However, regardless of that, let’s get started:
Is the ISO/SAE 21434 released?
ISO/SAE 21434:2021 Road Vehicles – Cybersecurity Engineering was officially released on August 31, 2021. The published standard replaces the previous draft versions (the DIS version from February 2020 and the FDIS version from May 2021).
Where can ISO/SAE 21434:2021 be officially purchased?
The standard document can be purchased in PDF format or as a hard copy on the official website of the International Organization for Standardization (ISO) and probably soon also through DIN at Beuth Verlag. In addition, the official Table of Contents and the general overview of the standard can be viewed on the ISO Online Browsing Platform.
What are the differences between the now released ISO/SAE 21434:2021 and the previous draft versions?
Since work on the standard began, the entire automotive industry has been keeping an eagle eye on what ISO/SAE 21434 requires of the stakeholders in the automotive value chain. Accordingly, even apparently minor adjustments to the structure or wording of the standard can have far-reaching effects in practice.
Between the draft versions and the officially published version, the overall structure of the ISO/SAE 21434 document has changed once again compared to the DIS. This change in structure is not, however, accompanied by fundamental changes in the content of the standard.
What is the structure of ISO/SAE 21434:2021?
First, it helps to think the way ISO/SAE itself communicates: the structure of ISO/SAE 21434 does not represent an “execution sequence” of the individual topics.
For the official structure of ISO/SAE 21434:2021, we have created a custom graphical visualization that arranges the clauses not in document order, but along the product development lifecycle.
The structure of ISO/SAE 21434:2021 in the order given in the now released document:
- Clause 4 (General considerations) is informative and describes the context and perspective of the approach to road vehicle cybersecurity engineering.
- Clause 5 (Organizational cybersecurity management) covers cybersecurity management, the specification of organizational cybersecurity policies, and the associated rules and processes.
- Clause 6 (Project dependent cybersecurity management) covers cybersecurity management and cybersecurity activities at the project level.
- Clause 7 (Distributed cybersecurity activities) contains requirements for assigning responsibilities for cybersecurity activities between customer and supplier.
- Clause 8 (Continual cybersecurity activities) covers activities that provide information for ongoing risk assessments and defines vulnerability management of E/E systems until end of cybersecurity support.
- Clause 9 (Concept) covers activities that determine cybersecurity risks, cybersecurity goals and cybersecurity requirements for an item.
- Clause 10 (Product development) covers activities that define the cybersecurity specifications and implement and verify the cybersecurity requirements.
- Clause 11 (Cybersecurity validation) covers the cybersecurity validation of an item at the vehicle level.
- Clause 12 (Production) covers the cybersecurity-related aspects of manufacturing and assembly of an item or component.
- Clause 13 (Operations and maintenance) covers activities related to cybersecurity incident response and to updates of an item or component.
- Clause 14 (End of cybersecurity support and decommissioning) covers cybersecurity considerations for the end of support and the decommissioning of an item or component.
- Clause 15 (Threat analysis and risk assessment methods) provides modular methods for analysis and assessment to determine the extent of cybersecurity risk so that risk treatment can be pursued.
Clauses 5 to 15 are followed by the annexes, which summarize the cybersecurity activities and work products, among other things.
ISO/SAE 21434 DIS, FDIS and the latest publication: What are the differences?
Although ISO/SAE 21434 was officially published only a few hours ago, its previous versions have been known for months: first as a committee draft, then as the draft international standard (DIS for short), and finally as the newer final draft international standard (FDIS for short), which received little publicity.
Accordingly, automotive cybersecurity education providers and practitioners have relied on the draft versions of ISO/SAE 21434 in recent months and years to understand its requirements and work products.
Thus, starting with the first publicly available version (the DIS), ISO/SAE 21434 has been regarded as the state-of-the-art reference document for automotive cybersecurity.
With the release of the official version, these draft versions become more or less obsolete for upcoming development projects; it can be assumed that from now on only ISO/SAE 21434:2021 will be referenced in automotive projects.
Does your customer’s Statement of Work demand the application of ISO/SAE 21434 in the now published official version?
We believe it is essential to compare the different versions of ISO/SAE 21434 in order to adapt the requirements to your projects and product development where necessary. This requires a dedicated synchronization; simply comparing the last three versions side by side is not sufficient.
