Automotive Cybersecurity Audits, Assessments and Certification

A process audit reviews the development process by checking the existence of generic document templates, associated process descriptions, a cybersecurity management system (CSMS), an incident response process and a practiced security culture. The audit usually takes one to two days and will be guided by a process description review and is documented in an audit log. Anything that is found to be missing is then addressed, after which a technical report and, if required, a certificate is issued.

This assesses the finished product’s capabilities to defend against cyberattacks through preventive measures, according to standard ISO/SAE 21434. All the required product documentation is recorded and reviewed, and the results are documented and made available to the customer. Once again, there is opportunity for any missing stages or documents to be addressed. After this, a technical report is issued which contains the final cybersecurity assessment. A product certificate can also be acquired if needed.

Certification underlines your claim to have carried out a security evaluation with the greatest possible independence. At the same time, it enables your customers to see the achieved level of embedded cybersecurity at a glance. The certification is based on a technical report on the audit or the assessment and can be carried out for both. The Cybersecurity Assurance Level (CAL) is currently irrelevant, as its use is only considered informative according to ISO/SAE 21434.

ISO/SAE 21434 also recommends that dedicated tests, such as penetration tests and fuzz tests, are carried out for a cybersecurity assessment. We are happy to offer these in our cyber labs if required.