How to reach CSMS certification and cybersecurity vehicle type approval

Successfully implementing UNECE WP.29 cybersecurity & ISO/SAE 21434

17 Sep 2020
Dr. Christopher Kusch, ESCRYPT & Joachim Jeanneret, KPMG Sweden

The number and reach of potential attack scenarios for modern vehicles have drastically increased. Consequently, activities are underway worldwide to regulate and standardize automotive cybersecurity. They all share three main trends: a stronger focus on the specifics of the automotive industry; the challenge and requirement to maintain security over the entire lifecycle; and the increasingly compulsory nature of regulations such as the inclusion of cybersecurity at type approval. These trends are particularly visible in the recently adopted UN Regulation from the UNECE WP.29 and the upcoming ISO/SAE 21434. They define and mandate explicit Cybersecurity Management Systems (CSMS) for the protection of vehicles.

On June 24, the UNECE World Forum for Harmonization of Vehicle Regulations adopted the new UN regulations on cybersecurity and software updates for connected vehicles. In addition to the 54 signatories, which include Germany and the EU, South Korea and Japan will also adopt the agreement. The UNECE regulations will come into force from January 2021 and will be compulsory for all new vehicle types from July 2022, and for all new vehicles manufactured from July 2024. Considering typical development times, manufacturers and suppliers need to consider the new requirements today. Ensuring successful type approval in accordance with the new regulations while avoiding overspending has become a critical business success factor.

Industry trends & developments

In the absence of finalized certification schemes, OEMs and suppliers need a clear roadmap that focuses on the key “big picture” issues now while allowing for adaptations to the final, detailed requirements later. Using insights from our engagements in all regions worldwide, we address relevant activities and major questions that arise in the buildup of a CSMS. We discuss in this webinar:

  • The UNECE WP.29 test phase
  • Relevant working groups (e.g. at the ISO or VDA)
  • The relationship of information security and cybersecurity
  • Security for the entire lifecycle
  • Impact on the manufacturer/supplier relationship
  • Cybermaturity in the ecosystem, in particular in the supply chain

Optimizing your cybersecurity approach with PROOF

The “Product Security Organization Framework” (PROOF) enables organizations to optimize their CSMS development. It builds on global insights & benchmarks from decades of experience in auditing and automotive security engineering. Its auditing approach provides transparency into an organization’s maturity relative to the ISO/SAE 21434, the UNECE WP.29, and further standards. This leads to clear and goal-oriented CSMS roadmaps, so manufacturers and suppliers can focus their resources (time, money, expertise) where they have the greatest impact, track progress, and perform validation checks before the final certification.

In this webinar, ESCRYPT and KPMG introduce a proven methodology to roll out a CSMS and prepare for vehicle type approval using PROOF. The methodology combines lessons learned from successfully applying regulations in many different industries with the automotive-security-specific expertise that is necessary to take into account the dependencies of cybersecurity with functional safety, environment protection, and theft protection.

Your hosts

This live webinar will be presented by Dr. Christopher Kusch, Security Consultant at ESCRYPT, and Joachim Jeanneret, Manager Cyber Security at KPMG Sweden.

CSMS & vehicle type approval: New requirements for automotive cybersecurity
Impact on manufacturers, suppliers, and their relationship
Industry trends & lessons learned for establishing an automotive CSMS
Leveraging existing strengths to optimize resources for vehicle type approval
A look beyond UNECE WP.29 and ISO/SAE 21434
Q & A