ISO 21434 Automotive Cybersecurity Auditing and Assessment Certification

Course Duration: 5 Days - 8 Hours/day

This five-day seminar provides the knowledge and skills required to perform audits and assessments against the ISO/SAE 21434 Cybersecurity Engineering standard. It covers how to plan, conduct and report audit and assessment activities for ISO/SAE 21434. An overview of ISO/IEC 27001, the UNECE WP.29 cybersecurity regulation (UN R155), and the VDA ACMS (Automotive Cybersecurity Management System) is also provided.

This course combines presentations with in-class group exercises to put what you are learning into practice. Concepts are reinforced by a series of breakout exercises on critical aspects of audits and assessments.

Learning Objectives

· List and apply the main processes at the organizational and product levels that impact audits and assessments

· Review and understand a product's cybersecurity goals and requirements, and prepare a Cybersecurity Plan

· Develop the Cybersecurity Concept & Refined Cybersecurity Design

· List appropriate evidence for supporting audits and assessments

· Use risk values and Cybersecurity Assurance Levels (CALs) to achieve an acceptable residual risk

· List the main elements and develop the structure of Audit and Assessment reports.

Course Outline

Day One

· Introduction and Overview of ISO/SAE 21434, ISO/IEC 27001, WP.29 (UN R155), and VDA ACMS

o ISO/SAE 21434 Purpose, Scope and Framework

· Organizational Level Processes for Audit

o Overall Cybersecurity Management

o Project Dependent Cybersecurity Management

o Supporting Processes

o Cybersecurity Audit

o Cybersecurity Assessment

· Cybersecurity Goals & Requirements

o Tailoring of Cybersecurity Activities

o System or Component out of Context

o Cybersecurity Planning

o Cybersecurity Requirements

o Cybersecurity Goals

o Breakout Exercise 1: Cybersecurity Case Outline

· Preparing the Cybersecurity Plan

o Product Lifecycle

o The V-Model

o Cybersecurity Planning

o Components of the Cybersecurity Plan

o Cybersecurity Case

· Risk Assessment Methods (TARA methods, Clause 15 of ISO/SAE 21434:2021)

o Cybersecurity Relevance

o Item Definition

o Asset Identification

o Breakout Exercise 2: Item Definition

Day Two

· Risk Assessment Methods (Clause 15) (cont'd)

o Vulnerability Analysis

o Breakout Exercise 3: Vulnerability Analysis

o Attack Feasibility Analysis

o Risk Determination

o Risk Treatment

o Threat Analysis and Risk Assessment (TARA)

o Breakout Exercise 4: Threat and Risk Analysis

o Breakout Exercise 5: Cybersecurity Requirements

· Cybersecurity Architecture

o System Level Architecture

o Hardware Level Architecture

o Software Level Architecture

o Implementation Considerations

· Cybersecurity Concept & Refined Cybersecurity Design

o Cybersecurity Concept

o Refinement of Cybersecurity Requirements

o Refinement of Cybersecurity Design


Day Three

· Supporting Processes

o Quality Management Systems

o Change Management

o Documentation Management

o Configuration Management

o Requirements Management

o Verification

o Breakout Exercise 6: Confidence in Management Systems

o Tool Management

o Distributed Cybersecurity Activities

· Gathering Evidence for Achieving CS Goals

o Cybersecurity Assurance Levels (CAL)

o Usage of CALs

o List of Work Products

· Producing Arguments for Achieving CS Goals

o Architectural Arguments

o Design Arguments

o Breakout Exercise 7: Walkthrough vs. Inspection

o Implementation Arguments

o Verification Arguments

o Validation Arguments


Day Four

· Preparing Work Products

o Management Oriented Work Products

o Work Products at the Concept Phase

o Work Products at the Product Development Phase

o Work Products at the Post-Development Phases

· Preparing the Cybersecurity Case

o Summary of the Cybersecurity Evidence

o Summary of the Cybersecurity Argument

o Elements of the Cybersecurity Case

o Breakout Exercise 8: Developing a Cybersecurity Case

Day Five

· Preparing the Audit Report

o Summary of Organizational Processes

o Elements of the Audit Report

· Preparing the Assessment Report

o Summary of the Cybersecurity Plan

o Summary of the Work Products

o Summary of the Cybersecurity Case

o Elements of the Assessment Report

Levels of Certification

Level 1: Internal Auditor (Provisional)

Knowledge Requirements: · 1 week of Cybersecurity Auditor Training; candidates must pass the exam.

Level 2: Certified Internal Auditor

Knowledge Requirements: · 1 week of Cybersecurity Auditor Training; candidates must pass the exam.

Prerequisites: · 10 audits or assessments in the past 3 years.

Who Should Attend

Those involved in the design, development and production of electrical and electronic (E/E) vehicle products, including systems, software and hardware engineers and their managers: in short, everyone responsible for developing and implementing hardware and software systems in motor vehicles.

Participants should be, or plan to be, actively managing, involved in, or aware of electrical and/or electronic items, systems or elements incorporated in vehicles, and should have the abilities, education and experience required for those roles.

Course Materials

Each participant will receive a seminar manual including breakout exercises and case studies.

Note: Omnex does not provide copies of standard(s) during training courses, but clients are encouraged to have their own copy.

Prerequisites

Participants should be involved in, or aware of, software and hardware development as it relates to the motor vehicle industry. A basic understanding of the ISO/SAE 21434 standard is recommended.
