Clause 5
Introduction
Welcome to an exploration of ISO/SAE 21434 Clause 5, which focuses on the crux of cybersecurity within the realm of automotive engineering. This course is aimed at professionals tasked with the implementation of a Cybersecurity Management System (CSMS), offering insights into the clause’s requirements, facilitating gap analysis, and expediting remediation efforts.
Foundation of Cybersecurity Practices
Clause 5 sets the stage for all cybersecurity practices within an organization. It emphasizes the integral role of cybersecurity throughout the product development lifecycle, ensuring that automotive products are engineered with robust security from the ground up.
Scope and Application
This clause is universally applicable, encompassing the entire organization and its information management systems. Key areas such as Quality Management Systems (QMS), along with change, document, requirement, configuration, and tool management, are under its purview.
The Pillars of Clause 5
- Policy, Rules, and Processes: Establishing clear cybersecurity policies and processes is foundational. These guide the organization in maintaining a secure posture throughout its operations.
- Training and Competency Tracking: Competency management is crucial. Whether through a Learning Management System (LMS) or a skills matrix, ensuring that personnel are well-trained and aware of their roles in cybersecurity is non-negotiable.
- IT and Management Systems Integration: Clause 5 advocates for the integration of cybersecurity into broader IT and management systems, reinforcing the systemic approach required for effective cybersecurity management.
- Enterprise Tool Management: Identifying and managing tools that could impact the cybersecurity of products is essential. This involves a comprehensive understanding and management of the tools used in product development and maintenance.
- Independent Audits: Regular audits are vital for assessing the efficacy of the implemented cybersecurity measures, ensuring that the organization’s cybersecurity practices are up to standard.
Implementation Challenges
While Clause 5 is conceptually straightforward, its implementation poses significant challenges, primarily due to the extensive coordination required across various departments and the potential overhaul of existing policies and systems. Key to overcoming these hurdles is the establishment of a Quality Management System that addresses core areas pertinent to cybersecurity.
Work Products
The implementation of Clause 5 results in the creation of five critical work products:
- Cybersecurity Policy, Rules, and Processes
- Evidence of Competence Management
- Evidence of the Organization’s Management Systems
- Evidence of Tool Management
- Organizational Cybersecurity Audit Report
These documents are testament to the organization’s commitment to cybersecurity, providing a structured framework for managing and mitigating cybersecurity risks.
Practical Considerations
- Competency Management: Ensuring that staff are competent and aware of cybersecurity practices is fundamental. Utilize existing platforms or methodologies to manage and track competency effectively.
- Tool Management: A methodical approach is required to manage tools that influence cybersecurity. This involves maintaining an inventory of such tools and implementing access controls and authentication measures.
- Continuous Improvement: Feedback mechanisms should be in place to continually refine cybersecurity practices. This iterative process allows for the constant strengthening of cybersecurity measures.
Conclusion
Embracing the requirements of ISO/SAE 21434 Clause 5 is a strategic step towards fortifying automotive products against cybersecurity threats. Through diligent implementation, continuous improvement, and cross-departmental collaboration, organizations can achieve a robust cybersecurity posture, ensuring the security and integrity of their automotive products throughout their lifecycle.
Clause 5 emphasizes organizational cybersecurity management, highlighting the development of a strong cybersecurity culture, the implementation of information-sharing processes related to cybersecurity risks, and the support of systems such as configuration, change, and documentation management. It also underscores the importance of managing tools by identifying those exposed to cybersecurity threats and ensuring they are secured appropriately to prevent the spread of risks to automotive products, which could ultimately affect the vehicle.
Clause 5 emphasizes organizational cybersecurity management, highlighting the development of a strong cybersecurity culture, the implementation of information-sharing processes related to cybersecurity risks, and the support of systems such as configuration, change, and documentation management. It also underscores the importance of managing tools by identifying those exposed to cybersecurity threats and ensuring they are secured appropriately to prevent the spread of risks to automotive products, which could ultimately affect the vehicle.
Contents:
- 13 Requirements
- 4 Recommendations
- 5 Work products
- 7 Activities (5.4.1 - 5.4.7)

