verified_user
Standardful
Homechevron_rightStandardschevron_rightISO/SAE 21434:2021
ActiveInternational Standardupdate Standard Updated: Aug 2021fact_check Fact checked: Jun 28, 2026

ISO/SAE 21434:2021

Road vehicles — Cybersecurity engineering

apartmentPublishing Organization:International Organization for Standardization (ISO)

Standard Introduction

ISO/SAE 21434:2021 is an active standard published by International Organization for Standardization (ISO). It is commonly used across Automotive, Electronics, Technology and applies in Global.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with ISO/SAE 21434:2021.

security

Cybersecurity by Design

Establishes a structured process-oriented approach to cybersecurity engineering across the entire vehicle E/E system lifecycle — from concept through decommissioning.

bug_report

Threat & Risk Assessment

Requires systematic threat analysis and risk assessment (TARA) to identify cybersecurity threats, evaluate attack feasibility, and determine required risk treatment measures.

monitoring

Continuous Monitoring

Mandates cybersecurity monitoring, vulnerability management, and incident response throughout the operational phase — cybersecurity does not end at production.

list_alt Key Process Areas

  • Organizational cybersecurity management and governance
  • Cybersecurity risk assessment methodology (TARA)
  • Concept-phase cybersecurity goals and requirements
  • Product development cybersecurity requirements (system, hardware, software)
  • Cybersecurity validation and verification
  • Production cybersecurity controls
  • Operations and maintenance — monitoring and incident response
  • Supplier cybersecurity capability management

Who Needs to Comply?

groups

Automotive OEMs, Tier 1/2/3 suppliers, and engineering service providers involved in the development, production, or maintenance of E/E systems in road vehicles. Effectively mandated by UNECE WP.29 R155 for vehicles sold in the EU, Japan, and South Korea.

Key Requirements

1

Cybersecurity Management System

Establish organizational policies, processes, and responsibilities for cybersecurity engineering. Implement a cybersecurity management system that covers governance, competency, and continuous improvement.

2

Threat Analysis & Risk Assessment (TARA)

Perform systematic threat analysis identifying assets, threat scenarios, and attack paths. Assess cybersecurity risk based on impact (safety, financial, operational, privacy) and attack feasibility.

3

Cybersecurity Goals & Requirements

Define cybersecurity goals and derive cybersecurity requirements allocated to system components. Ensure traceability from threats through goals to specific implementation measures.

4

Verification & Validation

Verify cybersecurity requirements through testing (penetration testing, fuzz testing, vulnerability scanning) and validate that cybersecurity goals are met at the vehicle level.

5

Post-Production Cybersecurity

Implement cybersecurity monitoring for fielded vehicles, maintain a vulnerability management process, and establish incident response procedures for cybersecurity events throughout the vehicle operational lifecycle.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare scope, ownership and regulatory context

Define the road-vehicle cybersecurity engineering lifecycle scope across vehicle E/E systems, software, components, interfaces, suppliers, production, operations, maintenance, incident response, and decommissioning. Assign accountable owners, identify applicable legal, customer, certification, or market-access drivers, and agree the evidence model before remediation starts.

2
Phase 2schedule Duration: 4-8 weeks

Gap analysis and risk-based planning

Assess current practices against ISO/SAE 21434 expectations and risk context. Review cybersecurity governance, item definition, threat analysis and risk assessment, cybersecurity goals, requirements, validation, vulnerability management, production controls, monitoring, and incident response, then prioritize gaps by legal exposure, customer impact, safety or privacy risk, and audit or submission readiness.

3
Phase 3schedule Duration: 8-20 weeks

Implement controls, documentation and evidence

Deploy the required processes, controls, reviews, training, supplier controls, and documented information. Build traceable evidence around cybersecurity plans, item definitions, TARA records, risk treatment decisions, cybersecurity requirements, verification results, vulnerability triage, incident records, supplier agreements, and cybersecurity cases.

4
Phase 4schedule Duration: Ongoing

Review, audit and maintain compliance

Complete internal reviews, readiness checks, and corrective actions before the cybersecurity assessment or customer audit. Keep the program current after product, supplier, legal, customer, incident, or operational changes.

Compliance Checklist

0 / 12

checklist Scope and accountability

checklist Controls and records

checklist Monitoring and improvement

Penalties & Enforcement

warning

No direct penalties from the standard itself. However, UNECE R155 requires a certified Cybersecurity Management System (CSMS) for type approval in 60+ countries. Without compliance, OEMs cannot sell new vehicle types (mandatory from July 2022) and all new vehicles (from July 2024) in regulated markets.

Frequently Asked Questions

Who needs ISO/SAE 21434?

expand_more

ISO/SAE 21434 is relevant for organizations whose activities fall within vehicle E/E systems, software, components, interfaces, suppliers, production, operations, maintenance, incident response, and decommissioning. It is commonly driven by regulation, customers, procurement requirements, market access, or the need to demonstrate disciplined control over high-impact risks.

What is the core purpose of ISO/SAE 21434?

expand_more

The core purpose is to create a repeatable program for cybersecurity governance, item definition, threat analysis and risk assessment, cybersecurity goals, requirements, validation, vulnerability management, production controls, monitoring, and incident response. The details vary by sector, but the practical goal is to make obligations visible, assign ownership, operate controls, and keep evidence current.

What should be done first?

expand_more

Start by confirming scope and ownership. Many failures come from unclear boundaries, missing accountable owners, or evidence that does not match the actual product, service, system, or data flow.

How long does implementation take?

expand_more

A focused implementation can take several months. Timelines depend on maturity, number of products or sites, supplier involvement, technical complexity, test evidence, and the depth of external review required.

What evidence is most useful?

expand_more

Useful evidence includes cybersecurity plans, item definitions, TARA records, risk treatment decisions, cybersecurity requirements, verification results, vulnerability triage, incident records, supplier agreements, and cybersecurity cases. Auditors, regulators, customers, or reviewers usually expect evidence that controls are operating, not only that policies exist.

How should suppliers be handled?

expand_more

Supplier responsibilities should be defined contractually and operationally. High-risk suppliers need due diligence, flow-down requirements, evidence requests, performance monitoring, and escalation routes for findings or incidents.

How often should the program be reviewed?

expand_more

Review frequency should follow risk and change. Annual reviews are common, but product releases, incidents, regulatory changes, customer requirements, major suppliers, or audit findings should trigger targeted review sooner.

Can this be integrated with other compliance programs?

expand_more

Yes. ISO/SAE 21434 can often share governance, training, supplier management, document control, issue tracking, internal audit, and management review with related standards, while keeping its specific legal or technical evidence separate.

Official Documentation

View All

Implementation Timeline

gavel
Jun 2020
UNECE WP.29 adopts R155 regulation requiring Cybersecurity Management Systems for vehicle type approval
check_circle
Aug 2021
ISO/SAE 21434:2021 published as the international standard for automotive cybersecurity engineering
calendar_today
Jul 2022
UNECE R155 becomes mandatory for all new vehicle types in regulated markets
directions_car
Jul 2024
UNECE R155 extends to all new vehicles produced (not just new types)
update
2025
Revision work begins to address evolving threat landscape and software-defined vehicle architectures

Related Categories