CSMS for ISO/SAE 21434

Why you need a Cyber Security Management System,
and how Karamba can help

Karamba Security offers products and services that accompany manufacturers and their suppliers along the compliance journey and span the entire lifecycle of product development and deployment.

Establishing a solid CSMS provides the framework that enables automotive OEMs and Tier 1s to develop and produce a vehicle of mature cybersecurity posture that complies with the ISO/SAE 21434 standard and the UN-R 155/6 regulations.

We can separate the process of ISO/SAE compliance into the four key stages described below: Gap Analysis, Implementation Support, Process Immersion, Assessment and Certification.

SAE International
UNECE
IEC
NIST
Karamba certified

The Four Stages of a Successful CSMS Journey

Gap Analysis
Gap
Analysis

This stage revolves around getting to know the organization, its cybersecurity maturity level, and how security is designed into its products – from development to production and on to post-production and decommissioning.

Among the essential questions posed to the organization:
Does the organization have an Information Security Policy? a Cybersecurity Incident Response Plan?
Does it manage and evaluate its suppliers from the perspective of cybersecurity?
Does it implement a process to monitor, evaluate, identify, and manage vulnerabilities?
Is there a procedure in place to communicate the end of cybersecurity support and the decommissioning of automotive products/components?

At the end of the Gap Analysis, the client receives a detailed report on the identified gap, a “Spider” chart visualization in the context of the ISO standard, and a recommendation list which elaborates on the issues that need rectifying.

Implementation Support
Implemenation
Support

Depending on the engagement model with Karamba's Professional Services team, Karamba can draft and produce the full set of documents for the organization, or provide templates and expert advice. ISO/SAE 21434 Standard specifies its requirements in 15 clauses, ranging from an analysis of the cybersecurity capabilities and maturity of the organization, to project management tasks, TARA output, and cyber protection activites throughout the product life-cycle.

Work Products based on Karamba templates and advice will be customized to the organization’s existing processes (as defined in ISO 27001 and/or ISO 26262) and enterprise procedures, taking into account reporting methods, organizational structure and stakeholders.

Process Immersion
Process
Immersion

This stage entails carrying out the processes described in the policies and procedures, and creating the required Work Products. Examples of evidence -- documents, reports, and screenshots -- that could be used for the audit are: logs showing how the cybersecurity is managed during the course of the project; the interface agreement with suppliers ("CIA"); and screenshots of the system used to discover and manage a new vulnerability. In addition, TARA output must be presented (Cybersecurity Concept, Goals and Claims), along with verification that mitigations called for are implemented.

Assessment and Certification
Assessment and
Certification

Prior to applying for certification, the organization can perform an Assessment with an external Assessor, such as Karamba Security. In this process the readiness of the organization for the external certification audit will be assessed. A “dry run” of the audit process, it aims to assure a successful result in an external audit carried out by one of the automotive type-approval bodies. After the audit process, summarized in reports and a workshop with the company, the organization receives a list of issues to rectify and, upon completion, will receive the approval certification.

Set up a CSMS and Assure Compliance

Loc

Israel

24 HaNagar Street
Hod Hasharon
45277-13
Tel: +972 9 88 66 113

Loc

USA

41000 Woodward Ave
Building East, Suite 350
Bloomfield Hills, MI 48304
Tel: +1 833 4KARAMBA

Loc

Germany

Wasserburger
Landstr. 264, Munich
81827
Tel: +49 892 1547 7583