How to prepare for a CSMS?

Cybersecurity Management Systems (CSMS) have gained significant traction in the automotive industry in recent times. Everyone needs these systems for compliance and to maintain a competitive advantage. A successful CSMS requires a proactive and comprehensive approach. To this end, we will explore 10 key steps that can effectively prepare your organization for a CSMS assessment. As I like to say – good preparation is half the work.

The How

  • Understanding the standard. Familiarize yourself well enough with ISO/SAE 21434. You first need to learn how to read the standard. Look at the abbreviations section, learn the difference between what is a requirement, recommendation, and permission. Analyze the definitions, take some time to look at the examples, notes, and annexes. The first video in our series, “Implementing ISO/SAE 21434” will help you get started.
  • Asking questions. While you are on your learning path, keep notes of provisions that don’t seem clear to you yet. Don’t understand how a Threat Analysis & Risk Assessment works? No problem, understanding takes time. Once you have specific questions, there are plenty of experts in the automotive cybersecurity community willing to help. If an auditor will be helping you out with the CSMS assessment, feel free to ask them questions. This way you will improve your knowledge about certain topics and the whole process, as well as show your professionalism by showing interest in learning. Having done your homework in advance will only save you time and make for better preparation and quality work.
  • Preparing the material. While you are reading through the standard and taking notes, don’t forget to actually start preparing the material that you will be asked to show. Let’s say you are reading Clause 6 and find [RQ-06-03] which talks about what a cybersecurity plan shall include. This means that you will surely be asked if you have a cybersecurity plan and what it looks like. Many automotive cybersecurity companies offer pre-made templates to start or you can start building your own, requirement by requirement. Check with your colleagues if needed and document your plan.
  • Constant progress. Whenever you have some processes defined, it doesn’t mean they can’t be upgraded. If you have a vulnerability analysis procedure, you can always look at ways on how to improve the process. Whether it would involve using a different method of analyzing attack paths, reviewing past cybersecurity incidents if you haven’t done this yet, or making the process more efficient, it will help you get ahead of others. You do not need to wait for the auditor to tell you that and instead do this on your own accord.
  • Investing in industry professionals. Even if CSMS activities are something you are doing for the first time, it is a good investment in your future. Get it done well and make the most out of it. Hire someone who can provide actual value to your processes and guide you through the wide sea of unknown. Once you have a good foundation laid out, you will be able to take charge of implementing those processes and improving them with time.
  • Doing it for more than just a checkmark. It isn’t uncommon to see that a lot of companies do penetration testing, TARA, or CSMS just to get a checkmark on a piece of paper. If you truly invest all your effort into being a part of the process, you will gain so much more by contributing to it and learning from it.
  • Putting some time aside. Doing a CSMS with outside consulting can be time-consuming. Both the customer and consulting team will be expected to work together towards a desired outcome. If you schedule regular meetings together, it is best not to keep rescheduling or postponing them. Furthermore, it helps if all the necessary parties are able to join those meetings for better communication and task tracking.
  • Performing professional documentation. Having your procedures well documented is a recipe for success. The more details and clarity, the better. Everything needs to be simple enough that your other colleagues would be able to understand the information presented. You may include diagrams, charts, and other types of drawings as aid. Be sure to include these from the beginning to make the task easier. You can also always have the documentation peer-reviewed for better gap remediation.
  • Communicating. Effective communication is crucial for a successful CSMS implementation with external consultants. Establish a clear communication strategy to streamline information exchange, facilitate inquiries, and manage scheduling. Secure file-sharing protocols for confidential documents are also essential. Remember, post-implementation success hinges on effectively communicating cybersecurity policies and procedures across all organizational levels.
  • Learning. If you still feel unsure about the CSMS process and want to have a head-start before your first meeting with a consultant, there are some Cybersecurity Management Courses you can do. If you still have some unanswered questions later on, you will at least know what to ask. Reach out to the Auto-ISAC, join the ASRG, and–of course–take the free courses offered on our Vehicle Security Engineering Cloud (VSEC) platform.

The sooner you focus on the big picture and understand how a well-defined CSMS will aid you in having higher quality, the sooner and better you can start preparing for all the work waiting ahead. Another saying I like to use is “how you make your bed, is how you will sleep” which can be easily adapted to doing preparations for CSMS work.

References:

ISO/SAE 21434