ISO 21434 sets out the requirements for the cybersecurity management system (CSMS), the compliance of which is proof of cybersecurity of newly approved smart vehicles.
Linked to UNECE Regulation No. 155, the standard is the work of the International Organization for Standardization (ISO) and the Society of Automobile Engineers (SAE); hence it is called ISO/SAE 21434 – Road Vehicles Cybersecurity Engineering.

Reading Time: 3 minutes Difficulty: Advanced
28 June 2023
28 June 2023
Reading Time: 3 minutes Difficulty: Advanced

ISO 21434 sets out the requirements for the cybersecurity management system (CSMS), the compliance of which is proof of cybersecurity of newly approved smart vehicles.
Linked to UNECE Regulation No. 155, the standard is the work of the International Organization for Standardization (ISO) and the Society of Automobile Engineers (SAE); hence it is called ISO/SAE 21434 – Road Vehicles Cybersecurity Engineering.

Fundamentals of ISO 21434

ISO 21434 applies to the electrical and electronic (E/E) systems of mass-produced road vehicles, including software and related components and interfaces.
Although this standard does not prescribe specific technical requirements or technology related to cybersecurity, it is the guide for the overall safety of guidance systems, because:

  • it specifies requirements for cybersecurity risk management
  • it covers the topic of a product’s lifecycle, from concept through decommissioning, including aspects necessary for the OEM to achieve compliance from an organizational perspective
  • it defines a common language for managing cybersecurity risks within the supply chain

Do you want to help our page grow?

Follow us on LinkedIN
Do you need support for a project that entails the implementation of ISO 21434?

When to apply ISO 21434

ISO 21434 is applicable specifically to the vehicle, meaning that the system outside the vehicle should be considered an interface, thus outside the scope of ISO 21434.
In addition, its application is limited to elements and components relevant to cybersecurity, and includes after-sales and spare parts, as outlined in Annex D: Cybersecurity relevance.
The following fall within the components covered by ISO 21434:

  • Gateway
  • Infotainment systems
  • Sensors
  • Cameras
  • Security systems
  • Communication systems in general

On the other hand, the following are currently deemed parts of the interface, and so are outside the scope of the standard:

  • External storage devices
  • Back-end servers
  • Connectivity systems
  • Diagnostic and maintenance applications

Different standards may be applied to the latter parts, such as IEC 62443, ISO 27001, or NIST.

The security lifecycle according to ISO 21434

The lifecycle, for the purposes of the ISO 21434 management system, outlines the importance of organizational aspects to ensuring cybersecurity of end products.
Just as other cybersecurity standards focus on the roles and responsibilities of OEMs, ISO 21434 also largely emphasizes this topic, devoting large sections to:

  • Cybersecurity governance
  • Supply of resources
  • Cybersecurity culture
  • Cybersecurity procedures
  • Information sharing

The reasoning and application behind the ISO 21434 security lifecycle is summarized in the diagram below.

ISO 21434 security lifecycle


Go back to the blog
Send this to a friend