Clause 6
Introduction
This video lesson provides an overview of Clause 6 in ISO 21434, a standard for automotive cybersecurity. Clause 6 focuses on planning, coordinating, and auditing cybersecurity activities throughout a vehicle development project.
Key Points:
- Clause 6 outlines 34 requirements divided into nine sections, including responsibilities, planning, reuse analysis, and post-development activities.
- The main objective is to create a cybersecurity plan that outlines tasks, assigns roles, and details how to handle reused components and off-the-shelf parts.
- This plan is a living document and should be updated as the project progresses.
- Challenges include coordinating with various teams (e.g., safety) and ensuring the plan incorporates activities for suppliers.
- Cybersecurity assessments should be ongoing to avoid rework at the project’s end. Ideally, an independent body should conduct these assessments.
- There are strong connections between safety and cybersecurity. Leverage existing safety practices and documents whenever possible.
Work Products:
- Clause 6 focuses on four main deliverables:
- Cybersecurity Plan: This outlines the project’s cybersecurity strategy.
- Cybersecurity Case: This justifies the cybersecurity requirements for the vehicle.
- Cybersecurity Assessment Report: This documents the findings of cybersecurity assessments.
- Post-Development Report: This summarizes cybersecurity activities after the vehicle’s development.
Implementation Considerations:
- The specific teams responsible for implementing Clause 6 will vary depending on your organization’s structure. It typically involves project management, product cybersecurity, and quality assurance teams.
- The cybersecurity plan should cover the entire vehicle development lifecycle, including concept phase, development, validation, release, and post-development activities.
Additional Resources:
- The video recommends Dr. Ahmad Nasser’s book “The Automotive Cybersecurity Engineering Handbook” for more on safety and security cooperation.
- VSEC (vsec.blockharbor.io) is mentioned as a resource for additional automotive cybersecurity training and tools.
Conclusion
Clause 6 redirects attention from the organization to the product, emphasizing the importance of managing competence and planning for cybersecurity. It also outlines expectations for developing components independently of their context and for integrating off-the-shelf components. Additionally, this clause introduces the concept of the cybersecurity case and sets criteria for evaluating a product’s readiness for release.
Contents:
- 4 Work Products
- 32 Requirements
- 2 Permissions
- 9 Cybersecurity activities (6.4.1 - 6.4.9)

6.4.1 Cybersecurity responsibilities
[RQ-06-01]
The responsibilities regarding the project’s cybersecurity activities shall be assigned and communicated in accordance with [RQ-05-03].
6.4.2 Cybersecurity Planning
[RQ-06-02]
In order to decide cybersecurity activities needed for the item or component, the item or component shall be analysed to determine:
a) whether the item or component is cybersecurity relevant;b) if the item or component is cybersecurity relevant, whether the item or component is a new development or a reuse; andc) whether tailoring in accordance with 6.4.3 is applied.
Cybersecurity relevance can also be determined based on experience and multiple expert judgements, e.g. involving safety experts and cybersecurity experts.
[RQ-06-03]
The cybersecurity plan shall include the:
a) objective of an activity;b) dependencies on other activities or information;c) personnel responsible for performing an activity;d) required resources for performing an activity;e) starting point or end point, and the expected duration of an activity; andf) identification of the work products to be produced.
[RQ-06-04]
The responsibilities for developing and maintaining the cybersecurity plan, and for tracking the progress of the cybersecurity activities against the cybersecurity plan shall be assigned in accordance with [RQ-05-03] and [RQ-05-04].
[RQ-06-05]
The cybersecurity plan shall either be:
a) referenced in the project plan for the development; orb) included in the project plan, such that the cybersecurity activities are distinguishable.
[RQ-06-06]
The cybersecurity plan shall specify the activities that are required for cybersecurity during the concept and product development phases in accordance with the relevant requirements of Clauses 9, 10, 11 and 15.
[RQ-06-07]
The cybersecurity plan shall be updated when a change or a refinement of the activities to be performed is identified.
[PM-06-08]
For threat scenarios of risk value 1 that are determined from an analysis in accordance with 15.8, conformity with 9.5, Clause 10 and Clause 11 may be omitted.
[RQ-06-09]
The work products identified in the cybersecurity plan shall be updated and maintained for accuracy until and at the release for post-development.
[RQ-06-10]
If cybersecurity activities are distributed, customer and supplier shall each define a cybersecurity plan regarding their respective cybersecurity activities and interfaces in accordance with Clause 7.
[RQ-06-11]
The cybersecurity plan shall be subject to configuration management and documentation management, in accordance with 5.4.4.
[RQ-06-12]
The work products identified in the cybersecurity plan shall be subject to configuration management, change management, requirements management, and documentation management, in accordance with 5.4.4.
6.4.3 Tailoring
[PM-06-13]
A cybersecurity activity may be tailored.
[RQ-06-14]
If a cybersecurity activity is tailored, then a rationale why the tailoring is adequate and sufficient to achieve the relevant objectives of this document shall be provided and reviewed.
