Cyber security
management system

A regulatory framework for cyber security in the various sectors of the economy is currently emerging. One prerequisite is always information security. International standard ISO 27001, for example, specifies that companies must develop processes and rules within their organization that can be used to control and continuously improve information security in connection with IT processes and components. An information security management system (ISMS) of this kind covers all internal and external business processes. For example, interfaces with and dependencies on other companies must be documented. Likewise, there must be a plan for dealing with risks as well as security targets for functions and hierarchy levels.

The ISMS is a fundamental basis for cyber security and the foundation for a cyber security management system (CSMS) that deals with all procedures and processes concerning cyber security within a company and/or for products. The automotive industry is a pioneer in this regard, incorporating all the structures in the product life cycle as well as the production and supply chain. Background: From July 2022, the EU will require a certified CSMS for the approval of any new vehicle type and, from July 2024, a CSMS will be mandatory for all vehicles produced. For each electronic component, the approval authorities will check whether the risk of cyber attack has been adequately assessed and mitigated.

The requirements of the new WP.29 Guidelines and the ISO/SAE 21434 and ISO 24089 standards mark a paradigm shift in product safety in the automotive industry. In future, manufacturers must provide evidence of a certified CSMS (in accordance with UN-R155) for entire vehicles throughout their life cycle. Moreover, a certified management system will also be required for software updates (UN-R156). These management systems will have to be audited every three years. DEKRA is supporting car manufacturers in this process and in achieving greater cyber security.