ISO/SAE 21434
Structure 42 Work Products across Clauses 5–15. Connect TARA, attack paths, controls, and Cybersecurity Case evidence into one engineer-reviewed chain.
WHAT IS ISO/SAE 21434?
ISO/SAE 21434 is the engineering standard that defines how to perform cybersecurity engineering for road vehicles across the full lifecycle.
CONTEXT
ISO/SAE 21434 covers Clauses 5–15 of automotive cybersecurity engineering and defines 42 Work Products spanning organisational processes, project planning, concept, product development, post-development, and decommissioning. It is the de facto evidence framework cited by UNECE R155 cybersecurity assessments and AIS 189 / AIS 190 readiness reviews — even though R155 itself is outcome-oriented and does not prescribe a method.
WHAT ENGINEERING TEAMS PRODUCE
Outputs that go into the evidence chain
- 01 Item Definition, asset identification, and Cybersecurity Properties (Clauses 9, 15)
- 02 TARA outputs — damage scenarios, threats, attack paths, attack feasibility, risk determination, risk treatment (Clause 15)
- 03 Cybersecurity Goals, Cybersecurity Plan, and Cybersecurity Concept (Clauses 9–10)
- 04 Cybersecurity Specifications and verification evidence across the V-cycle (Clauses 10–11)
- 05 The cybersecurity case, built from evidence generated across the cybersecurity lifecycle — organisational, project-level, concept, product development, production, operation, and post-development activities
- 06 Cybersecurity Interface Agreements with suppliers and integrators (Clause 7)
- 07 Vulnerability management and post-production monitoring evidence (Clauses 8, 13)
WHERE TEAMS STRUGGLE
Friction points that show up at audit time
TARA cycles take 4–8 weeks of manual spreadsheet work per system — and drift between programmes
Evidence is reconstructed at audit time rather than generated during engineering
Architecture context lives in PowerPoint, requirements in DOORS or Polarion, threats in spreadsheets — links break under change
Suppliers maintain their own threat catalogues, and Interface Agreements lag behind engineering reality
42 Work Products are easy to miscount; teams ship with gaps in the Cybersecurity Case
HOW AGNILE AND KAVACH HELP
Engineering evidence prepared for review
We support evidence preparation, structure work products, and help engineering teams ready themselves for assessment discussions. Final review and approval rest with the relevant authority.
KAVACH ingests vehicle architecture and produces a cybersecurity digital twin — assets, threats, attack paths, and controls live in one connected model
Architecture-aware TARA aligned with Clause 15 — engineer-in-the-loop review at every stage, deterministic outputs, AI-assisted acceleration that can be configured or disabled
Cybersecurity case assembly drawing on evidence generated across the cybersecurity lifecycle — ready for review without reconstructing artefacts at audit time
Interface Agreement workflows so OEM-supplier evidence stays connected
Agnile Cybersecurity Engineering services close gaps where the workspace meets programme-specific delivery pressure
RELATED RESOURCES
Detailed reference reading
PILLAR GUIDE
In-depth ISO/SAE 21434 reference guide
Long-form technical reference — work-product enumeration, clause-level walkthroughs, and worked examples.
CYBERSECURITY
Every ISO/SAE 21434 Work Product, Demystified
ISO/SAE 21434 defines work products across the cybersecurity engineering lifecycle (Clauses 5–15). The complete checklist with review priorities and UNECE R155 mapping.
CYBERSECURITY
What Is TARA in Automotive Cybersecurity? A Practical Guide
The systematic Cybersecurity analysis methodology defined in ISO/SAE 21434 Clause 15 — from Threat Identification to Risk Treatment.
ISO/SAE 21434
ISO/SAE 21434 vs UNECE R155: What’s the Difference?
Engineering standard vs regulation — understanding how ISO/SAE 21434 and UNECE R155 work together for Automotive Cybersecurity compliance.
CYBERSECURITY
Cybersecurity Interface Agreements (CIA) Under ISO/SAE 21434 Clause 7: Template and Negotiation Guide
How to draft and negotiate a Cybersecurity Interface Agreement under ISO/SAE 21434 Clause 7 — RASIC matrix, clause checklist, and the patterns that hold up under audit.
Move from architecture to ISO/SAE 21434 evidence with engineers who do this work.
Bring a programme scope. We'll show where KAVACH fits cleanly, where integration work is, and what evidence is already in good shape for review.