Standard Overview
ISO/SAE 21434:2021 is a standard in force published by the International Organization for Standardization (ISO). It is commonly applied in the automotive, electronics and technology industries and is applicable to markets worldwide.
This page collects the official documents for ISO/SAE 21434:2021, its current status, and the certification and assessment bodies commonly associated with it, so that the requirements and the path to implementation can be understood quickly.
Cybersecurity by Design
Establishes a structured process-oriented approach to cybersecurity engineering across the entire vehicle E/E system lifecycle — from concept through decommissioning.
Threat & Risk Assessment
Requires systematic threat analysis and risk assessment (TARA) to identify cybersecurity threats, evaluate attack feasibility, and determine required risk treatment measures.
Continuous Monitoring
Mandates cybersecurity monitoring, vulnerability management, and incident response throughout the operational phase — cybersecurity does not end at production.
Key Process Areas
- Organizational cybersecurity management and governance
- Cybersecurity risk assessment methodology (TARA)
- Concept-phase cybersecurity goals and requirements
- Product development cybersecurity requirements (system, hardware, software)
- Cybersecurity validation and verification
- Production cybersecurity controls
- Operations and maintenance — monitoring and incident response
- Supplier cybersecurity capability management
Who Needs to Comply?
Automotive OEMs, Tier 1/2/3 suppliers, and engineering service providers involved in the development, production, or maintenance of E/E systems in road vehicles. Effectively mandated by UNECE WP.29 R155 for vehicles sold in the EU, Japan, and South Korea.
Key Requirements
Cybersecurity Management System
Establish organizational policies, processes, and responsibilities for cybersecurity engineering. Implement a cybersecurity management system that covers governance, competency, and continuous improvement.
Threat Analysis & Risk Assessment (TARA)
Perform systematic threat analysis identifying assets, threat scenarios, and attack paths. Assess cybersecurity risk based on impact (safety, financial, operational, privacy) and attack feasibility.
Cybersecurity Goals & Requirements
Define cybersecurity goals and derive cybersecurity requirements allocated to system components. Ensure traceability from threats through goals to specific implementation measures.
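The two sections above describe the TARA steps (asset, threat scenario, impact and attack feasibility ratings, risk value) and the traceability chain from threat scenario to cybersecurity goal. The following is an added worked example, not code from the page or from the standard, that carries one constructed threat scenario through those steps. The attack-potential factor scores, feasibility thresholds, risk matrix and treatment rule are patterned after the standard's informative annexes but are assumptions for illustration; calibrate them against the standard text and your organization's own risk matrix before relying on them.

```python
"""Illustrative TARA risk determination with goal traceability.

Added example; the scales and matrix are ASSUMPTIONS modelled on the
attack-potential approach and risk-matrix style of ISO/SAE 21434's
informative annexes, not a reproduction of the standard.
"""
from dataclasses import dataclass, field

IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]

# Attack-potential factors: higher score = more effort for the attacker (assumed values).
ATTACK_POTENTIAL = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "window": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9},
}

# Risk matrix (assumed): impact row x feasibility column -> risk value 1..5.
RISK_MATRIX = {
    "negligible": {"very low": 1, "low": 1, "medium": 1, "high": 1},
    "moderate":   {"very low": 1, "low": 2, "medium": 2, "high": 3},
    "major":      {"very low": 1, "low": 2, "medium": 3, "high": 4},
    "severe":     {"very low": 2, "low": 3, "medium": 4, "high": 5},
}


@dataclass
class ThreatScenario:
    scenario_id: str
    asset: str
    description: str
    # Impact rating per category: safety, financial, operational, privacy.
    impact: dict
    # Attack-potential factor choices for the most feasible known attack path.
    attack_factors: dict
    # Cybersecurity goal(s) this scenario traces to (filled in by the assessment).
    goal_ids: list = field(default_factory=list)


def attack_feasibility(factors: dict) -> str:
    """Sum the attack-potential factors and map the total to a feasibility rating."""
    score = sum(ATTACK_POTENTIAL[name][choice] for name, choice in factors.items())
    if score <= 13:
        return "high"
    if score <= 19:
        return "medium"
    if score <= 24:
        return "low"
    return "very low"


def overall_impact(ratings: dict) -> str:
    """Conservative aggregation: the overall impact is the highest category rating."""
    return max(ratings.values(), key=IMPACT_LEVELS.index)


def risk_value(impact: str, feasibility: str) -> int:
    return RISK_MATRIX[impact][feasibility]


def treatment_for(risk: int) -> str:
    """Assumed treatment rule: low risk may be accepted, high risk must be reduced or avoided."""
    if risk <= 1:
        return "accept"
    if risk <= 3:
        return "reduce or share"
    return "avoid or reduce"


def assess(scenario: ThreatScenario, goal_id: str) -> dict:
    """Run one scenario through the TARA steps and record the goal it traces to."""
    feasibility = attack_feasibility(scenario.attack_factors)
    impact = overall_impact(scenario.impact)
    risk = risk_value(impact, feasibility)
    scenario.goal_ids.append(goal_id)
    return {
        "scenario": scenario.scenario_id,
        "impact": impact,
        "feasibility": feasibility,
        "risk": risk,
        "treatment": treatment_for(risk),
        "traces_to": list(scenario.goal_ids),
    }


# Constructed sample scenario (hypothetical identifiers and ratings).
SAMPLE = ThreatScenario(
    scenario_id="TS-001",
    asset="telematics control unit software image",
    description="Unauthorized modification of the update image leads to loss of integrity",
    impact={"safety": "major", "financial": "major", "operational": "moderate", "privacy": "negligible"},
    attack_factors={"elapsed_time": "<=1 month", "expertise": "expert", "knowledge": "restricted",
                    "window": "moderate", "equipment": "specialized"},
)

if __name__ == "__main__":
    print(assess(SAMPLE, "CSG-01: update images shall be authenticated before installation"))
```

The dictionary returned by `assess` is the row a TARA worksheet needs: the rating inputs, the derived risk value, the treatment decision, and the goal identifier that gives traceability from the threat scenario forward to requirements and verification.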
Verification & Validation
Verify cybersecurity requirements through testing (penetration testing, fuzz testing, vulnerability scanning) and validate that cybersecurity goals are met at the vehicle level.
Post-Production Cybersecurity
Implement cybersecurity monitoring for fielded vehicles, maintain a vulnerability management process, and establish incident response procedures for cybersecurity events throughout the vehicle operational lifecycle.
Penalties & Enforcement
No direct penalties from the standard itself. However, UNECE R155 requires a certified Cybersecurity Management System (CSMS) for type approval in 60+ countries. Without compliance, OEMs cannot sell new vehicle types (mandatory from July 2022) or, from July 2024, any new vehicles in regulated markets.