For this purpose, we have been working intensively over the last few months on an ISO/SAE 21434 synchronization tool that allows you to compare the different versions of the standard in a way that is as straightforward and user-friendly as possible.
We are happy to provide organization-specific support to help you understand how the different ISO/SAE versions relate to each other and what you need to adopt to work according to the now officially published standard.
Additional Information materials next to the document of the standard
ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering is the main reference for automotive cybersecurity. Even though the standard is only now officially published, further information materials are already available at launch.
The Essential Guide to ISO/SAE 21434, the first officially licensed book on ISO/SAE 21434
The Essential Guide to ISO/SAE 21434, published in July 2021, is the world’s first reference book on the standard and the first officially licensed by ISO/DIN to contain its requirements and work products. The hardcover book refers to ISO/SAE 21434 in the DIS version, which has the same scope as the FDIS and the now published standard.
The DIS version of ISO/SAE 21434, and accordingly the book, actually cover somewhat more aspects than the published standard.
This becomes clear when comparing the scope of the DIS with the released ISO/SAE 21434:2021. The DIS version includes 116 requirements (RQ), 18 recommendations (RC) and 7 permissions (PM), whereas the official standard now published has 101 RQ, 13 RC and 4 PM. The DIS sub-clause 10.4.3 “Specific requirements for software development” was even removed entirely.
In direct comparison, it could be said that the now published official version contains fewer requirements, but also leaves larger gaps in terms of concrete guidance.
Accordingly, The Essential Guide to ISO/SAE 21434, based on the DIS, does not differ in substance from the now published official standard, and continues to offer a wide-ranging introduction (going beyond ISO/SAE 21434 itself) to the complex topic of automotive cybersecurity.
ISO/SAE 21434 as Pocket Guide
At the beginning of 2021, we published the world’s first pocket guide to ISO/SAE 21434. Instead of nearly a hundred A4 pages, the entire standard can be worked through in a handy pocket format; it has been a success, with almost a thousand automotive cybersecurity specialists worldwide having ordered a hard copy. This current first edition of the Pocket Guide is based on ISO/SAE 21434 in DIS status.
The publication terms for the official standard (the first that ISO has developed jointly with SAE) do not permit a reproduction such as our Pocket Guide until at least six months after the standard’s official publication.
Therefore, each order of our ISO/SAE 21434 Pocket Guide (current edition, DIS version) includes a voucher for a free copy of the Pocket Guide in the official ISO/SAE 21434:2021 version.
(Please note: for these licensing reasons, the Pocket Guide ISO/SAE 21434:2021 will be published in March 2022 at the earliest.)
Publication of the official ISO/SAE 21434: Understand the scope of ISO/SAE 21434:2021 with our upcoming info webcast
In our daily consulting business, we have noticed in recent months and years that discussions of ISO/SAE 21434 (and its draft versions) take place at very different levels of abstraction.
We would like to take the publication of the official ISO/SAE 21434:2021 as an opportunity for an info webcast in which we provide an up-to-date overview of the publication.
Although it is by now common knowledge that ISO/SAE 21434 applies to all E/E systems within a road vehicle (i.e. all electrical and electronic systems), one far-reaching misunderstanding has persisted from the very beginning: ISO/SAE 21434 does not refer only to the product. Rather, it requires a holistic approach to cybersecurity along the entire product lifecycle and all phases of the development project, with far-reaching effects on the organization.
How does this now become concretely articulated in the (updated) structure of the official ISO/SAE 21434:2021?
Use our info webcast (free of charge) to get a quick update on the publication of the ISO/SAE 21434:2021.
Update Sep 28: The video recording of the info webcast is now available on the CYRES Academy Online Learn Platform.
Felix Roth is Senior Consultant at CYRES Consulting. After his master’s degree in Management and Technology from TU Munich and several stops at different companies and in fields including digitalization and Industry 4.0, he joined CYRES Consulting in 2019. At CYRES Consulting he is co-responsible for the CYRES Academy and is involved in various cybersecurity projects. He is also a member of the DIN NA 052-00-32-11 AK “Cybersecurity” and thus of ISO/TC 022/SC 32/WG 11 “Cybersecurity”, which covers the development of ISO/SAE 21434 and ISO PAS 5112.