ISO/SAE 21434

ISO/SAE 21434, "Road vehicles — Cybersecurity engineering," is a standard that establishes guidelines and best practices for cybersecurity risk management regarding the engineering of road vehicle systems. It addresses the growing concern for the cybersecurity of vehicles in the context of increasingly connected and automated automotive technology.

Definition and purpose

The purpose of ISO/SAE 21434 is to provide a framework for ensuring cybersecurity resilience in the design, development, production, operation, maintenance, and decommissioning of road vehicle electrical and electronic (E/E) systems. This includes protecting these systems from malicious attacks, unauthorized access, damage, or anything else that might interfere with safe and secure operation.

Governing body

ISO/SAE 21434 is jointly developed by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE).

Last updated

ISO/SAE 21434 was published in 2021 and remains current.

Applies to

ISO/SAE 21434 is applicable to organizations involved in the production, design, manufacturing, and after-market services of road vehicles, including cars, trucks, buses, and motorcycles. It is relevant to automotive manufacturers, suppliers, cybersecurity engineering service providers, and aftermarket connectivity service providers.

Controls and requirements

The standard includes a comprehensive set of requirements and guidelines covering:

  • Cybersecurity Management System: Establishing and maintaining a cybersecurity management system (CSMS).
  • Cybersecurity Risk Management Process: Identifying and assessing cybersecurity risks, and defining appropriate mitigation strategies.
  • Concept Phase Requirements: Addressing cybersecurity at the early stages of product development.
  • Product Development: Incorporating cybersecurity considerations in the development of E/E systems.
  • Production, Operation, Maintenance, and Decommissioning: Ensuring ongoing cybersecurity throughout the vehicle lifecycle.
  • Event and Incident Response: Preparing and responding to cybersecurity incidents.

Please refer to the official ISO/SAE 21434:2021 documentation for details on controls and requirements.

Audit type, frequency, and duration

Audits related to ISO/SAE 21434 compliance typically involve a thorough examination of the organization's cybersecurity practices across all stages of vehicle development and lifecycle. Given the rapidly evolving nature of cybersecurity threats, regular audits are recommended, though specific frequencies can vary based on organizational size, complexity, and the nature of the vehicles produced.

The duration of these audits depends on the scope of the audit, the size of the organization, and the range of products and services under review.
