ISO/SAE 21434

The Complete Guide to ISO/SAE 21434 Automotive Cybersecurity

ISO/SAE 21434 is the international standard for cybersecurity engineering in road vehicles. This pillar guide covers every aspect of the standard — from organizational CSMS requirements and key clauses to TARA methodology, required work products, and how ThreatZ automates ISO/SAE 21434 compliance for OEMs and suppliers.

The Standard

What Is ISO/SAE 21434?

Understanding the foundational standard for automotive cybersecurity engineering and its role in the global regulatory landscape.

The Standard Defined

ISO/SAE 21434, officially titled “Road vehicles — Cybersecurity engineering,” is the international standard that defines cybersecurity engineering requirements for the entire lifecycle of road vehicle electrical and electronic (E/E) systems. Published jointly by ISO and SAE International in August 2021, it establishes a structured framework covering organizational cybersecurity management, risk assessment methods, secure product development, production processes, post-production operations, and end-of-life decommissioning.

The standard applies to all series-produced road vehicles and their components, including passenger cars, commercial vehicles, and aftermarket ECUs. It addresses cybersecurity at both the organizational level (policies, processes, competencies) and the engineering level (threat analysis, secure design, verification, and validation).

Relationship to UNECE R155 & WP.29

UNECE Regulation No. 155 (R155) is a binding regulation adopted by the World Forum for Harmonization of Vehicle Regulations (WP.29). It requires vehicle manufacturers to maintain an approved Cybersecurity Management System (CSMS) as a prerequisite for vehicle type approval. Since July 2024, R155 compliance is mandatory for all new vehicles sold in over 60 contracting parties, including the European Union, United Kingdom, Japan, and South Korea.

ISO/SAE 21434 serves as the recognized engineering framework for implementing and demonstrating CSMS compliance. While R155 defines what must be achieved, ISO/SAE 21434 defines how to achieve it through specific engineering processes and documented work products. Technical services and type approval authorities reference ISO/SAE 21434 when auditing an organization’s CSMS.

Who Needs to Comply?

ISO/SAE 21434 applies to every organization in the automotive supply chain that contributes to vehicle E/E system cybersecurity:

OEMs

Vehicle manufacturers bear primary responsibility for CSMS certification and type approval. They must ensure cybersecurity across the entire vehicle architecture and manage supplier requirements.

Tier-1 Suppliers

System and component suppliers must demonstrate cybersecurity engineering capability, provide TARA evidence, and integrate into OEM cybersecurity processes through Cybersecurity Interface Agreements (CIA).

Tier-2 & Beyond

Semiconductor vendors, software providers, and sub-component suppliers are increasingly required to provide cybersecurity evidence and participate in distributed development models defined by the standard.

Key Clauses

Structure of ISO/SAE 21434

The standard is organized into clauses that cover every phase of the automotive cybersecurity lifecycle. Here are the key requirements engineering teams must address.

Clause 5 — Organizational Cybersecurity Management

Establishes the organizational CSMS: governance policies, cybersecurity culture, roles and responsibilities, competence management, continuous improvement, and information sharing. The foundation for all other clauses.

Clause 6 — Project-Dependent Cybersecurity Management

Defines project-level cybersecurity activities: cybersecurity planning, tailoring of activities, cybersecurity case creation, cybersecurity assessment, and release for post-development.

Clause 7 — Distributed Cybersecurity Activities

Governs cybersecurity across the supply chain. Defines Cybersecurity Interface Agreements (CIA) between OEMs and suppliers to ensure responsibilities, deliverables, and evidence are clearly allocated.

Clause 8 — Continual Cybersecurity Activities

Requires continuous monitoring for cybersecurity vulnerabilities, threat intelligence gathering, and cybersecurity event evaluation throughout the product lifetime. Feeds into TARA updates.

Clause 9 — Concept Phase

Covers the cybersecurity concept: item definition, initial TARA execution, cybersecurity goal definition, and cybersecurity concept derivation. The starting point for engineering-level cybersecurity.

Clause 10 — Product Development

Mandates cybersecurity activities during design and implementation: cybersecurity specifications, secure design principles, integration, verification, and validation for both hardware and software.

Clause 11 — Cybersecurity Validation

Defines validation activities at the vehicle level to confirm that cybersecurity goals are met. Includes penetration testing, fuzz testing, and validation of the complete cybersecurity case before production release.

Clause 15 — Threat Analysis and Risk Assessment (TARA)

The cornerstone methodology of ISO/SAE 21434. Defines the systematic process for identifying assets, analyzing threats, assessing attack feasibility and impact, determining risk levels, and deriving cybersecurity goals. See the TARA process below.

TARA Methodology

Threat Analysis & Risk Assessment (TARA)

TARA is the core risk-based methodology defined in ISO/SAE 21434 Clause 15. It provides a systematic, repeatable process for identifying and evaluating cybersecurity risks throughout the vehicle lifecycle.

Asset Identification

Identify assets requiring protection: functions, data, interfaces, and hardware components. Determine their cybersecurity properties (confidentiality, integrity, availability, authenticity).

Threat Scenario Identification

Systematically identify threat scenarios using STRIDE or equivalent methodologies. Consider spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

Impact Assessment

Assess potential damage across four dimensions: safety, financial, operational, and privacy. Rate impact from negligible to severe for each dimension.

Attack Path Analysis

Model attack paths from entry points to target assets. Evaluate attack feasibility based on elapsed time, expertise, knowledge, window of opportunity, and equipment required.

Risk Determination

Combine impact and feasibility ratings using a risk matrix to determine risk levels (1–4). Higher risk levels require mandatory treatment and documented mitigation.

Risk Treatment

Select treatment options for each unacceptable risk: avoid, reduce, transfer, or accept. Derive cybersecurity goals and traceable security requirements for implementation.
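The six TARA steps above, carried through in code as an added example (not ThreatZ code and not the standard's normative tables): impact is rated on the four damage dimensions, attack feasibility is scored from the five attack-potential factors, both are looked up in a risk matrix yielding levels 1 to 4, and levels above a threshold are flagged for treatment. Every scale, threshold and matrix value is constructed for this illustration, and the telematics OTA scenario is a constructed input; a real TARA uses the rating schemes agreed for the project.

```python
# Illustrative TARA risk determination, added as an example (not ThreatZ code, not
# the standard's normative tables): rate impact on four dimensions, score feasibility
# from five attack-potential factors, look up a 1-4 risk level, flag treatment needs.
# All scales, thresholds and matrix values are constructed for this example.

IMPACT_RATINGS = ("negligible", "moderate", "major", "severe")   # index 0..3
FEASIBILITY_RATINGS = ("very low", "low", "medium", "high")      # index 0..3
DIMENSIONS = ("safety", "financial", "operational", "privacy")
# Each factor is scored 0 (easy for an attacker) .. 3 (hard) on a constructed scale.
FACTORS = ("elapsed_time", "expertise", "knowledge", "window_of_opportunity", "equipment")
TREATMENT_THRESHOLD = 3   # constructed: levels >= 3 require documented treatment

# Constructed matrix: RISK_MATRIX[impact_index][feasibility_index] -> level 1..4
RISK_MATRIX = (
    (1, 1, 1, 1),   # negligible impact
    (1, 2, 2, 3),   # moderate
    (1, 2, 3, 4),   # major
    (2, 3, 4, 4),   # severe
)

def impact_index(impact):
    """Overall impact is the worst rating across the four damage dimensions."""
    if set(impact) != set(DIMENSIONS):
        raise ValueError(f"impact must rate exactly {DIMENSIONS}")
    return max(IMPACT_RATINGS.index(r) for r in impact.values())

def feasibility_index(attack_potential):
    """Sum the five difficulty scores (0..15); more difficulty means lower feasibility."""
    if set(attack_potential) != set(FACTORS):
        raise ValueError(f"attack_potential must score exactly {FACTORS}")
    if not all(p in (0, 1, 2, 3) for p in attack_potential.values()):
        raise ValueError("each factor is scored 0..3")
    # constructed thresholds: 0-3 high, 4-7 medium, 8-11 low, 12-15 very low
    return 3 - sum(attack_potential.values()) // 4

def determine_risk(name, impact, attack_potential):
    """Risk determination and the treatment trigger for one threat scenario."""
    i, f = impact_index(impact), feasibility_index(attack_potential)
    level = RISK_MATRIX[i][f]
    return {"scenario": name, "impact": IMPACT_RATINGS[i],
            "feasibility": FEASIBILITY_RATINGS[f], "risk_level": level,
            "treatment_required": level >= TREATMENT_THRESHOLD}

OTA_TAMPERING = dict(   # constructed threat scenario used to exercise the functions
    name="Tampering with an OTA firmware image for the telematics ECU",
    impact={"safety": "major", "financial": "moderate",
            "operational": "major", "privacy": "negligible"},
    attack_potential={"elapsed_time": 1, "expertise": 2, "knowledge": 1,
                      "window_of_opportunity": 0, "equipment": 1},
)
```

Calling `determine_risk(**OTA_TAMPERING)` rates the constructed scenario major impact, medium feasibility, risk level 3, so it is flagged for treatment; the result dictionary is the record a TARA report would carry for that scenario.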

Work Products

Key Work Products Required by ISO/SAE 21434

ISO/SAE 21434 requires documented evidence at every phase. These work products form the audit trail that technical services evaluate during CSMS certification and type approval.

  • Cybersecurity Plan: Project-level plan defining all cybersecurity activities, tailoring decisions, milestones, and responsible parties.
  • TARA Report: Complete threat analysis and risk assessment documentation with asset inventory, threats, risk ratings, and treatment decisions.
  • Cybersecurity Goals: High-level security objectives derived from TARA, each linked to specific threats and risk levels.
  • Cybersecurity Specifications: Detailed security requirements for hardware and software, traceable to cybersecurity goals.
  • Cybersecurity Case: Comprehensive argument that the item achieves adequate cybersecurity, supported by evidence from all lifecycle phases.
  • Cybersecurity Interface Agreement: Formal agreement between customer and supplier defining distributed cybersecurity responsibilities and deliverables.
  • Vulnerability Analysis Report: Results of vulnerability analysis activities including known vulnerability checks, weakness analysis, and penetration testing.
  • Incident Response Plan: Documented procedures for cybersecurity incident detection, triage, response, and recovery throughout the vehicle lifetime.

ThreatZ Platform

How ThreatZ Implements ISO/SAE 21434 Compliance

ThreatZ is the purpose-built CSMS platform for automotive cybersecurity. It maps directly to ISO/SAE 21434 clauses, automating evidence collection, TARA workflows, and compliance reporting — reducing months of manual work to days.

TARA Module

AI-Powered Threat Analysis

Automated TARA workflows with AI-assisted threat identification, attack path modeling, and risk scoring. ThreatZ’s knowledge graph maps assets, threats, vulnerabilities, and controls — ensuring full traceability from cybersecurity goals to implementation evidence as required by Clause 15.

  • Automated threat scenario generation
  • Attack feasibility and risk determination
  • Full TARA evidence export for audits

Foundation Module

Living Compliance Reporting

Generate audit-ready ISO/SAE 21434 and UNECE R155 reports at any time. ThreatZ maintains living documentation that updates automatically as your project evolves — covering Clauses 5, 6, and 7 requirements for organizational and project-level cybersecurity management.

  • Automated work product generation
  • R155 type approval evidence packaging
  • Versioned exports with change history

BOM & Supply Chain

SBOM & Vulnerability Management

Manage your Software Bill of Materials and track vulnerabilities across your entire supply chain. ThreatZ integrates with CVE databases, NVD feeds, and vendor advisories — a critical requirement for Clause 8 continual cybersecurity activities and Clause 13 post-production operations.

  • Centralized SBOM management
  • Automated CVE/NVD correlation
  • Supply chain risk assessment

Operations Module

Incident & Testing Management

Manage cybersecurity incidents, security test campaigns, and penetration test findings. ThreatZ connects test results back to TARA evidence, ensuring complete traceability from identified risks through verification — fulfilling Clauses 10 and 11.

  • Structured incident response workflows
  • Security test campaign management
  • Test-to-TARA traceability linking

Multi-OEM Support

Supplier CSMS at Scale

For Tier-1 suppliers managing multiple OEM relationships, ThreatZ provides dedicated project workspaces, configurable compliance templates, and Cybersecurity Interface Agreement management — directly addressing Clause 7 distributed activities.

  • Multi-OEM project workspaces
  • CIA tracking and management
  • OEM-specific compliance templates

End-to-End Traceability

Knowledge Graph Intelligence

ThreatZ’s AI-powered knowledge graph connects every cybersecurity artifact — assets, threats, risks, controls, requirements, test results, and incidents — in a semantically linked model, delivering the traceability that ISO/SAE 21434 demands across all clauses.

  • Semantic artifact linking
  • Impact analysis for change management
  • Audit-ready traceability reports

Related Resources

Continue Learning About Automotive Cybersecurity

ISO/SAE 21434 TARA: Step-by-Step Implementation Guide

A practical, hands-on guide to implementing Threat Analysis and Risk Assessment per ISO/SAE 21434 with real automotive examples.

UNECE R155 Type Approval: What OEMs Need to Know

Everything about R155 type approval requirements, the CSMS certification process, and how ISO/SAE 21434 maps to regulatory compliance.

SBOM Management Best Practices for Automotive

Build, maintain, and leverage Software Bills of Materials across the automotive supply chain for ISO/SAE 21434 compliance.

FAQ

Frequently Asked Questions About ISO/SAE 21434

What is ISO/SAE 21434?

ISO/SAE 21434, officially titled “Road vehicles — Cybersecurity engineering,” is the international standard that defines cybersecurity engineering requirements for the entire lifecycle of road vehicle electrical and electronic (E/E) systems. Published jointly by ISO and SAE International in August 2021, it provides a structured framework covering organizational cybersecurity management, risk assessment methods (TARA), product development, production, operations, maintenance, and decommissioning.

What is the relationship between ISO/SAE 21434 and UNECE R155?

UNECE Regulation No. 155 (R155) is a binding regulation requiring vehicle manufacturers to have an approved Cybersecurity Management System (CSMS) for type approval. ISO/SAE 21434 is the engineering standard that provides the technical framework and processes to implement and demonstrate CSMS compliance. In practice, R155 defines “what” must be achieved (a certified CSMS), while ISO/SAE 21434 defines “how” to achieve it through specific engineering processes and work products. Technical services reference ISO/SAE 21434 when auditing an organization’s CSMS for R155 certification.

What is TARA in ISO/SAE 21434?

TARA stands for Threat Analysis and Risk Assessment. It is the core risk-based methodology defined in Clause 15 of ISO/SAE 21434. TARA involves systematically identifying assets and their cybersecurity properties, analyzing potential threat scenarios and attack paths, assessing the feasibility of attacks and the impact of successful exploitation, determining risk levels, and defining appropriate cybersecurity goals and requirements. TARA must be performed during the concept phase and updated throughout the product lifecycle whenever the threat landscape or system architecture changes.

Who needs to comply with ISO/SAE 21434?

ISO/SAE 21434 applies to all organizations involved in the development, production, and post-production of road vehicle E/E systems. This includes OEMs (Original Equipment Manufacturers), Tier-1 and Tier-2 suppliers, software providers, semiconductor companies, and any organization in the automotive supply chain that contributes to vehicle cybersecurity. While the standard itself is voluntary, compliance is effectively mandatory because UNECE Regulation No. 155 (R155) requires a certified Cybersecurity Management System (CSMS) for vehicle type approval in over 60 countries, and ISO/SAE 21434 is the recognized framework for demonstrating CSMS compliance.

ISO/SAE 21434 Compliance

Get ISO/SAE 21434 Compliant with ThreatZ.

Stop managing automotive cybersecurity compliance in spreadsheets. ThreatZ is the purpose-built CSMS platform that automates TARA, generates audit-ready reports, and provides end-to-end traceability — accelerating your path to ISO/SAE 21434 and UNECE R155 compliance.
