This article is the third episode of a blog series covering cyber security trends and best practices to be addressed by automotive stakeholders for implementing State-of-the-Art technics and meeting required compliance levels.

Previous episode


Upcoming episode

  • Cyber Security for Road Vehicles – EP.4 – From process to products
  • And even more to come…


EP.1 of that blog series introduced new cyber security requirements (especially regarding impact on suppliers) vehicle manufacturers have to fulfill for claiming for new type approvals since June 2022, while EP.2 described approval procedures with road vehicle authorities.


As a prerequisite for any new type approval, UN ECE R155 requires from manufactures the demonstration of implemented Cyber Security Management System (so-called CSMS). As we all know, road vehicle cyber security is a rapidly-evolving domain where organizations need to implement new “way-of-working” for minimizing new risks raising from events and incident on a daily basis.


For coping with such new paradigms, the establishment of new processes is non-negotiable. Those new practices are usually bundled and considered as management system dedicated to cyber / product security risks handling. A CSMS might either be integrated as a pillar of a higher-level component such as a Quality Management System (QMS), or built as an independent set of activities to be interfaced with existing way-of-working.

Implementation variants are intrinsically not critical for reaching compliance, but might have a strong impact on organization efficiency.


Main component of such CSMS should include:

  • Roles and responsibilities related to cyber / product security (incl. competence management)
  • Cyber security lifecycle throughout entire vehicle lifetime (development, production and post-production phases), incl.
      • Early-stage & continuous cyber risk assessment
      • Secure design & implementation
      • Security testing
      • Continuous security monitoring
      • Vulnerability management & incident handling
  • Cyber risk handling throughout supply chain (incl. supplier management)


Those topics might obviously be addressed and documented from different perspectives and approaches. Below an overview of a typical CSMS structure:

As illustrated above, a typical management system could be segmented on three levels:


  • #1 level – Top-level policy and/or directive: At that level, the goal is to formalize the CSMS scope, its objectives, and specific considerations on a high-level. Such a document also aims to collect top management commitment about importance of cyber / product security
  • #2 level – Process groups: At that level, the goal is to group and document similar activities, based on criteria such as topic, people involved, interfaces with other activities than cyber/product security… Such activities need to be described as processes from an operational perspective
      • Example 1 – Competence management: With the goal to maintain sufficient competences throughout organization teams, processes for evaluating / qualifying staff and identifying potential training needs might be developed (not exhaustive list)
      • Example 2 – Supplier management: With the goal to address cyber/product security from and end-to-end manner throughout the supply chain, processes for identifying expectations from suppliers and product security requirements through interface agreement (CIAD = Cybersecurity Interface Agreement for Development) might be developed (not exhaustive list)
  • #3 level – Supporting resource: For ensuring the implementation of processes described on higher-level, supporting resources should be developed for generating process outputs / records. This level would include heterogenous documentation such as forms, guidelines, templates, tools etc.


Such a structure is only an example of a pragmatic method to build and represent a management system dedicated to a specific discipline. Similar approaches might be applied for building Software Update Management System (SUMS) according to UN ECE R156 or any other instances of management system.


For more information on SUMS, feel free to have a look on our blog series dedicated to that topic here.


Audit preparation – ISO/PAS 5112 & VDA

As a preparation for audit from authorities, some references are good to considered for anticipating auditor questions and evaluation criteria. In that context, ISO/PAS 5112 and VDA ACSMS Red Volume are describing examples of audit questions with potential evidence to be presented by auditees.

As example of evidence, strong references are made to ISO/SAE 21434 work products which is again illustrating the relevance to that technical standard for meeting UN ECE R155 compliance. Relationships between those documents are illustrated below.

More details about such auditing guidelines will be given through upcoming episodes, stay tuned.


From a CSMS perspective to vehicle type approvals

At a later stage, after getting their CSMS certificate form authorities, vehicle manufacturers would have to possibility to apply for vehicle type approvals. During this phase authorities would require from them to demonstrate the real implementation of processes described within the CSMS for this specific vehicle.


This is specifically where the structure proposed above looks interesting. Indeed, while the CSMS audit would be focused on #1 and #2 levels of documentation, the type approval procedure would obviously dig into more details on the #3 level, with the evidence of applied practices.


As an example for supplier management, CSMS processes would define the way of distributing security requirements to suppliers, based on CIAD document templates. During the vehicle type approval, authorities will ask for related evidence such as filled CIAD with main / most critical suppliers. The structure proposed above allows therefore to rapidly identify which level of documentation might be requested at different stage of type approval procedure.





CertX as you partner for meeting UN ECE R155 and/or ISO 21434 compliance


If you have any questions about the new regulatory situations around cyber security for the automotive industry, or any other open points about how the application of relevant standards and certification could be used for compliance, please do not hesitate to contact our cyber security experts: