ISO/PAS 5112, published in 2022, provides guidelines for auditing cybersecurity engineering in road vehicles. It is the companion audit standard to ISO/SAE 21434, filling a critical gap in the automotive cybersecurity ecosystem: while ISO/SAE 21434 defines what organizations must do for cybersecurity engineering, ISO/PAS 5112 defines how to verify that they are actually doing it. For any organization seeking CSMS certification, preparing for UNECE R155 type approval, or conducting internal cybersecurity process assessments, ISO/PAS 5112 is the methodological foundation for the audit process.
This guide provides a comprehensive overview of ISO/PAS 5112: its scope and purpose, its relationship to ISO/SAE 21434 and ISO 19011, the audit principles it establishes, the audit process from program management through follow-up, the competence requirements for automotive cybersecurity auditors, the specific audit criteria for CSMS evaluation, common non-conformities encountered in practice, and practical guidance for preparing your organization for a cybersecurity audit.
Scope and Purpose of ISO/PAS 5112
ISO/PAS 5112 (full title: “Road vehicles — Guidelines for auditing cybersecurity engineering”) is a Publicly Available Specification that provides guidelines for conducting audits of cybersecurity processes in the automotive domain. The standard is applicable to the entire automotive supply chain: OEMs, Tier-1 suppliers, Tier-2 suppliers, and any organization involved in the development, production, or post-production management of road vehicle electrical and electronic systems.
The standard serves multiple purposes:
- CSMS certification audits: When a certification body audits an organization’s Cybersecurity Management System for compliance with ISO/SAE 21434 and UNECE R155, ISO/PAS 5112 provides the audit methodology.
- Internal audits: Organizations use ISO/PAS 5112 as the basis for internal cybersecurity process audits, ensuring that their own teams are following the established CSMS processes.
- Supplier audits: OEMs and Tier-1 suppliers conduct second-party audits of their suppliers’ cybersecurity capabilities using ISO/PAS 5112 as the framework.
- Pre-assessment and gap analysis: Organizations preparing for certification use ISO/PAS 5112 audit criteria to conduct gap analyses and identify areas requiring improvement before the formal audit.
ISO/PAS 5112 does not define cybersecurity requirements — that is the role of ISO/SAE 21434. Instead, it provides the audit methodology for evaluating whether an organization’s cybersecurity engineering processes conform to the requirements of ISO/SAE 21434 and are being effectively implemented.
Relationship to ISO/SAE 21434 and ISO 19011
ISO/PAS 5112 sits at the intersection of two parent standards:
ISO/SAE 21434: The Audit Criteria Source
ISO/SAE 21434 provides the cybersecurity engineering requirements that serve as the audit criteria for ISO/PAS 5112 audits. Every audit finding is evaluated against specific clauses of ISO/SAE 21434. The auditor assesses whether the organization has implemented the processes, work products, and controls required by ISO/SAE 21434, whether those processes are being followed consistently, and whether the outputs (work products such as TARA reports, cybersecurity goals, requirements, verification evidence) demonstrate effective implementation. Understanding ISO/SAE 21434 in detail is therefore a prerequisite for both auditors and auditees.
ISO 19011: The Audit Methodology Foundation
ISO 19011 (“Guidelines for auditing management systems”) provides the generic audit methodology upon which ISO/PAS 5112 builds. ISO/PAS 5112 adapts the ISO 19011 framework for the specific context of automotive cybersecurity engineering. This includes specialized audit criteria derived from ISO/SAE 21434, automotive-specific competence requirements for auditors, cybersecurity-specific evidence types and sampling strategies, and considerations for auditing distributed development activities across the automotive supply chain. Organizations already familiar with ISO 19011 from quality management (ISO 9001) or information security (ISO 27001) auditing will find the ISO/PAS 5112 audit process structurally familiar, with automotive cybersecurity-specific content overlaid on the general methodology.
Audit Principles
ISO/PAS 5112 establishes seven audit principles, adapted from ISO 19011 with automotive cybersecurity context. These principles guide auditor behavior and ensure audit quality:
- Integrity: Auditors must perform their work with honesty, diligence, and responsibility. In the cybersecurity context, this includes maintaining strict confidentiality of the security-sensitive information they encounter during audits — threat models, vulnerability data, security architectures, and attack feasibility assessments are all highly sensitive material.
- Fair presentation: Audit findings, conclusions, and reports must accurately and truthfully reflect the audit activities. Findings must be supported by objective evidence, not subjective impressions. Where evidence is ambiguous, the auditor must seek clarification rather than making assumptions.
- Due professional care: Auditors must exercise care commensurate with the importance and sensitivity of the cybersecurity engineering activities being audited. Safety-critical systems require more thorough evidence sampling than non-safety systems.
- Confidentiality: Cybersecurity audit evidence often includes information that could be exploited if disclosed: vulnerability assessments, attack paths, security architecture details, incident response procedures. Auditors must protect this information with the same rigor they would expect of the auditee.
- Independence: Auditors must be independent of the activities being audited. For internal audits, this means the auditor cannot audit their own work or the work of their direct team. For third-party certification audits, the auditor must have no consulting or commercial relationship with the auditee that could create a conflict of interest.
- Evidence-based approach: Audit conclusions must be based on verifiable evidence. In automotive cybersecurity, evidence includes documented processes, work products (TARA reports, cybersecurity cases, test reports), tool configurations, training records, and interviews with engineering staff. The auditor must sample evidence systematically to reach reliable conclusions.
- Risk-based approach: The audit scope, depth, and sampling strategy should be proportionate to the cybersecurity risk. Higher-risk items (safety-critical ECUs, externally connected components) warrant more thorough audit coverage than lower-risk items.
Audit Program Management
ISO/PAS 5112 requires organizations to establish and manage an audit program — the overall plan for conducting cybersecurity audits over a defined period (typically aligned with the CSMS certification cycle of three years). The audit program addresses:
Audit Program Scope
The program scope defines which organizational units, vehicle programs, development processes, and lifecycle phases will be covered by audits within the program period. For a large OEM, the scope might include corporate CSMS processes, multiple vehicle program-level cybersecurity activities, and supplier cybersecurity capability assessments. The scope should be comprehensive enough to cover all ISO/SAE 21434 clauses over the program period, but individual audits may focus on specific clauses or processes.
Audit Program Risk Assessment
The program manager must assess risks to the audit program itself: resource constraints that could prevent planned audits from being conducted, availability of qualified auditors, access to evidence and auditees, and the risk of audit fatigue in frequently audited teams. These risks are managed through contingency planning, auditor development programs, and coordination with project schedules.
Audit Scheduling
Audits should be scheduled to align with meaningful points in the development lifecycle. Auditing a TARA process during the concept phase provides timely feedback; auditing the same process after production start provides assurance but no opportunity for correction. Surveillance audits (between certification cycles) should be distributed across different ISO/SAE 21434 clauses to avoid repetitive coverage.
The Audit Process: Stages and Activities
ISO/PAS 5112 defines a structured audit process consisting of distinct stages, each with specific activities and outputs. The following table summarizes the stages:
| Audit Stage | Key Activities | Primary Outputs | Typical Duration |
|---|---|---|---|
| Preparation | | | |
| Audit initiation | Define audit objectives, scope, and criteria; appoint audit team; confirm feasibility | Audit mandate/authorization document | 1–2 weeks before audit |
| Document review | Review CSMS documentation, process descriptions, previous audit reports, organizational context | Document review findings; updated audit plan | 1–3 days |
| Audit planning | Prepare detailed audit plan: schedule, evidence sampling strategy, interview plan, checklist preparation | Detailed audit plan; audit checklists | 1–2 days |
| Execution | | | |
| Opening meeting | Confirm audit scope, plan, and logistics with auditee management; introduce audit team | Meeting minutes; confirmed audit plan | 30–60 minutes |
| On-site audit | Conduct interviews, review work products, observe processes, collect evidence, identify findings | Evidence records; draft findings | 2–5 days (varies by scope) |
| Audit team deliberation | Consolidate findings, classify conformity/non-conformity, prepare conclusions | Classified findings; draft conclusions | 0.5–1 day |
| Closing meeting | Present findings and conclusions to auditee management; discuss non-conformities and observations | Presented findings; agreed timeline for responses | 1–2 hours |
| Completion | | | |
| Audit reporting | Prepare formal audit report documenting scope, criteria, findings, evidence, conclusions, and recommendations | Formal audit report | 1–2 weeks after audit |
| Follow-up | Verify corrective actions for non-conformities; confirm effectiveness of corrections; close findings | Corrective action verification records; finding closure | 30–90 days after report |
Document Review (Stage 1 Audit)
The document review is often called the “Stage 1” or “readiness review” in certification contexts. The auditor reviews the organization’s documented CSMS before conducting the on-site audit. This review serves two purposes: assessing whether the documented processes address all ISO/SAE 21434 requirements (completeness check), and identifying areas that need deeper investigation during the on-site audit. The document review typically covers the cybersecurity policy, CSMS process descriptions, organizational roles and responsibilities, competence management records, supplier management procedures, and incident response plans.
On-Site Audit (Stage 2 Audit)
The on-site audit is where the auditor collects evidence of effective implementation. The auditor uses three primary evidence collection methods:
- Interviews: The auditor interviews personnel at various levels — management, cybersecurity engineers, project managers, TARA analysts, verification engineers — to assess their understanding of the CSMS processes and their roles within them. The auditor asks open-ended questions like “Walk me through how you conduct a TARA for a new vehicle item” rather than yes/no questions, to assess real understanding versus rote knowledge of documentation.
- Work product review: The auditor samples specific work products from actual vehicle programs: TARA reports, cybersecurity goals and requirements documents, traceability matrices, verification test reports, cybersecurity cases, vulnerability monitoring records, and incident response logs. The sampling strategy should be risk-based, focusing on safety-critical items and items with external connectivity.
- Process observation: Where possible, the auditor observes processes being performed in real time: a TARA workshop in progress, a cybersecurity review meeting, or a vulnerability triage session. Direct observation provides the strongest evidence of process implementation.
Auditor Competence Requirements
ISO/PAS 5112 places significant emphasis on auditor competence, recognizing that cybersecurity auditing requires a combination of audit methodology skills and deep technical knowledge. The standard defines competence requirements across multiple dimensions:
Generic Audit Competence
All auditors must have competence in audit principles and methodology (as defined in ISO 19011), audit planning and execution, evidence evaluation and finding classification, report writing and communication, and professional ethics and confidentiality management. This is typically demonstrated through formal auditor training (e.g., ISO 19011 lead auditor course) and audit experience.
Automotive Domain Knowledge
Cybersecurity auditors in the automotive domain must understand vehicle E/E architecture concepts (ECUs, buses, gateways, domain controllers), automotive development processes (V-model, ASPICE, agile adaptations), automotive safety concepts (ISO 26262, ASIL, functional safety), automotive communication protocols (CAN, CAN FD, Ethernet, LIN, FlexRay), the automotive supply chain structure (OEM, Tier-1, Tier-2 relationships), and vehicle lifecycle phases (concept, development, production, post-production, decommissioning).
Cybersecurity Technical Competence
Auditors must also have cybersecurity technical knowledge sufficient to evaluate the adequacy of the auditee’s cybersecurity engineering. This includes threat analysis and risk assessment methodologies, cryptographic concepts and their automotive application, secure software development practices, vulnerability management processes, network security and intrusion detection, and incident response and forensic concepts. The depth of technical knowledge required depends on the auditor’s role: the lead auditor must have broad cybersecurity knowledge to plan the audit and evaluate findings, while technical experts on the audit team may provide deeper expertise in specific areas.
ISO/SAE 21434 Specific Knowledge
All audit team members must have thorough knowledge of ISO/SAE 21434, including all clauses from organizational cybersecurity management (clause 5) through post-production cybersecurity (clause 13). The auditor must understand not just the requirements of each clause but the intent behind them — understanding why ISO/SAE 21434 requires a specific activity enables the auditor to evaluate whether the auditee’s implementation achieves the intended outcome, even if the implementation approach differs from the typical pattern.
The combination of audit methodology competence, automotive domain knowledge, and cybersecurity technical expertise makes automotive cybersecurity auditors a scarce resource. Organizations should invest in developing internal auditor competence early, rather than depending entirely on external audit providers.
Audit Criteria for CSMS Evaluation
The audit criteria for a CSMS evaluation are derived from ISO/SAE 21434. The auditor evaluates conformity against these criteria across all relevant clauses. The following summarizes the key evaluation areas:
Organizational Cybersecurity Management (Clause 5)
The auditor assesses whether the organization has established a cybersecurity policy, defined roles and responsibilities for cybersecurity activities, established a cybersecurity culture, allocated adequate resources, and implemented a cybersecurity management system that covers all lifecycle phases. Evidence includes the cybersecurity policy document, organizational charts showing cybersecurity roles, competence management records, and management review minutes.
Project-Dependent Cybersecurity Management (Clause 6)
For each sampled vehicle program, the auditor evaluates whether a cybersecurity plan exists and is being followed, whether cybersecurity activities are integrated into the project schedule, whether cybersecurity responsibilities are assigned for the project, and whether cybersecurity assessment and tailoring have been conducted appropriately. Evidence includes project cybersecurity plans, gate review records, and project staffing documentation.
Distributed Cybersecurity Activities (Clause 7)
The auditor evaluates the organization’s management of cybersecurity in supplier relationships: whether cybersecurity interface agreements exist with relevant suppliers, whether supplier cybersecurity capabilities have been assessed, and whether distributed work products meet the required quality. Evidence includes cybersecurity interface agreements, supplier assessment records, and incoming quality records for supplier deliverables.
Continual Cybersecurity Activities (Clause 8)
The auditor assesses whether the organization monitors for new cybersecurity information (vulnerabilities, threats, incidents), whether vulnerability management processes are operational, and whether cybersecurity events are assessed and triaged appropriately. Evidence includes vulnerability monitoring tool configurations, triage records, and cybersecurity event logs.
TARA (Clause 9) and Cybersecurity Concept (Clause 10)
These are typically the most heavily scrutinized clauses. The auditor evaluates whether TARA methodology is defined and consistently applied, whether asset identification is complete, whether threat scenarios are systematically identified, whether risk values are assessed using defined criteria, whether cybersecurity goals are derived from risk treatment decisions, whether cybersecurity requirements are traceable to goals and allocated to architecture elements, and whether the cybersecurity concept is adequate for the identified risks. Evidence includes TARA reports, risk matrices, goal-requirement traceability matrices, and cybersecurity concept documents.
Verification and Validation (Clauses 11–12)
The auditor evaluates whether cybersecurity requirements have been verified through appropriate methods (testing, analysis, inspection), whether verification rigor is commensurate with the CAL, and whether the cybersecurity case provides a convincing argument that the item achieves adequate cybersecurity. Evidence includes verification plans, test reports, analysis records, and the cybersecurity case document.
Post-Production Cybersecurity (Clause 13)
The auditor assesses whether the organization has processes for monitoring cybersecurity in production vehicles, managing field vulnerabilities, and conducting cybersecurity incident response. Evidence includes monitoring configurations, field vulnerability triage records, and incident response exercise records.
Common Non-Conformities in Practice
Based on industry experience with automotive cybersecurity audits, the following non-conformities are encountered most frequently:
Incomplete Asset Identification
The TARA process identifies only obvious assets (ECUs, communication buses) while missing less visible assets such as diagnostic interfaces, debug ports, stored cryptographic keys, calibration data, and personal data. The auditor finds that the threat analysis scope does not cover the full attack surface of the item.
Inconsistent Risk Assessment Methodology
Different project teams within the same organization apply different rating scales, different feasibility assessment criteria, or different risk acceptance thresholds. The auditor finds that the same threat scenario could receive different risk values depending on which team performs the assessment, indicating that the methodology is not sufficiently defined or not consistently trained.
Weak Goal-to-Requirement Traceability
Cybersecurity goals exist in one document and requirements in another, with no formal traceability links between them. When the auditor asks which requirements implement a specific goal, the auditee cannot provide a definitive answer without manual analysis. This is a clause 10 non-conformity and one of the most common findings.
Insufficient Verification Rigor for High-CAL Items
Requirements derived from high-CAL goals (CAL 3 or 4) are verified using the same methods as low-CAL requirements — for example, only review-based verification where independent testing is required. The auditor finds that the verification rigor does not match the assurance level demanded by the risk assessment.
Supplier Cybersecurity Not Managed
Cybersecurity interface agreements with suppliers are missing, incomplete, or not enforced. The auditor finds that third-party components are integrated without assessment of the supplier’s cybersecurity engineering processes, and no cybersecurity requirements have been communicated to the supplier.
Post-Production Monitoring Gaps
The organization has cybersecurity monitoring processes defined on paper but not operationally implemented. Vulnerability databases are not being systematically scanned for components in production vehicles. Incident response procedures exist but have never been tested through exercises. The auditor finds that post-production cybersecurity is a planning artifact rather than an operational reality.
Competence Management Weaknesses
Cybersecurity roles are assigned but the people filling those roles lack documented competence in automotive cybersecurity engineering. Training records are incomplete or absent. The organization cannot demonstrate that the people performing TARA, defining cybersecurity requirements, or conducting verification have the knowledge and skills required by ISO/SAE 21434 clause 5.
Preparing Your Organization for a Cybersecurity Audit
Preparation for a cybersecurity audit should begin months before the audit date. The following preparation activities significantly improve audit outcomes:
Conduct an Internal Gap Analysis
Before the external audit, conduct an internal assessment using ISO/PAS 5112 audit criteria against every clause of ISO/SAE 21434. Identify gaps where processes are not defined, not documented, or not consistently implemented. Prioritize gap closure based on risk: address gaps in safety-critical areas (TARA, cybersecurity concept, verification) before addressing administrative gaps.
Ensure Documentation Currency
Auditors assess documented processes against actual practice. If your CSMS documentation describes version 1 of a process but your teams are following version 3 (which was never formally updated in the documentation), the auditor will find a non-conformity. Review all CSMS documentation for accuracy and currency. Ensure that process descriptions match current practice, that role definitions match current organizational structure, and that referenced tools and templates are the ones actually in use.
Prepare Work Product Samples
Select representative vehicle programs whose work products (TARA reports, cybersecurity goals, requirements, verification evidence, cybersecurity cases) demonstrate mature, consistent implementation. Review these work products for completeness, consistency, and traceability. The auditor will sample from your portfolio — ensure that any sample they might select meets the standard’s requirements.
Brief Interviewees
The people who will be interviewed by the auditor should understand the audit process, know what to expect in an audit interview, and be prepared to explain their role in the CSMS and the specific work they perform. Briefing does not mean coaching people to give scripted answers — auditors detect rehearsed responses quickly. Briefing means ensuring that people can articulate what they actually do and can locate the evidence that supports their statements.
Verify Traceability Chains
Walk through the full traceability chain for at least two or three vehicle items: from cybersecurity information monitoring through vulnerability identification, TARA, cybersecurity goals, requirements, verification, and cybersecurity case. If you can walk through this chain smoothly with complete evidence at each step, the auditor will be able to do the same. If you encounter gaps in the chain, fix them before the audit.
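The traceability walk-through just described, together with the clause 10 traceability finding and the high-CAL verification rigor finding listed under Common Non-Conformities, can be pre-checked mechanically before the auditor arrives. The script below is an added example written for this guide; it is not code from the article, from ThreatZ, or from either standard. Its data model (threat scenario, cybersecurity goal, requirement, verification evidence), the CAL threshold of 3, and the set of verification methods it treats as "independent testing" are assumptions chosen for illustration, and the sample items are constructed.

```python
"""Pre-audit traceability chain check (added example, not from the article).

Models the chain threat scenario -> cybersecurity goal -> requirement ->
verification evidence as plain records and reports the gaps an auditor
would raise: untreated threat scenarios, goals with no implementing
requirement, orphan requirements, unverified requirements, and high-CAL
requirements verified by review alone.  Thresholds and method names are
assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumption: requirements derived from goals at CAL 3 or above need at
# least one of these methods in addition to review.  Illustrative set.
HIGH_CAL_THRESHOLD = 3
INDEPENDENT_METHODS = {"penetration test", "fuzz test", "functional test"}


@dataclass
class Goal:
    gid: str
    threat_scenario: str   # id of the TARA threat scenario this goal treats
    cal: int               # cybersecurity assurance level assigned to the goal


@dataclass
class Requirement:
    rid: str
    goal: Optional[str]    # parent goal id; None models a missing link
    verification: List[str] = field(default_factory=list)  # evidence methods


Finding = Tuple[str, str]


def check_chain(threats: Set[str], goals: List[Goal],
                reqs: List[Requirement]) -> List[Finding]:
    """Return (finding_type, item_id) pairs; an empty list means the chain
    is complete for the sampled item."""
    findings: List[Finding] = []
    goal_ids = {g.gid for g in goals}
    cal_by_goal = {g.gid: g.cal for g in goals}

    # 1. Threat scenarios with no goal: risk treatment decision not traceable.
    treated = {g.threat_scenario for g in goals}
    for tid in sorted(threats - treated):
        findings.append(("threat-without-goal", tid))

    # 2. Goals with no implementing requirement (the common clause 10 finding).
    implemented = {r.goal for r in reqs}
    for g in goals:
        if g.gid not in implemented:
            findings.append(("goal-without-requirement", g.gid))

    # 3. Requirement-level checks: parent link, evidence, rigor versus CAL.
    for r in reqs:
        if r.goal is None or r.goal not in goal_ids:
            findings.append(("requirement-without-goal", r.rid))
            continue
        if not r.verification:
            findings.append(("requirement-unverified", r.rid))
        elif (cal_by_goal[r.goal] >= HIGH_CAL_THRESHOLD
              and not set(r.verification) & INDEPENDENT_METHODS):
            findings.append(("high-cal-review-only", r.rid))
    return findings


def run_sample() -> List[Finding]:
    """Run the check over a constructed sample item with one of each gap."""
    threats = {"TS-01", "TS-02", "TS-03", "TS-04"}        # TS-04 untreated
    goals = [Goal("CG-01", "TS-01", cal=4),
             Goal("CG-02", "TS-02", cal=2),
             Goal("CG-03", "TS-03", cal=3)]               # no requirement
    reqs = [Requirement("CR-01", "CG-01", ["review"]),    # CAL 4, review only
            Requirement("CR-02", "CG-01", ["review", "penetration test"]),
            Requirement("CR-03", None, ["functional test"]),  # orphan
            Requirement("CR-04", "CG-02", [])]            # no evidence
    return check_chain(threats, goals, reqs)


if __name__ == "__main__":
    for kind, item in run_sample():
        print(f"{kind:28s} {item}")
```

Run against exported identifiers from your requirements and test management tools, a report of zero findings for each sampled item is the state to reach before the on-site audit; each finding type maps directly onto one of the non-conformities listed earlier, so the output doubles as a prioritized fix list.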
Test Incident Response Readiness
If your post-production cybersecurity processes include incident response, conduct at least one tabletop exercise before the audit. The auditor may ask about incident response capability, and the difference between “we have a procedure” and “we have a procedure and we tested it last quarter; here are the exercise results and the improvement actions we identified” is significant.
Review Previous Audit Findings
If this is a surveillance or re-certification audit, review all findings from previous audits. Ensure that corrective actions have been implemented, that their effectiveness has been verified, and that the same non-conformities have not recurred. Recurring findings indicate a systemic process problem that the auditor will escalate.
The Evolving Landscape: From PAS to Full Standard
ISO/PAS 5112 is a Publicly Available Specification, which in ISO terminology means it is a normative document that has been published through a faster development track than a full International Standard. The PAS designation indicates that the standard may be revised and upgraded to a full ISO standard (removing the “PAS” designation) after a review period. The automotive industry should expect ISO/PAS 5112 to evolve in several ways:
- Alignment with updated ISO/SAE 21434: As ISO/SAE 21434 is revised (the first edition was published in 2021, and revisions are being discussed), ISO/PAS 5112 will need to update its audit criteria to match.
- Integration with UNECE R155 audit requirements: Type approval authorities are developing their own audit procedures for CSMS certification. ISO/PAS 5112 provides a foundation, but national and regional adaptations may add specific requirements.
- Harmonization with other automotive audit standards: ISO/PAS 5112 will likely be harmonized with IATF 16949 audit approaches and with Automotive SPICE assessment methodology to reduce audit burden on organizations subject to multiple assessment regimes.
- Expansion of competence requirements: As the automotive cybersecurity field matures, auditor competence requirements will likely become more specific, potentially including formal certification schemes for automotive cybersecurity auditors.
How ThreatZ Supports Audit Readiness
ThreatZ is designed from the ground up with audit readiness as a core capability. The platform maintains complete, version-controlled traceability from cybersecurity information monitoring through TARA, goals, requirements, and verification evidence. Every change is logged with timestamp, author, and rationale, providing the audit trail that ISO/PAS 5112 auditors require.
ThreatZ generates audit-ready work products including TARA reports with complete methodology documentation, goal-to-requirement traceability matrices, cybersecurity case summaries with evidence links, and compliance coverage reports showing which ISO/SAE 21434 clauses are addressed by each work product. When an auditor requests evidence for a specific ISO/SAE 21434 clause, the ThreatZ platform can produce the relevant documentation within minutes rather than requiring days of manual collection from scattered spreadsheets and documents.
Key Takeaways
- ISO/PAS 5112 is the companion audit standard to ISO/SAE 21434, providing the methodology for verifying cybersecurity engineering conformity in automotive organizations.
- The standard builds on ISO 19011 generic audit methodology but adds automotive cybersecurity-specific audit criteria, competence requirements, and evidence evaluation guidance.
- The audit process follows a structured sequence: initiation, document review, planning, on-site audit (interviews, work product review, process observation), reporting, and follow-up.
- Auditor competence requires a combination of audit methodology skills, automotive domain knowledge, cybersecurity technical expertise, and deep ISO/SAE 21434 understanding.
- Common non-conformities cluster around incomplete asset identification, inconsistent risk assessment, weak traceability, insufficient verification rigor, unmanaged supplier cybersecurity, and non-operational post-production monitoring.
- Audit preparation should include internal gap analysis, documentation currency review, work product quality assurance, interviewee briefing, traceability chain verification, and incident response testing.
- Organizations that use integrated TARA platforms with enforced traceability and version-controlled evidence are significantly better positioned for successful audit outcomes than those relying on manual, document-based approaches.