CSMS for ISO/SAE 21434

This stage revolves around getting to know the organization, its cybersecurity maturity level, and how security is designed into its products – from development to production and on to post-production and decommissioning.

Among the essential questions posed to the organization:
Does the organization have an Information Security Policy? a Cybersecurity Incident Response Plan?
Does it manage and evaluate its suppliers from the perspective of cybersecurity?
Does it implement a process to monitor, evaluate, identify, and manage vulnerabilities?
Is there a procedure in place to communicate the end of cybersecurity support and the decommissioning of automotive products/components?

At the end of the Gap Analysis, the client receives a detailed report on the identified gap, a “Spider” chart visualization in the context of the ISO standard, and a recommendation list which elaborates on the issues that need rectifying.

Depending on the engagement model with Karamba's Professional Services team, Karamba can draft and produce the full set of documents for the organization, or provide templates and expert advice. ISO/SAE 21434 Standard specifies its requirements in 15 clauses, ranging from an analysis of the cybersecurity capabilities and maturity of the organization, to project management tasks, TARA output, and cyber protection activites throughout the product life-cycle.

Work Products based on Karamba templates and advice will be customized to the organization’s existing processes (as defined in ISO 27001 and/or ISO 26262) and enterprise procedures, taking into account reporting methods, organizational structure and stakeholders.

This stage entails carrying out the processes described in the policies and procedures, and creating the required Work Products. Examples of evidence -- documents, reports, and screenshots -- that could be used for the audit are: logs showing how the cybersecurity is managed during the course of the project; the interface agreement with suppliers ("CIA"); and screenshots of the system used to discover and manage a new vulnerability. In addition, TARA output must be presented (Cybersecurity Concept, Goals and Claims), along with verification that mitigations called for are implemented.

Prior to applying for certification, the organization can perform an Assessment with an external Assessor, such as Karamba Security. In this process the readiness of the organization for the external certification audit will be assessed. A “dry run” of the audit process, it aims to assure a successful result in an external audit carried out by one of the automotive type-approval bodies. After the audit process, summarized in reports and a workshop with the company, the organization receives a list of issues to rectify and, upon completion, will receive the approval certification.