This is how an effective cybersecurity management system works

Your cybersecurity management system governs who must take which actions, and when, to keep the connected vehicle secure until the end of its service life. Here we show you what you need to do to effectively integrate cybersecurity into your process landscape.


The UNECE regulation expects the vehicle industry to establish cybersecurity management systems (CSMS). This is relevant for type approvals for all new vehicles manufactured from 2024 onwards. This CSMS is intended to comprehensively coordinate ongoing cybersecurity efforts at both the corporate and operational levels.

    Ensure that

    • your products are designed to be secure throughout their lifecycle,
    • new vulnerability information is constantly being evaluated, and
    • action is taken accordingly.

    The requirements for a CSMS are described in ISO/SAE 21434, for example. Rather than deploying an additional isolated management system, we recommend integrating cybersecurity requirements into your existing process landscape. 

    Your free whitepaper

    Do you need a more detailed summary of the implementation of a cybersecurity management system? Our free whitepaper contains all the important information, including helpful illustrations, on how to effectively implement a cybersecurity management system according to ISO/SAE 21434.

    What is a CSMS?

    A management system is about structures, processes, measures, and competencies.

    According to the definition in UNECE regulation R.155, a “CSMS means a systematic risk-based approach defining organizational processes, responsibilities and governance to treat risk associated with cyber threats to vehicles and protect them from cyberattacks.”

    In other words, a management system structures your company's approach to safety and security. Your employees can concentrate on the various tasks at hand. The management system is what lets them bring these tasks together and manage the interfaces between them.


    Aspects of a CSMS include

    • the cybersecurity culture,
    • the organizational structure,
    • the documentation of the required development processes and procedures,
    • monitoring whether the work actually performed is in accordance with the processes and procedures,
    • monitoring whether this work results in appropriately secure products,
    • the necessary infrastructure,
    • the required skills and competencies.

    Software Update Management Systems

    You need a software update management system to fend off cyber threats through software updates. Learn how to set up your software update management system in our tutorial.

    In cooperation with TUEV Nord

    Together with the TUEV Nord certification body we qualify you as a "Cybersecurity Engineer (Automotive)". During the training you will learn how to achieve the required end-to-end security. As a TUEV Nord qualified Cybersecurity Engineer, you will know how ISO/SAE 21434 supports your work and which homologation requirements are imposed by UNECE for your task.


    Automotive Cybersecurity 2020

    How do experts assess the status of cybersecurity activities in the automotive industry? In the industry barometer »Automotive Cybersecurity. State of Practice 2020«, experts from E/E development give their assessment of the questions that challenge newcomers to the field of cybersecurity in particular.

    Join the TARA training class

    In this course we will familiarize you with theoretical and practical knowledge about TARA and risk assessments. After TARA in the concept phase, risk assessments turn into the pivotal point of cybersecurity-oriented processes. We therefore recommend that you become accustomed to TARA from the very beginning.

    An integrated management system

    Figure: A CSMS integrated into the company's process landscape

    In a company, there are different levels of tasks, from the corporate level to the business unit to the projects. At each level, risks are also different. The level of detail of a management system relates to the nature of the risks. At the appropriate levels, you should derive corresponding subsystems with structures, processes, measures and competencies.

    Continuous cybersecurity activities

    With your cybersecurity management system in place, you ensure that all necessary cybersecurity activities for

    • development, 
    • production and 
    • post-production

    are carried out thoroughly until the vehicle series finally reaches the end of its service life. Cybersecurity is not an afterthought.

    To this end, Clause 15 of ISO/SAE 21434 calls for continuous risk assessments in particular, in order to check whether the risk assumptions and countermeasures are still up to date. 

    Implement the management system carefully to foster and establish a cybersecurity culture in your corporation: Cybersecurity concerns will become second nature to you and your colleagues – then you will actually develop cybersecurity by design. 

    We're here for you

    Need support with a key project? We’re your first port of call when it comes to management consulting and improvement programmes in electronics development.

    Steffen Herrmann and the sales team


    • Fostering awareness for the need for comprehensive end-to-end safeguards
    • Detailed assessments of any threats posed 
    • Matching your cybersecurity policies to processes, products and IT requirements; managing involved specialists
    • Assessing and improving your development processes with respect to security issues
    • Adapting existing workflows and procedures to address key cybersecurity issues
    • Ensuring systems conform to UNECE homologation guidelines
    • Definition and introduction of new development processes in keeping with the requirements of ISO/SAE 21434
    • Evaluation, development and implementation of cybersecurity management systems
    • Selection of relevant security technology and industry standards according to your requirements
