Standard Overview
ISO/SAE 21434:2021 is a current, in-force standard published jointly by the International Organization for Standardization (ISO) and SAE International. It covers cybersecurity engineering for the electrical/electronic (E/E) systems of road vehicles and is applied worldwide by the automotive industry and its electronics and technology suppliers.
This page summarises the official documents for ISO/SAE 21434:2021, its current status, and the certification and assessment bodies commonly associated with it, so that the requirements and a path to implementation can be understood quickly.
Cybersecurity by Design
Establishes a structured, process-oriented approach to cybersecurity engineering across the entire lifecycle of the vehicle's E/E systems, from concept through development, production, operations and maintenance to decommissioning.
Threat & Risk Assessment
Requires systematic threat analysis and risk assessment (TARA) to identify cybersecurity threats, evaluate attack feasibility, and determine required risk treatment measures.
Continuous Monitoring
Mandates cybersecurity monitoring, vulnerability management, and incident response throughout the operational phase — cybersecurity does not end at production.
Key Process Areas
- Organizational cybersecurity management and governance
- Cybersecurity risk assessment methodology (TARA)
- Concept-phase cybersecurity goals and requirements
- Product development cybersecurity requirements (system, hardware, software)
- Cybersecurity validation and verification
- Production cybersecurity controls
- Operations and maintenance — monitoring and incident response
- Supplier cybersecurity capability management
Who Needs to Comply?
Automotive OEMs, Tier 1/2/3 suppliers, and engineering service providers involved in the development, production, or maintenance of E/E systems in road vehicles. In practice it is required by UNECE WP.29 Regulation No. 155 (R155), which demands a certified Cybersecurity Management System for type approval in markets such as the EU, Japan, and South Korea; conformance with ISO/SAE 21434 is the industry-recognised way to demonstrate that CSMS.
Key Requirements
Cybersecurity Management System
Establish organizational policies, processes, and responsibilities for cybersecurity engineering. Implement a cybersecurity management system that covers governance, competency, and continuous improvement.
Threat Analysis & Risk Assessment (TARA)
Perform systematic threat analysis identifying assets, threat scenarios, and attack paths. Assess cybersecurity risk based on impact (safety, financial, operational, privacy) and attack feasibility.
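As an added worked example (not material from the standard, the page, or any vendor tooling), the following Python script carries the TARA described in this section and in the Threat & Risk Assessment summary above through its steps: attack-potential rating of each attack path, the attack feasibility derived from it, impact rated per category (safety, financial, operational, privacy), and the risk value read from a risk matrix. The parameter values and the matrix follow the informative annexes of ISO/SAE 21434 as recalled by the author of this example; the threat scenario, the choice of the easiest attack path as the scenario's feasibility, and the treatment thresholds are assumptions. Check all of them against your copy of the standard and your organisation's tailored method.

```python
"""Worked TARA risk determination in the manner of ISO/SAE 21434.

Added illustration, not text or tooling from the standard. The attack-potential
parameter values are assumed from the informative Annex G and the risk matrix
from the example matrix in Annex H; verify both against your copy of the standard.
"""
from dataclasses import dataclass
from enum import IntEnum

# Attack-potential parameters (assumed values from the informative Annex G).
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}


class Impact(IntEnum):
    NEGLIGIBLE = 0
    MODERATE = 1
    MAJOR = 2
    SEVERE = 3


class Feasibility(IntEnum):
    VERY_LOW = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Example risk matrix (assumed from Annex H): row = impact, column index = Feasibility value.
RISK_MATRIX = {
    Impact.SEVERE: (2, 3, 4, 5),
    Impact.MAJOR: (1, 2, 3, 4),
    Impact.MODERATE: (1, 2, 2, 3),
    Impact.NEGLIGIBLE: (1, 1, 1, 1),
}


def attack_potential(elapsed_time, expertise, knowledge, window, equipment):
    """Sum of the five attack-potential parameters; a lower sum means an easier attack."""
    return (ELAPSED_TIME[elapsed_time] + EXPERTISE[expertise] + KNOWLEDGE[knowledge]
            + WINDOW[window] + EQUIPMENT[equipment])


def feasibility_from_potential(potential):
    """Map an attack-potential sum to an attack feasibility rating (assumed Annex G bands)."""
    if potential <= 13:
        return Feasibility.HIGH
    if potential <= 19:
        return Feasibility.MEDIUM
    if potential <= 24:
        return Feasibility.LOW
    return Feasibility.VERY_LOW


def risk_value(impact, feasibility):
    """Look up the 1..5 risk value for an impact/feasibility pair."""
    return RISK_MATRIX[impact][int(feasibility)]


def treatment(risk):
    """Assumed decision rule: the standard names the options (avoid, reduce, share,
    retain) but leaves the thresholds to the organisation."""
    if risk >= 4:
        return "reduce (derive a cybersecurity goal and a control)"
    if risk >= 2:
        return "reduce or share, with documented rationale"
    return "retain, with documented rationale"


@dataclass(frozen=True)
class AttackPath:
    description: str
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def potential(self):
        return attack_potential(self.elapsed_time, self.expertise, self.knowledge,
                                self.window, self.equipment)


@dataclass(frozen=True)
class ThreatScenario:
    asset: str
    description: str
    impact: dict          # category ("safety", "financial", ...) -> Impact
    attack_paths: tuple   # AttackPath instances that realise the scenario


def assess(scenario):
    """Rate a scenario: its feasibility is that of its easiest attack path, and the
    overall risk is the worst per-category value (assumed convention, not mandated)."""
    easiest = min(scenario.attack_paths, key=AttackPath.potential)
    feasibility = feasibility_from_potential(easiest.potential())
    per_category = {cat: risk_value(imp, feasibility) for cat, imp in scenario.impact.items()}
    overall = max(per_category.values())
    return {"easiest_path": easiest.description, "attack_potential": easiest.potential(),
            "feasibility": feasibility.name, "risk_per_category": per_category,
            "risk": overall, "treatment": treatment(overall)}


# Constructed sample scenario: not from the standard or any real vehicle programme.
BRAKE_DIAG_SCENARIO = ThreatScenario(
    asset="Brake ECU extended diagnostic session",
    description="Attacker unlocks the extended diagnostic session and disables ABS while driving",
    impact={"safety": Impact.SEVERE, "financial": Impact.MAJOR,
            "operational": Impact.MAJOR, "privacy": Impact.NEGLIGIBLE},
    attack_paths=(
        AttackPath("Remote: compromise telematics unit, inject UDS requests via gateway",
                   "<=6 months", "expert", "confidential", "moderate", "specialized"),
        AttackPath("Local: OBD-II port with an off-the-shelf diagnostic tester",
                   "<=1 week", "proficient", "restricted", "moderate", "specialized"),
    ),
)

if __name__ == "__main__":
    for key, value in assess(BRAKE_DIAG_SCENARIO).items():
        print(f"{key}: {value}")
```

The point to notice is that the remote path scores 38 (very low feasibility) while the local OBD-II path scores 15 (medium), so the scenario's risk is driven by the physical path; a TARA that only modelled the remote path would under-rate it. The resulting risk value of 4 for the safety category is what then justifies a cybersecurity goal and the traceable requirements that follow.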
Cybersecurity Goals & Requirements
Define cybersecurity goals and derive cybersecurity requirements allocated to system components. Ensure traceability from threats through goals to specific implementation measures.
Verification & Validation
Verify cybersecurity requirements through reviews, analysis, and testing (including penetration testing, fuzz testing, and vulnerability scanning), and validate at the vehicle level that the cybersecurity goals are met and the residual risk is acceptable.
Post-Production Cybersecurity
Implement cybersecurity monitoring for fielded vehicles, maintain a vulnerability management process, and establish incident response procedures for cybersecurity events throughout the vehicle operational lifecycle.
Penalties & Enforcement
The standard itself imposes no penalties. However, UNECE R155 requires a certified Cybersecurity Management System (CSMS) for vehicle type approval in the 60+ contracting parties to the UNECE 1958 Agreement that apply it, and conformance with ISO/SAE 21434 is the recognised way to demonstrate that CSMS. Without it an OEM cannot obtain type approval in those markets: in the EU the requirement has applied to new vehicle types since July 2022 and to all newly produced vehicles since July 2024.