Skip to main content

Engineering · Automotive Cybersecurity

ISO/SAE 21434 Consulting, Clauses 5–15

From Threat Analysis and Risk Assessment to the Cybersecurity Case. Agnile’s Automotive Cybersecurity specialists build the CSMS, execute the TARA, author the Work Products, and prepare the evidence your assessor will actually read — for OEM, Tier-1, and Tier-2 programmes worldwide.

What does ISO/SAE 21434 consulting cover?

ISO/SAE 21434 consulting is engineering support for deploying the road-vehicle cybersecurity standard on a real programme: assessing the gap against Clauses 5–15, building the Cybersecurity Management System, executing the Threat Analysis and Risk Assessment, authoring the 42 Work Products, and preparing the evidence an assessor reviews for UNECE R155 Type Approval. Agnile delivers each of these as a scoped engagement — see the ISO/SAE 21434 compliance overview for how the standard and the regulation fit together.

Scope

What the Engagement Covers

Most engagements start in one of two places: a programme that needs the standard deployed from zero, or a programme mid-flight that needs specific evidence closed before an assessment. The scope below flexes to both.

Gap Assessment Against Clauses 5–15

We review your processes, templates, and existing evidence clause by clause, interview the engineers who own each activity, and return a prioritised remediation roadmap — what exists, what is missing, what an assessor will challenge, and the order in which to close it. Typical duration is 2–4 weeks.

CSMS Build-Out

UNECE R155 makes the Cybersecurity Management System the unit of assessment, and ISO/SAE 21434 Clauses 5–8 define what a working one looks like. We author the Cybersecurity Policy, organizational rules and processes, competence and audit structures, and the continual activities — monitoring, vulnerability analysis, and incident handling — then run the system on an anchor project so it is demonstrably operating, not shelf-ware.

TARA Execution

Threat Analysis and Risk Assessment is the analytical core of the standard and the first thing most customers ask for. We run the full Clause 15 method — asset identification, Damage Scenarios, Threat Scenarios, Attack Paths, Attack Feasibility, Risk Determination, and Risk Treatment — as facilitated workshops or as delivered analysis. A manual TARA cycle commonly takes 4–8 weeks; on KAVACH the same analysis compresses sharply without losing engineer review. The Automotive TARA solution page covers the method in detail.

Work Products Authoring — All 42

Annex A of the standard defines exactly 42 Work Products across the lifecycle, and assessors work from that table. We author, review, or rescue them — from the Cybersecurity Plan through verification and validation reports to the Cybersecurity Case — with traceability from every claim back to its source. Our 42 Work Products checklist breaks down the full set.

Cybersecurity Interface Agreements

Distributed development is where programmes bleed time. Clause 7 requires Cybersecurity Interface Agreements that pin down who does what between OEM and supplier — and between Tier-1 and Tier-2. We draft the agreements, align responsibility splits, evaluate supplier capability, and prepare responses to customer agreements when you are the supplier.

Audit Preparation for UNECE R155 Type Approval

For programmes heading into Type Approval — mandatory for all new vehicles in the EU since 7 July 2024 — we assemble the Cybersecurity Case, map evidence to the questions authorities such as KBA (Germany), RDW (Netherlands), and UTAC (France) and their technical services actually ask, and run assessment rehearsals so the first hard questions come from us, not the authority.

Engagement models

Four Ways to Engage

Advisory

A senior consultant alongside your team on a defined cadence — reviewing TARAs and Work Products, coaching process owners, answering assessor-facing questions, and stepping in before milestones. The lightest engagement; suits teams with capacity that need direction and review depth.

Project-Based Delivery

A fixed-scope package delivered against milestones — a gap assessment, a TARA on a defined item, a CSMS build-out, or a complete work-product set for one ECU or platform. Clear deliverables, clear acceptance criteria, scoped per programme.

Staff Augmentation

Agnile cybersecurity engineers embedded in your programme, working in your toolchain and your meetings — carrying TARA, requirements, and evidence work as part of the team for as long as the programme needs it.

KAVACH-Accelerated Delivery

Any of the above, delivered on KAVACH, our AI-assisted ISO/SAE 21434 workspace — threat identification grounded in a curated automotive Threat Database, consistent Risk Scoring across analysts, and Work Products generated with traceability to source. You keep the workspace and the evidence after the engagement ends.

Why Agnile

Specialists Who Sign Their Work

Plenty of firms will sell you ISO/SAE 21434 slideware. Fewer will sit in the TARA workshop, argue Attack Feasibility with your architects, and put their name on the Cybersecurity Case.

  • Independent specialist. Automotive Cybersecurity is the core practice, not a side offering of a general consultancy — the same engineers do process work, product security work, and validation.
  • Certified operations. Agnile is ISO 9001:2015 and ISO/IEC 27001:2022 certified — the engagement itself runs under an audited quality and information-security system.
  • KAVACH advantage. Consulting delivered on our own ISO/SAE 21434 workspace means faster analysis, consistent Risk Scoring, and evidence that stays traceable after we leave.
  • Programme-tested. Delivery experience across global OEM and Tier-1 programmes — ECUs, ADAS systems, and connected vehicle platforms — under real audit pressure.
  • Built for what comes next. ISO/SAE 21434 is under systematic review, with second-edition development expected to start in 2026. We structure evidence so it carries forward rather than needing a rewrite.

Deliverables

How a Full Engagement Phases the 42 Work Products

Scope flexes — a Tier-2 delivering one component needs a fraction of this; an OEM platform needs all of it. The ISO/SAE 21434 Guide maps every clause behind these phases.

PhaseRepresentative Work ProductsOutcome
AssessGap report, remediation roadmap, Cybersecurity Plan (draft)A clause-by-clause baseline and a sequenced plan to close it
Govern — Clauses 5–8Cybersecurity Policy, organizational rules and processes, Cybersecurity Interface Agreements, monitoring and triage recordsAn operating CSMS aligned to UNECE R155 assessment expectations
Analyse — Clauses 9 and 15Item Definition, TARA, Cybersecurity Goals, Cybersecurity ConceptA risk-informed concept baseline your architects can build against
Develop and validate — Clauses 10–11Cybersecurity specifications, integration and verification reports, validation reportImplementation evidence traceable back to Cybersecurity Goals
Assure — Clause 6Cybersecurity Case, assessment-readiness packType Approval-facing evidence ready for KBA, RDW, or UTAC review
Operate — Clauses 12–14Production control plan, incident response plan, end-of-support documentationPost-production obligations covered through decommissioning

FAQ

ISO/SAE 21434 Consulting Questions

Scope Your ISO/SAE 21434 Engagement

A 60-minute scoping call: bring your assessment date, your supplier questionnaire, or your half-finished TARA. We respond to qualified enquiries within one business day.