FAQ
ISO 21434 readiness vs certification
Short answer
ISO/SAE 21434 itself is a process standard — it defines what activities your cybersecurity engineering process must perform, not a binary pass/fail certification. "Certification" against ISO/SAE 21434 typically refers to one of two things: a third-party assessment confirming your process complies (most common in automotive supply chains), or compliance with UN-R 155, which is a regulation that mandates CSMS (Cybersecurity Management System) and references ISO/SAE 21434 as the recommended implementation. Most buyers who say "we need ISO 21434 certification" are talking about UN-R 155 type approval, which is a regulatory requirement, not the optional ISO certification process.
Untangling the terms
- **ISO/SAE 21434:** a standard. Defines cybersecurity engineering for road vehicles across the product lifecycle.
- **UN-R 155 (CSMS):** UNECE regulation, mandatory in the EU and many other markets since 2024 for new vehicle types. Requires a Cybersecurity Management System; ISO/SAE 21434 is the de-facto implementation path.
- **UN-R 156 (SUMS):** companion regulation, mandates a Software Update Management System.
- **"ISO 21434 certification":** colloquially used to mean "a third-party assessor confirms our 21434 implementation is sufficient." Common in OEM/Tier-1 supplier relationships as a contractual requirement.
Readiness vs certification work
**Readiness assessment** focuses on closing gaps before a formal evaluation:
- Gap analysis against ISO/SAE 21434 clauses
- TARA on representative high-risk systems
- Cybersecurity case documentation
- Process artifacts (incident response, vulnerability management, secure development lifecycle)
- Evidence package preparation
**Certification / type approval work** is the formal evaluation by an authorized auditor (for UN-R 155 type approval) or a third-party assessor (for ISO 21434 informal certification). Melina supports both — we typically run readiness assessment before our clients engage the formal auditor, since the auditor's role is to evaluate, not to consult on remediation.
What we typically recommend
For OEMs and Tier-1 suppliers facing UN-R 155 deadlines, start with readiness assessment 6-9 months before the planned auditor engagement. This gives time for remediation, TARA work on production systems, and process maturation. For suppliers facing OEM contractual requirements, scope can be narrower — typically gap analysis + select TARA + cybersecurity case documentation tailored to the specific contract.
Related FAQs
- Should we do TARA before ECU pentest?
Related services and solutions
- Automotive Security
- ISO/SAE 21434 Readiness solution (P1.5)
- ISO/SAE 21434 explainer (P1.5)