ISO/SAE 21434:2021
Road vehicles — Cybersecurity engineering
Standard Introduction
ISO/SAE 21434:2021 is an active standard published by the International Organization for Standardization (ISO). It is commonly used across the automotive, electronics, and technology sectors and applies globally.
Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with ISO/SAE 21434:2021.
Cybersecurity by Design
Establishes a structured process-oriented approach to cybersecurity engineering across the entire vehicle E/E system lifecycle — from concept through decommissioning.
Threat & Risk Assessment
Requires systematic threat analysis and risk assessment (TARA) to identify cybersecurity threats, evaluate attack feasibility, and determine required risk treatment measures.
Continuous Monitoring
Mandates cybersecurity monitoring, vulnerability management, and incident response throughout the operational phase — cybersecurity does not end at production.
Key Process Areas
- Organizational cybersecurity management and governance
- Cybersecurity risk assessment methodology (TARA)
- Concept-phase cybersecurity goals and requirements
- Product development cybersecurity requirements (system, hardware, software)
- Cybersecurity validation and verification
- Production cybersecurity controls
- Operations and maintenance — monitoring and incident response
- Supplier cybersecurity capability management
Who Needs to Comply?
Automotive OEMs, Tier 1/2/3 suppliers, and engineering service providers involved in the development, production, or maintenance of E/E systems in road vehicles. Effectively mandated by UNECE WP.29 R155 for vehicles sold in the EU, Japan, and South Korea.
Key Requirements
Cybersecurity Management System
Establish organizational policies, processes, and responsibilities for cybersecurity engineering. Implement a cybersecurity management system that covers governance, competency, and continuous improvement.
Threat Analysis & Risk Assessment (TARA)
Perform systematic threat analysis identifying assets, threat scenarios, and attack paths. Assess cybersecurity risk based on impact (safety, financial, operational, privacy) and attack feasibility.
Cybersecurity Goals & Requirements
Define cybersecurity goals and derive cybersecurity requirements allocated to system components. Ensure traceability from threats through goals to specific implementation measures.
Verification & Validation
Verify cybersecurity requirements through testing (penetration testing, fuzz testing, vulnerability scanning) and validate that cybersecurity goals are met at the vehicle level.
Post-Production Cybersecurity
Implement cybersecurity monitoring for fielded vehicles, maintain a vulnerability management process, and establish incident response procedures for cybersecurity events throughout the vehicle operational lifecycle.
Penalties & Enforcement
No direct penalties come from the standard itself. However, UNECE R155 requires a certified Cybersecurity Management System (CSMS) for type approval in 60+ countries. Without compliance, OEMs cannot obtain type approval for new vehicle types (mandatory from July 2022) or for all new vehicles (from July 2024) in regulated markets.
Official Documentation
Official PDF for ISO/SAE 21434:2021
Official publication or summary for ISO/SAE 21434:2021
Official online resource
International Organization for Standardization (ISO) guidance and reference material
Implementation toolkit
Templates, guidance, or companion resources for ISO/SAE 21434:2021