6.4.4 Reuse
[RQ-06-15]
A reuse analysis shall be carried out if an item or component has been developed and:
a) modifications are planned;b) is planned to be reused in another operational environment; orc) is planned to be reused without modification and there are relevant changes to the information concerning the item or component.
[RQ-06-16]
A reuse analysis of an item or component shall:
a) identify the modifications to the item or component and the modifications of its operational environment;b) analyse the cybersecurity implications of the modifications, including the effects on the validity of cybersecurity claims and previously made assumptions;c) identify the affected or missing work products; andd) specify the cybersecurity activities necessary to conform with this document in the cybersecurity plan (see 6.4.2).
[RQ-06-17]
A reuse analysis of a component shall evaluate whether:
a) the component is able to fulfil the allocated cybersecurity requirements from the item or component, in which it is to be integrated; andb) the existing documentation is sufficient to support the integration into an item, or into another component.
6.4.5 Component Out-of-Context
Out-of-context - not developed in the context of a specific item.
Example: Processing unit with assumed cybersecurity requirements to be integrated in different items.
[RQ-06-18]
Assumptions on the intended use and context, including the external interfaces, for a component developed out-of-context shall be documented in the corresponding work products.
[RQ-06-19]
For the development of a component out-of-context, the cybersecurity requirements shall be based on the assumptions of [RQ-06-18].
[RQ-06-20]
For the integration of a component developed out-of-context, the cybersecurity claims and assumptions of [RQ-06-18] shall be validated.
6.4.6 Off-the-Shelf Component
[RQ-06-21]
When integrating an off-the-shelf component, the cybersecurity-relevant documentation shall be gathered and analysed to determine whether:
a) allocated cybersecurity requirements can be fulfilled;b) the component is suitable for the specific application context of the intended use; andc) existing documentation is sufficient to support the cybersecurity activities.
[RQ-06-22]
If the existing documentation is insufficient to support the integration of the off-the-shelf component, then the cybersecurity activities to conform with this document shall be identified and performed.
6.4.7 Cybersecurity Case
[RQ-06-23]
A cybersecurity case shall be created to provide the argument for the cybersecurity of the item or component, supported by work products.
- Some elements of the argument may be implicit; for example, if certain points are clearly demonstrated by the collected work products, those parts can be omitted.
- In distributed development, the cybersecurity case for an item may combine the cases from both the customer and suppliers, referencing evidence from work products produced by each party. This way, the overall argument for the item is supported by contributions from all involved parties.
- The cybersecurity case also addresses the cybersecurity requirements applicable after development [WP-10-02].
6.4.8 Cybersecurity Assessment
[RQ-06-24]
A decision whether to perform a cybersecurity assessment for an item or component shall be made supported by a rationale applying a risk-based approach.
- The rationale may be based on TARA results (see Clause 15), the complexity of the item or component being developed, and/or criteria established by organizational rules and processes (see 5.4.1).
- If a cybersecurity assessment is not conducted, the rationale should be documented within the cybersecurity case.
[RQ-06-25]
The rationale of [RQ-06-24] shall be reviewed independently.
[RQ-06-26]
The cybersecurity assessment shall judge the cybersecurity of the item or component.
[RQ-06-27]
A person responsible to plan and perform independently a cybersecurity assessment shall be appointed in accordance with [RQ-06-01].
[RQ-06-28]
A person who carries out a cybersecurity assessment shall have:
a) access to the relevant information and tools; andb) the cooperation of the personnel performing the cybersecurity activities.
[PM-06-29]
A cybersecurity assessment may be based on a judgement of whether the objectives of this document are achieved.
[RQ-06-30]
The scope of a cybersecurity assessment shall include:
a) the cybersecurity plan and all work products identified in the cybersecurity plan;b) the treatment of the cybersecurity risks;c) the appropriateness and effectiveness of implemented cybersecurity controls and cybersecurity activities performed for the project; andd) the rationales, if provided, that demonstrate the achievement of the objectives of this document.
[RQ-06-31]
A cybersecurity assessment report shall include a recommendation for acceptance, conditional acceptance, or rejection of the cybersecurity of the item or component.
To note: The assessment report may also contain suggestions for ongoing improvement.
[RQ-06-32]
If a recommendation for conditional acceptance in accordance with [RQ-06-31] is made, then the cybersecurity assessment report shall include the conditions for acceptance.
6.4.9 Release for Post-Development
[RQ-06-33]
The following work products shall be available prior to the release for post-development:
a) the cybersecurity case [WP-06-02];b) if applicable, the cybersecurity assessment report [WP-06-03]; andc) the cybersecurity requirements for post-development [WP-10-02].
[RQ-06-34]
The following conditions shall be fulfilled for the release for post-development of the item or component:
a) the argument for cybersecurity provided by the cybersecurity case is convincing;b) the cybersecurity case is confirmed by the cybersecurity assessment, if applicable; andc) the cybersecurity requirements for the post-development phases are accepted.
Provisions and Work Products Overview