5.4.1 Cybersecurity Governance
[RQ-05-01]
The organization shall define a cybersecurity policy that includes:
- acknowledgement of road vehicle cybersecurity risks; and
- the executive management’s commitment to manage the corresponding cybersecurity risks.
To note:
- The cybersecurity policy may reference the organization’s objectives and other relevant policies.
- The cybersecurity policy may include a statement on how generic threat scenarios are addressed in terms of risk treatment, taking into account the organization’s product or service portfolio and its internal and external context.
Policy definition A policy is a formal, authoritative document established by an organization’s leadership that articulates the organization’s principles, intentions, and commitment related to a specific area of concern. It provides a strategic direction and a framework for consistent decision-making, governance, and accountability across the organization.
Think of a policy as a steering wheel - it gives the organization direction.
Then, procedures are the brake, gas, and turn signals - they handle the details of how to act.
Policy example
Recognizing the increasing complexity and connectivity of modern vehicles, [Company Name] acknowledges that cybersecurity is critical to vehicle safety, reliability, and customer trust.
We accept that our products and services are exposed to cybersecurity risks, both from internal and external sources, including supply chain vulnerabilities and emerging threat actors.
The executive management team is fully committed to managing these risks by:
- Ensuring compliance with cybersecurity standards and regulations.
- Supporting cross-functional cybersecurity governance teams.
- Prioritizing cybersecurity in all stages of development and operations.
This policy supports our corporate risk management strategy and integrates with our quality and safety management systems. We also recognize and address generic threat scenarios such as remote attacks on ECUs, denial-of-service incidents, and unauthorized OTA updates, with defined treatment approaches in our risk management framework.
[RQ-05-02]
The organization shall establish and maintain rules and processes to:
a) enable the implementation of the requirements of this document; and
b) support the execution of the corresponding activities.
To note:
Definitions of processes, technical standards, guidelines, methodologies, and templates.
Cybersecurity risk management may take into account the balance between the effort required and the benefits gained from various activities.
Rules and processes may span the entire lifecycle—covering concept development, product development, production, operation, maintenance, and decommissioning. This includes TARA methodologies, information sharing, cybersecurity monitoring, incident response, and response triggers.
Rules and processes related to vulnerability disclosure—such as those included in information-sharing practices—can be defined in alignment with ISO 29147.
This may include process definitions, technical rules, internal guidelines, methods, and standardized templates. Cybersecurity risk management activities can consider effort-versus-benefit to ensure efficient and practical execution.
The organization’s rules and processes should cover the entire vehicle lifecycle—concept, development, production, operation, maintenance, and decommissioning.
These include TARA methods, information sharing, monitoring, incident response, and defined triggers. Vulnerability disclosure processes, as part of information sharing, may align with ISO 29147. Figure below illustrates how the cybersecurity policy, supporting rules and processes, assigned responsibilities, and allocated resources work together to form a cohesive cybersecurity management approach.

a) “Enable the implementation of the requirements of this document”
This means the organization must establish the foundational rules and processes necessary to apply ISO/SAE 21434 in practice. That includes defining how cybersecurity is managed — through TARA methods, incident response, secure development guidelines, etc.
b) “Support the execution of the corresponding activities”
This implies actively backing those processes — and yes, that includes:
- Allocating time (e.g., scheduling cybersecurity tasks into project timelines)
- Assigning qualified personnel (e.g., security engineers, TARA specialists)
- Providing tools and infrastructure (e.g., threat modeling tools, secure coding platforms)
- Budgeting financial resources (e.g., for training, third-party audits, penetration testing)
[RQ-05-03]
The organization shall assign and communicate the responsibilities and corresponding organizational authority to achieve and maintain cybersecurity.
To note: This applies to both organizational-level and project-specific activities.

[RQ-05-04]
The organization shall provide the resources to address cybersecurity.
To note: Resources encompass individuals responsible for cybersecurity risk management, development, and incident management, and may include skilled personnel and appropriate tools necessary to carry out cybersecurity activities effectively.

