The engineering standard behind UN R155.
ISO/SAE 21434 defines how road-vehicle cybersecurity is engineered — from TARA and cybersecurity goals through development, production, operations and decommissioning. It's how you turn an R155 CSMS into evidence that holds. Setu Innovation does the engineering, not just the advice.
- ISO/SAE standard
- Published · 2021
- Scope · E/E systems
- Underpins · UN R155
If you develop electrical/electronic systems for road vehicles, 21434 is your method.
ISO/SAE 21434 applies to the cybersecurity engineering of electrical and electronic (E/E) systems in road vehicles — used by OEMs and Tier-1/Tier-N suppliers alike, across concept, development and post-development.
A 20-second self-check
- Do you design or develop E/E systems, ECUs or vehicle software?
- Are you in an R155 supply chain, as OEM or supplier?
- Do you need a repeatable TARA and traceable cybersecurity goals?
- Do you exchange cybersecurity responsibilities with customers or suppliers?
Mostly "yes"? 21434 is the framework that makes your cybersecurity work auditable and R155-ready. A short call confirms where to start.
The work products that make cybersecurity provable.
21434 frames cybersecurity as an engineering discipline with traceable work products across the lifecycle.
Cybersecurity management
Organisational and project-level cybersecurity management: policies, rules, roles and responsibilities, and a culture that sustains cybersecurity across programmes.
Threat Analysis & Risk Assessment
Asset identification, threat and damage scenarios, attack-feasibility and impact rating, risk determination and risk treatment — the analytical core of the standard.
Cybersecurity goals & concept
Derive cybersecurity goals from the risk picture and define the cybersecurity concept and requirements that the design must satisfy.
Product development
Cybersecurity requirements and verification across system, hardware and software development — built in, then validated, not bolted on.
Cybersecurity Assurance Levels
Scale the rigour and independence of cybersecurity activities to the risk, so effort is proportionate to what's at stake.
Production, operations & end of life
Production, operations and maintenance, continual cybersecurity monitoring and incident response, and cybersecurity-aware decommissioning.
From concept to end of life — and across the supply chain.
21434 runs cybersecurity through the whole product lifecycle and across the customer–supplier relationship.
Concept
Item definition, TARA, cybersecurity goals and the cybersecurity concept — the phase that sets what must be protected and why.
Development
System, hardware and software development against cybersecurity requirements, with verification and validation that traces back to the goals.
Distributed development
Customer and supplier split responsibilities through a Cybersecurity Interface Agreement (CIA), often using Component-out-of-Context (CooC).
Operations & maintenance
Continual cybersecurity activities in the field — monitoring, vulnerability management and incident response — through to decommissioning.
21434 is the engineering an advisory-only firm can't deliver.
The standard's value is in the work products — TARA, concept, verification — produced by engineers. Setu does exactly that, in one team.
Tailor the lifecycle
Assess your processes against 21434, define the cybersecurity management approach and CAL strategy, and produce a prioritised gap analysis.
Engineer the work products
Run TARA, derive cybersecurity goals and concept, write and verify cybersecurity requirements, and set up the distributed-development interfaces (CIA, CooC).
Make it R155-ready
Tie the 21434 work products into the R155 evidence chain and pre-review them before assessment by the technical service.
ISO/SAE 21434, answered plainly.
Is ISO/SAE 21434 mandatory?
It's a voluntary standard, not law in itself — but it's the recognised state of the art, and demonstrating UN R155 in practice relies on the work products 21434 defines. For type-approval programmes it's effectively expected.
How does it relate to UN R155?
R155 is the regulation (CSMS, per-type cybersecurity); 21434 is the engineering standard describing how to do the work. Building to 21434 produces the evidence an R155 assessment expects.
What is a TARA?
Threat Analysis and Risk Assessment — identify assets, derive threat and damage scenarios, rate attack feasibility and impact, determine risk, and choose treatment that traces to cybersecurity goals.
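The TARA steps listed above, carried through end to end in code as an added example that is not part of this page or of Setu's method: the factor scores, feasibility bands and risk matrix are assumptions modelled on the standard's informative annexes (an organisation fixes its own in its cybersecurity management rules), and the threat scenario is constructed.

```python
# Worked TARA risk determination in the shape ISO/SAE 21434 describes.
# Added example; factor scores, feasibility bands and the risk matrix are
# assumptions modelled on the standard's informative annexes, not its text.

# Attack-potential factors (assumed scores; a higher total means harder to attack).
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}

IMPACT = ["negligible", "moderate", "major", "severe"]          # ordered low -> high
FEASIBILITY = ["very low", "low", "medium", "high"]             # ordered low -> high
# Risk matrix: rows = impact rating, columns = attack feasibility (assumed, values 1..5).
RISK_MATRIX = {
    "negligible": [1, 1, 1, 1],
    "moderate":   [1, 2, 2, 3],
    "major":      [1, 2, 3, 4],
    "severe":     [2, 3, 4, 5],
}

def attack_feasibility(time, expertise, knowledge, window, equipment):
    """Attack-potential approach: sum the factors, then band the total into a rating."""
    total = (ELAPSED_TIME[time] + EXPERTISE[expertise] + KNOWLEDGE[knowledge]
             + WINDOW[window] + EQUIPMENT[equipment])
    if total >= 25: return "very low"
    if total >= 20: return "low"
    if total >= 14: return "medium"
    return "high"

def impact_rating(safety, financial, operational, privacy):
    """Overall impact of a damage scenario is the highest of the four category ratings."""
    return max((safety, financial, operational, privacy), key=IMPACT.index)

def risk_value(impact, feasibility):
    """Risk determination: look the pair up in the organisation's risk matrix."""
    return RISK_MATRIX[impact][FEASIBILITY.index(feasibility)]

def treatment(risk):
    """Risk treatment decision; the threshold of 3 is an assumed policy choice."""
    return "reduce (derive cybersecurity goal)" if risk >= 3 else "retain (document rationale)"

def assess(name, impact_args, feasibility_args):
    """Run one threat scenario through the whole chain and return a traceable record."""
    imp = impact_rating(*impact_args)
    feas = attack_feasibility(*feasibility_args)
    risk = risk_value(imp, feas)
    return {"scenario": name, "impact": imp, "feasibility": feas,
            "risk": risk, "treatment": treatment(risk)}
```

Each record ties a threat scenario to its impact, feasibility, risk value and treatment decision, which is the trace an assessor expects from a TARA.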
What is a Cybersecurity Assurance Level (CAL)?
A scheme for scaling the rigour and independence of cybersecurity activities to the risk — a higher CAL means more depth in the assurance applied to an item or component.
Do suppliers need 21434?
In practice, yes. 21434 covers distributed development via the Cybersecurity Interface Agreement and Component-out-of-Context, so suppliers must produce 21434-aligned work products to support their customers.
Engineer ISO/SAE 21434 in, from TARA to release.
A focused review: your process gap against 21434, the TARA and CAL strategy, and how it feeds the R155 evidence chain. Tell us where you are and we'll take it from there — or ask for a call if that's easier.