cyris360-framework

Instructions

This gap analysis document provides a simple framework for evaluation the current status of a CSMS according to ISO/SAE21434:2021 standard. The status column is marked by one of the following identifiers:

• V: Validated ; The associated item is compliant with the standard.
• P: Partial ; The associated item is partially compliant with the standard.
• M: Missing ; The associated item is NOT compliant with the standard.
• N/A: The associated item is not applicable.

The evidence shall be provided by the target user, while optional comment maybe added by the target user or the assessor.

Note: Due to the copyright restriction of ISO documents, the following gap assessment shall be used in combination with the ISO/SAE21434:2021 standard.

Part 1: Requirements |

Clause 5: Organizational Cybersecurity Management

Requirement	Status (V, P, M, N/A)	Evidence	Comments
5.4.1 Cybersecurity Governance (RQ-05-01..RQ-05-05)
5.4.2 Cybersecurity Culture (RQ-05-06..RQ-05-08)
5.4.3 Information sharing (RQ-05-09..RQ-05-10)
5.4.4 Management systems (RQ-05-11..RQ-05-13)
5.4.5 Tool Management (RQ-05-14..RQ-05-15)
5.4.6 Information security Management (RQ-05-16)
5.4.7 Organizational Cybersecurity Audit (RQ-05-17)

Clause 6: Project Dependant Cybersecurity Management

Requirement	Status (V, P, M, N/A)	Evidence	Comments
6.4.1 Cybersecurity responsabilities (RQ-06-01)
6.4.2 Cybersecurity planning (RQ-06-02..RQ-06-12)
6.4.3 Tailoring (RQ-06-13..RQ-06-14)
6.4.4 Reuse (RQ-06-15..RQ-06-17)
6.4.5 Component out-of-context (RQ-06-18..RQ-06-20)
6.4.6 Off-the-shelf component (RQ-06-21..RQ-06-22)
6.4.7 Cybersecurity case (RQ-06-23)
6.4.8 Cybersecurity assessement (RQ-06-24..RQ-06-32)
6.4.9 Release for post developement (RQ-06-33..RQ-06-34)

Clause 7: Distributed Cybersecurity Activities

Requirement	Status (V, P, M, N/A)	Evidence	Comments
7.4.1 Supplier capability (RQ-07-01..RQ-07-02)
7.4.2 Request for quotation (RQ-07-03)
7.4.3 Alignement of responsabilities (RQ-07-04..RQ-07-08)

Clause 8: Continual Cybersecurity Activities

Requirement	Status (V, P, M, N/A)	Evidence	Comments
8.3 Cybersecurity Monitoring (RQ-08-01..RQ-08-03)
8.4 Cybersecurity event evaluation (RQ-08-04)
8.5 Vulnerability analysis (RQ-08-05..RQ-08-06)
8.6 Vulnerability management (RQ-08-07..RQ-08-08)

Clause 9: Concept

Requirement	Status (V, P, M, N/A)	Evidence	Comments
9.3 Item definition (RQ-09-01..RQ-09-02)
9.4 Cybersecurity goals (RQ-09-03..RQ-09-07)
9.5 Cybersecurity concepts (RQ-09-08..RQ-09-11)

Clause 10: Product Development

Requirement	Status (V, P, M, N/A)	Evidence	Comments
10.4.1 Design (RQ-10-01..RQ-10-08)
10.4.2 Integration and verification (RQ-10-09..RQ-10-13)

Clause 11: Cybersecurity Validation

Requirement	Status (V, P, M, N/A)	Evidence	Comments
11 Cybersecurity Validation (RQ-11-01..RQ-11-02)

Clause 12: Production

Requirement	Status (V, P, M, N/A)	Evidence	Comments
12 Production (RQ-12-01..RQ-12-03)

Clause 13: Operations and Maintenance

Requirement	Status (V, P, M, N/A)	Evidence	Comments
13.3 Cybersecurity incident response (RQ-13-01..RQ-13-02)
13.4 Updates (RQ-13-03)

Clause 14: End of Cybersecurity and Decomissioning

Requirement	Status (V, P, M, N/A)	Evidence	Comments
14.3 End of Cybersecurity support (RQ-14-01)
14.4 Decomissioning (RQ-14-02)

Clause 15: Threat Analysis and Risk Assessement Methods

Requirement	Status (V, P, M, N/A)	Evidence	Comments
15.3 Asset identification (RQ-15-01..RQ-15-02)
15.4 Threat scenarion Identification (RQ-15-03)
15.5 Impact rating (RQ-15-04..RQ-15-07)
15.6 Attack path analysis (RQ-15-08..RQ-15-09)
15.7 Attack feasibility rating (RQ-15-10..RQ-15-14)
15.8 Risk value determination (RQ-15-15..RQ-15-16)
15.9 Risk treatment decision (RQ-15-17)

Part 2: Deliverables

Clause 5: Organizational Cybersecurity Management

• WP-05-01 Cybersecurity policy, rules and processes
• WP-05-02 Evidence of competence management, awareness management and continuous improvement
• WP-05-03 Evidence of organization’s management systems
• WP-05-04 Evidence of tool management
• WP-05-05 Organizational cybersecurity audit report

Clause 6: Project Dependant Cybersecurity Management

• WP-06-01 Cybersecurity plan
• WP-06-02 Cybersecurity case
• WP-06-03 Cybersecurity assessment report
• WP-06-04 Release for post-development report

Clause 7: Distributed Cybersecurity Activities

• WP-07-01 Cybersecurity interface agreement

Clause 8: Continual Cybersecurity Activities

• WP-08-01 Sources for cybersecurity information
• WP-08-02 Triggers
• WP-08-03 Cybersecurity events
• WP-08-04 Weaknesses from cybersecurity events
• WP-08-05 Vulnerabilty analysis
• WP-08-06 Evidence of managed vulnerabilties

Clause 9: Concept

• WP-09-01 Item defintion
• WP-09-02 TARA
• WP-09-03 Cybersecurity goals
• WP-09-04 Cybersecurity claims
• WP-09-05 Verification report for cybersecurity goals
• WP-09-06 Cybersecurity concept
• WP-09-07 Verification report for cybersecurity concept

Clause 10: Product Development

• WP-10-01 Cybersecurity specification
• WP-10-02 Cybersecurity requirements for post development
• WP-10-03 Documentation of modelling, design, or programming languages and coding guidelines
• WP-10-04 Verification report for the cybersecurity specifications
• WP-10-05 Weaknesses found during product development
• WP-10-06 Integration and verification specification
• WP-10-07 Integration and verification report

Clause 11: Cybersecurity Validation

• WP-11-01 Validation report

Clause 12: Production

• WP-12-01 Production control plan

Clause 13: Operations and Maintenance

• WP-13-01 Cybersecurity incident response plan

Clause 14: End of Cybersecurity and Decomissioning

• WP-14-01 Procedures to communicate the end of cybersecurity support

Clause 15: Threat Analysis and Risk Assessement Methods

• WP-15-01 Damage scenarios
• WP-15-02 Assets with cybersecurity properties
• WP-15-03 Threat scenarios
• WP-15-04 Impact ratings with associated impact categories
• WP-15-05 Attack paths
• WP-15-06 Attack feasibilty ratings
• WP-15-07 Risk values
• WP-15-08 Risk treatment decisions

This site is open source. Improve this page.