[RQ-05-05]
The organization shall identify disciplines related to, or interacting with, cybersecurity and establish and maintain communication channels between those disciplines in order to:
- determine if and how cybersecurity will be integrated into existing processes; and
- coordinate the exchange of relevant information.
Key Requirements:
Identify Related Disciplines. The organization needs to identify the disciplines that are related to or interact with cybersecurity. These can include:
- Information Technology (IT) Security
- Functional Safety (ISO 26262)
- Privacy
- Establish Communication Channels:
To ensure effective collaboration, communication channels must be established and maintained between these disciplines.
Main Goals:
Integration of Cybersecurity into Existing Processes:
- The organization must assess how cybersecurity will be integrated into existing processes.
- This could involve identifying where cybersecurity considerations intersect with or enhance other processes.
Coordinating Information Exchange:
- Effective communication is crucial for exchanging relevant information between disciplines.
- This helps ensure that cybersecurity, functional safety, and privacy requirements align and do not conflict.
Examples of Interdisciplinary Exchange:
Threat Scenarios & Hazard Information:
- Information about threat scenarios and hazard analysis (from functional safety, like ISO 26262) must be shared. This helps cybersecurity teams understand the safety context and how cybersecurity threats may impact safety.
Cybersecurity Goals vs. Safety Goals:
- There must be an exchange of cybersecurity goals and functional safety goals to ensure both are addressed without conflicting. For example, a cybersecurity measure that might impact the vehicle’s safety functions needs coordination.
Conflicting or Competing Requirements:
- Cybersecurity requirements may conflict or compete with functional safety requirements. Communication between disciplines ensures that these conflicts are identified and resolved before they affect the product’s design.
5.4.2 Cybersecurity Culture
[RQ-05-06]
The organization shall foster and maintain a strong cybersecurity culture.
[RQ-05-07]
The organization shall ensure that persons to which cybersecurity roles and responsibilities are assigned have the competences and awareness to fulfil these.
[RQ-05-08]
The organization shall institute and maintain a continuous improvement process.
How to implement/create?
- Introduce frequent training
- Establish processes for information sharing and risk escalation
- Ensure adequate staffing
- Encourage a different way of thinking about cybersecurity rather than treating it as an
- afterthought
- Encourage mentoring
- Encourage an open exchange of ideas and questions
- Encourage sharing feedback
You can even find separate books on this topic, such as:

5.4.3 Information Sharing
[RQ-05-09]
The organization shall define the circumstances under which information sharing related to cybersecurity is required, permitted, or prohibited, internal or external to the organization.
[RC-05-10]
The organization should align its information security management of the shared data with other parties in accordance with [RQ-05-09].
How?
The organization must have a policy regarding communication channels for vulnerability disclosures, and how to handle sensitive information.
- Consider implementing a bug bounty program.
- Have a responsible disclosure process
Such processes must be aligned across various departments to prevent common mishaps such as disclosing vulnerabilities on behalf of suppliers who did not yet authorize such disclosure, or waiting too long before informing customers about critical vulnerabilities that will impact their products.

5.4.4 Management Systems
[RQ-05-11]
The organization shall institute and maintain a quality management system in accordance with International Standards, or equivalent, to support cybersecurity engineering, addressing:
- change management;
- documentation management;
- configuration management; and
- requirements management.
[RQ-05-12]
The configuration information required for maintaining cybersecurity of a product in the field shall remain available until the end of cybersecurity support for the product, in order to enable remedial actions.
[RC-05-13]
A cybersecurity management system for the production processes should be established in order to support the activities of Clause 12.
Configuration management
A system for systematically managing changes in system and item configurations to ensure integrity and operational stability. They track revisions and maintain consistency across system components, crucial for software development, IT operations, and manufacturing.
Documentation management
We need a system to organize our cybersecurity plans, manuals, and other documents. This system should keep track of who wrote each document, who it’s meant for, and any changes made to it. It should also allow us to review documents and control who can see them based on how important the information is.
Requirements Management
The main goal of managing requirements is:
- Making sure requirements are clear and well-defined.
- Keeping track of requirements throughout the project.
The system used for managing requirements helps:
- Classify requirements as security-related.
- Connect requirements to other project documents.
Example Tools:
- Jama
- Codebeamer
- IBM DOORS
Change management
Change management helps make sure any updates are done in a coordinated and documented fashion.
- Planning: Every change, big or small, gets a thorough check-up to see how it might affect the security (and safety, cost, timelines, etc.).
- Centralized Decision: Risks come from all over the organization. Cybersecurity is just one of them. Change requires analysis and decision.
- Security Must Have a Voice: Security experts make sure changes don’t create any new security risks.
- Tracking: Every change gets logged; this helps everyone understand why changes were made and what happened.
5.4.5 Tool Management
[RQ-05-14]
Tools that can influence the cybersecurity of an item or component shall be managed.
[RC-05-15]
An appropriate environment to support remedial actions for cybersecurity incidents (see 13.3) should be reproducible until the end of cybersecurity support for the product.
Examples:
- Maintaining a centralized list of all approved cybersecurity tools
- Granting least privilege access to security tools
- Implementing multi-factor authentication for access to security tools
- Regularly reviewing and revoking access for inactive users
- Regularly reviewing the list of cybersecurity approved tools and removing/adding new ones
5.4.6 Information Security Management
[RC-05-16]
Work products should be managed in accordance with an information security management system.
5.4.7 Organizational Cybersecurity Audit
[RQ-05-17] A cybersecurity audit shall be performed independently to judge whether the organizational processes achieve the objectives of this document (ISO/SAE 21434).
Audits may be conducted by individuals either within or outside the organization. To ensure that the organization’s processes continue to meet cybersecurity requirements, audits can be carried out on a regular basis.
Provisions and Work Products Overview
