Product Security per ISO/SAE 21434.
Cybersecurity by design for the mobility of tomorrow.
ISO/SAE 21434 is the international standard for cybersecurity in the automotive sector. It defines requirements and processes to protect vehicles, electronic control units (ECUs) and connected components against cyber threats over the entire product lifecycle.
With increasing vehicle connectivity, over-the-air updates and autonomous driving functions, the risk of targeted cyberattacks rises. Product security per ISO/SAE 21434 ensures that security is built into development from day one.
Six modules — from CSMS to supply chain.
Modular and close to development: each building block can be adopted on its own or combined into a complete cybersecurity program.
ISO/SAE 21434 carries the load, but not alone.
Product security in the automotive context combines ISO/SAE 21434 with the UNECE regulations, the CRA, TISAX and overarching ISO 27001 governance.
From maturity check to type approval.
Six steps — aligned with development phases, audit dates and R155 deadlines.
- 01 Gap & maturity analysis: current state measured against ISO/SAE 21434, R155, R156 and CRA; identification of critical gaps in CSMS, engineering and supply-chain processes.
- 02 CSMS build-up: establishment of governance, roles, risk management and vulnerability management, designed for type approval.
- 03 TARA & cybersecurity goals: systematic threat analysis per vehicle architecture and component; derivation of protection goals and security requirements.
- 04 Secure development: integration of secure development practices such as threat modeling, code analysis, pentesting, HSM concepts, secure boot and OTA security.
- 05 Supplier management: contractual anchoring of cybersecurity requirements, Tier-1/Tier-2 assessments and evidence flows across the supply chain.
- 06 Audit & operations: audit preparation, support during type approval, establishment of a Vehicle SOC and continuous improvement over the lifecycle.
Frequently asked questions on product security.
What is the difference between ISO/SAE 21434 and UNECE R155?
UNECE R155 is a binding type-approval regulation: without CSMS evidence you no longer get type approval for vehicle categories M, N and O from July 2024. ISO/SAE 21434 is the methodological standard that describes how a CSMS must be built. R155 thus presupposes what 21434 specifies. In practice, 21434 is the concrete blueprint and R155 the obligation.
Are Tier-1 and Tier-2 suppliers directly affected by R155?
Not directly: the obligation under UNECE R155 rests with the OEM. However, the OEM passes the ISO/SAE 21434 requirements on to its suppliers contractually. Tier-1 and Tier-2 suppliers must therefore deliver CSMS-, TARA- and SDLC-conformant processes, or they are disqualified as suppliers. We help suppliers make their processes OEM-ready.
How long does it take to build up a CSMS?
Realistically 12–24 months for a complete CSMS up to audit readiness, depending on maturity and product portfolio. Of this, typically 3–6 months go to gap analysis and roadmap, 6–12 months to build-up and piloting, and 3–6 months to roll-out, training and audit preparation.
How does ISO/SAE 21434 relate to the CRA?
Both address the cybersecurity of connected products but differ in scope. ISO/SAE 21434 is automotive-specific (with the R155 obligation behind it); the CRA is horizontal and applies to all products with digital elements. For vehicles, 21434 fulfills a large part of the CRA requirements, but not all. We map both sets of requirements onto an integrated evidence framework.
Do you also offer penetration tests on vehicle ECUs?
Yes, either as part of the SDLC or as a stand-alone engagement. We test ECU hardware, firmware, bus communication (CAN, LIN, FlexRay, Automotive Ethernet), wireless interfaces (Bluetooth, WiFi, V2X) and backend connections (OTA, telematics). Methodologically we work according to OWASP IoT, ISO/SAE 21434 Annex G and our own automotive pentest methodology.
We build industrial products, not cars — does this apply to us?
ISO/SAE 21434 is automotive-specific, but its methodology is broadly transferable. For industrial products, IEC 62443-4 (secure product development), ISO/IEC 27034 or the CRA requirements are more applicable. We also serve machinery manufacturers, medical-device manufacturers and IoT producers; the engineering practices (TARA, secure boot, threat modeling, SDLC) are cross-sector.
Protect Your Organization Now!
Contact us for an individual consultation and a security solution tailored to your requirements.
Valeri Milke, CEO of VamiSec
"Only when all instruments are well-tuned does your organization become secure and compliant."
