Assessing Automotive Cybersecurity Management System (CSMS) Compliance

The automotive industry is swiftly approaching the July 2024 deadline for implementing a fully functional Cybersecurity Management System (CSMS) as prescribed by UNECE WP.29 Regulation No. 155 (UN R155). It is imperative for OEMs/Suppliers to scrutinize their internal cybersecurity processes utilized across the organization and product development lifecycle to identify and address existing gaps, thereby avoiding restrictions imposed by CSMS auditors. While UN R155 does not explicitly mandate the use of ISO 21434 [1], it is widely adopted across the industry, effectively making it the de facto standard for CSMS implementation.

Every OEM/Supplier organization must follow a series of general steps to assess its cybersecurity processes to achieve CSMS compliance. The major steps for a company to assess their cybersecurity compliance internally are as follows:

1. Information Gathering

The first step in the cybersecurity compliance assessment process is information gathering. During this step, all organizational and project-dependent cybersecurity information, along with related documentation, is collected for analysis purposes. A systematic approach to collecting all necessary information involves:

   a. Identify Key Stakeholders

ISO/SAE 21434 is divided into 15 clauses, implying that the OEM/Supplier organization will have separate stakeholders responsible for different areas of the organization and throughout various phases of the product development lifecycle. To gather accurate information about a specific work product, it is essential to identify the key stakeholder(s) responsible for it. These stakeholders possess the best knowledge about the area and can answer any questions. The following table is an example of identifying stakeholders for each work product.

| Work Product | Department (Owner) | Key Stakeholder |
|---|---|---|
| WP-05-01: Cybersecurity policy, rules and processes | Organization | CISO, IT Security Managers, Policy Analyst |
| WP-05-03: Evidence of the organization’s management system | Organization, Quality | Quality assurance managers, Compliance officer, Management system analyst |
| WP-06-01: Cybersecurity plan | Project Management, Secure Engineering Process | CISO, Cybersecurity Managers, Security Architects |

   b. Interviewing Key Stakeholders

Once the key stakeholders are identified, the next step is to interview them to gain insights into the relevant work products for which they are responsible. A structured interview questionnaire should be prepared beforehand, focusing on ISO 21434 work product requirements. 

   c. Collecting Information/Documentation

The responses from the key stakeholders to each question need to be recorded for analysis purposes. Additionally, asking for supporting documentation is advisable if stakeholders claim compliance with ISO 21434 work product requirements.

2. Information Analysis

The next step in cybersecurity compliance assessment involves analyzing the collected information. Evaluate existing documentation such as policies, procedures, project planning, risk assessments, and incident response plans. Identify gaps and inconsistencies in documentation by comparing them with the ISO 21434 compliance requirements. Each work product has a minimum set of requirements as outlined in ISO 21434 to achieve compliance. However, there are some requirements in ISO 21434 that don’t have any work products but need to be fulfilled.

3. Identifying Cybersecurity Gaps

The best approach to identifying cybersecurity gaps is to compare existing resources (documentation, processes) against ISO 21434 individual work products. If any existing material does not comply with ISO 21434 requirements, it can be flagged as a gap by introducing a scoring method to understand the severity of the gaps. An example of a gap assessment scoring scale is as follows, where a ‘score = 0’ indicates that the customer company lacks evidence for a work product and ‘score = 3’ indicates that the supporting documentation is fully compliant with ISO 21434.

| Score | Reason | Details |
|---|---|---|
| 0 | No evidence | Doesn’t have any processes or supporting documents related to ISO 21434 requirements |
| 1 | Major gaps in evidence | May have processes and supporting documents, but they are not compliant with ISO 21434 |
| 2 | Adjustments needed | Existing processes and supporting documents are partially compliant with ISO 21434 requirements |
| 3 | Fully sufficient | Existing processes and supporting documents are fully mature and ISO 21434 compliant |

4. Gap Remediation

After identifying the gaps, the next step involves developing a plan to remediate these gaps and achieve ISO 21434 compliance. Gap remediation can vary from creating new work products from scratch to utilizing existing ones. For instance, if the OEM/Supplier organization has previously met ISO 26262 Functional Safety requirements, they likely have safety-related documentation that can be repurposed for creating cybersecurity-related documentation.

What do auditors look for during a CSMS compliance audit?


Block Harbor Cybersecurity is a premier automotive cybersecurity company that empathizes with the challenges faced by customers in achieving their automotive cybersecurity objectives. With a dedicated CSMS team, we engage with OEM/Supplier key stakeholders to first understand the maturity level of their cybersecurity processes and recommend the most effective actions. While Block Harbor offers both gap assessment and gap remediation services, we strongly advise OEMs/Suppliers to begin with the gap assessment before proceeding to gap remediation. Block Harbor’s CSMS team is flexible and can adapt to customers’ customized requirements to assist them in achieving CSMS compliance certification. Furthermore, Block Harbor provides its own in-house ISO 21434 work product templates for both gap assessment and gap remediation, facilitating expedited CSMS compliance for their clients. Recognizing that the industry is still adapting to the new regulatory framework, Block Harbor is committed to supporting its customers’ smooth transition and expertise in CSMS compliance through its education program at VSEC:Learn.

  1. Contact us for a complimentary CSMS readiness evaluation.
  2. Based on the evaluation results, we can guide you in the right direction. Remember, achieving your CSMS compliance certification is just one step away.

References

  1. ISO 21434 – Road vehicles – Cybersecurity Engineering
  2. UN Regulation No. 155
  3. ISO/PAS 5112 – Road Vehicles – Guidelines for Auditing Cybersecurity Engineering