Consultancy services are organised in three main categories, with their associated activities described below. The categories are agnostic to any particular normative or regulatory text in our scope, and each can be purchased separately.
The gap analysis is done to identify the compliance gap at organization and project levels with respect to applicable standards and regulations. The result of this activity is a roadmap to achieve the desired compliance levels and a preliminary cybersecurity plan that states the required resources (personnel, budget, tools etc.).
Before the gap analysis, it is crucial to define a company-wide compliance strategy so that resources are used efficiently: regulations and standards are in constant evolution, and certain texts (cybersecurity in particular) are prerequisites for others. The diagram below depicts the mutual relationships between the cybersecurity-related texts.
On the left are the UNECE regulations and their dependencies. In the innermost cell is UN R155, the cybersecurity regulation. In the cell above it is UN R156, the software update regulation, which requires compliance with cybersecurity. Similarly, UN R157, the Automated Lane Keeping Systems (ALKS) regulation in the next cell up, requires compliance with software update. The outermost rectangle is the new GSR II (General Safety Regulation). It requires compliance with cybersecurity and lane keeping; however, it contains no direct statement requiring compliance with software update.
On the right are the standards and their dependencies. ISO/SAE 21434 (cybersecurity) and ISO 26262 (functional safety) are at the core. ISO 24089 (software update engineering) explicitly requires compliance with the cybersecurity and functional safety standards. However, ISO 21448, safety of the intended functionality (SOTIF), does not directly require compliance with any of the three previous standards. SOTIF is complementary to functional safety and cybersecurity; for that reason, a table in the introduction of ISO 21448 highlights how the causes of hazardous events are handled by the different standards. Nevertheless, there are always certain dependencies and overlaps. For more information on upcoming cybersecurity-related normative and regulatory texts, see our Learning page.
Process integration is carried out primarily to establish the CSMS (Cybersecurity Management System) within a company. The processes identified as missing or insufficient in the gap analysis are created at this step. In addition, the related cybersecurity activities required to produce the outcomes of those processes are defined and launched. These outcomes are typically documentation: policies, guidelines, templates and other documents required for compliance.
Process integration is carried out with the help of the related standards and guidelines provided in the diagram below.
UN R155 is positioned at the centre because it is the source of both the CSMS requirements at organisation level and the type approval requirements at vehicle level. These are the two main parts that make up the regulation.
For the CSMS part, clauses 5, 8, 12, 13 and 14 of ISO/SAE 21434 are used, with the help of ISO/PAS 5112. ISO/PAS 5112 is directly related to ISO/SAE 21434 and extends ISO 19011, "Guidelines for auditing management systems", to the automotive domain. In other words, it is an audit document that helps us audit the target CSMS of an organisation. There is also VDA's ACSMS, a paid publication, which helps us conduct audits in a more organised way.
For the project part, the word "assessment" is used rather than "audit". Clauses 6, 7, 9, 10, 11 and 15 are used, with the help of VDA Automotive SPICE for Cybersecurity. The last document, at the bottom of the diagram, is the UN R155 interpretation document. It is provided by UNECE to support the interpretation of the UN R155 regulation, and it references several other standards, especially ISO/SAE 21434.
Cybersecurity activities at project level should be managed by a dedicated cybersecurity manager. This role works in parallel with the project teams to execute the CSMS already established in the organisation. The first step is to create a comprehensive cybersecurity plan for each project that ensures the outcomes defined by the CSMS are produced. These outcomes shall cover all the work products listed in ISO/SAE 21434.
Certain cybersecurity activities that are part of cybersecurity project management are (the list is not exhaustive):
Rappel Cybersecurity provides end-to-end, scalable consultancy services that span the entire product lifecycle. Contact us for your cybersecurity compliance needs at any level and in any phase.