<!-- Source: https://melinasecurity.com/solutions/iso-21434-readiness/  License: CC BY 4.0 with attribution to Melina Security  Last-updated: 2026-06-12 -->


[ISO/SAE 21434](/knowledge/glossary/iso-sae-21434/) is the international standard for cybersecurity engineering of road vehicles and the de-facto implementation path for [UN-R 155](/knowledge/glossary/un-r-155/) — the United Nations regulation mandating Cybersecurity Management Systems for new vehicle type approvals.

For OEMs and Tier-1 suppliers, ISO/SAE 21434 readiness work is now operationally a type-approval prerequisite in most regulated markets. This solution covers the readiness path: CSMS gap assessment, [TARA](/knowledge/glossary/tara/) execution, cybersecurity-case documentation, and pre-audit remediation.

## Where Melina engages on ISO/SAE 21434 readiness

### CSMS process gap assessment

ISO/SAE 21434 organizes work into overall cybersecurity management (governance), project-dependent cybersecurity management, continuous cybersecurity activities, concept phase, product development, cybersecurity validation, production, operations and maintenance, and decommissioning.

We assess the existing organization against this structure, identifying where existing processes already meet the requirements (often more than expected — quality and safety frameworks share structural patterns with cybersecurity), where gaps exist, and where the path to closing gaps is straightforward versus structural.

### TARA execution and review

[TARA](/knowledge/glossary/tara/) is the central risk-analysis artifact in ISO/SAE 21434. We execute TARA on items ranging from individual ECU classes to vehicle E/E architectures, working alongside the engineering team. For OEMs reviewing supplier-delivered TARA, we provide structured TARA review feedback against ISO/SAE 21434 requirements.

A common scope: the OEM has drafted concept-phase TARA, the supplier has drafted item-definition-phase TARA, and the two need reconciliation at the cybersecurity-interface boundary. We run that reconciliation as a structured workshop and deliver the reconciled TARA as its output.

### Cybersecurity-case documentation

The cybersecurity case is the per-project evidence package — TARA outputs, design decisions, verification artifacts, validation outcomes, traceability between them — that demonstrates the cybersecurity goals were met. We support cybersecurity-case preparation as a deliverable alongside the technical work.

### Cybersecurity-interface agreement

Where OEMs and Tier-1 suppliers operate across the cybersecurity-interface boundary, the cybersecurity-interface agreement defines who is responsible for which security activities, how findings are exchanged, how design changes propagate, and how incident response is coordinated. We support cybersecurity-interface agreement design as a deliverable.

### Pre-audit gap remediation

Before formal type-approval audit, we work with the OEM or supplier on gap remediation — process documentation, evidence collection, traceability reconstruction where prior work created the inputs but did not preserve the documentation trail.

## What this solution does not include

- The formal third-party assessment for UN-R 155 type approval — performed by accredited Technical Services designated by the type-approval authority
- ISO/SAE 21434 certification audit — issued by an accredited certification body
- Functional-safety work proper (ISO 26262) — we support cybersecurity work that interfaces with functional safety, but functional-safety engineering is a separate discipline

## Service mapping

ISO/SAE 21434 readiness draws on the following services:

- [IoT & Embedded Security](/services/iot-embedded-security/) — for ECU-level technical work
- [Architecture & Cloud Review](/services/architecture-cloud-review/) — for TCU back-end and connected services
- [GRC services](/services/grc/) — for the CSMS process side

## Compliance and standards frame

- ISO/SAE 21434:2021 (cybersecurity engineering of road vehicles)
- UN-R 155 (vehicle type-approval cybersecurity)
- UN-R 156 (Software Update Management System)
- ISO/PAS 5112 (CSMS audit guidance)
- ISO 26262 (functional safety — alignment, not coverage)
- China-market: GB/T 44464 (passenger vehicle cybersecurity) and related GB-series standards

## Engagement model

ISO/SAE 21434 readiness is typically [Custom Engagement](/engagement-models/custom-engagement/). Individual TARA execution can run as [Scoped Assessment](/engagement-models/scoped-assessment/). Ongoing CSMS support across multiple programs is typically [Retainer](/engagement-models/retainer/).

## What buyers ask us first

Three questions surface in nearly every initial conversation with an automotive OEM or Tier-1 supplier:

**"How much existing quality / safety process counts toward ISO/SAE 21434 readiness?"** More than expected. Organizations with mature ISO 9001 quality processes and ISO 26262 functional-safety processes typically satisfy 40-60% of the CSMS process requirements through existing process mapping. The gaps tend to live in cybersecurity-specific activities (TARA, vulnerability management, cybersecurity-interface agreements) rather than in the foundational governance layer. The readiness path is usually a CSMS overlay on existing process infrastructure, not a from-scratch program.

**"What does TARA quality actually look like at audit?"** TARA quality is what cybersecurity-case auditors evaluate when they validate the work product chain. We've published the [Seven Anti-Patterns + Four-Question Review Protocol](/research/tara-quality-patterns/) as the practitioner catalog that lets internal reviewers self-assess TARA quality before external audit — typically catching three or four anti-patterns within an hour of focused review.

**"Can readiness work proceed in parallel with active product development?"** Yes — and usually should. Sequential "finish development, then start CSMS readiness" produces TARA work that lags behind design decisions and cybersecurity-case evidence that has to be reconstructed retroactively. Parallel work integrates CSMS process into the active engineering rhythm, which produces better artifacts and a much shorter remediation cycle before audit.

> "The teams that find ISO/SAE 21434 readiness painful are the teams treating it as a documentation exercise bolted onto finished engineering. The teams that find it manageable are integrating CSMS process into the active engineering rhythm. The standard is engineered to be implementable; the implementation pattern matters more than the team's prior cybersecurity-specific experience." — Tatiana K., CEO, Melina Security

## Frequently asked questions

### How long does end-to-end ISO/SAE 21434 readiness take?

For a Tier-1 supplier with established quality processes and a single product line: 6-10 weeks for gap assessment and 3-6 months for full remediation alongside the supplier's engineering team. For an OEM building a CSMS from a low-maturity baseline, the work is multi-quarter and is structured as a retainer rather than a fixed assessment.

### Can you sign off as the third-party assessor for UN-R 155 type approval?

No. UN-R 155 type-approval assessment is performed by accredited Technical Services designated by the type-approval authority. We provide assessment and engineering support that is input into the OEM's submission, not the type-approval decision.

### Do you work with Chinese automotive cybersecurity requirements as part of ISO/SAE 21434 readiness?

Yes — Chinese-market vehicles operate under GB/T 44464 and related GB-series standards that share structural patterns with ISO/SAE 21434 but include China-specific elements. Engagements covering both frameworks are organized to reuse the technical analysis efficiently.

### How does the cybersecurity-interface agreement actually get drafted between an OEM and a Tier-1?

A structured workshop with representation from both organizations' cybersecurity engineering teams produces the first draft within 2-3 working sessions. The artifact defines responsibility allocation across the cybersecurity activities (TARA portions, vulnerability response, design-change notification, incident-response coordination), the evidence-exchange protocol, and the escalation path for disputes. Legal and contractual integration happens after the technical workshop output is stable, not before.

### What happens to the cybersecurity case if we discover a gap during pre-audit remediation?

Gap remediation falls into three categories: documentation reconstruction (the underlying work was done but evidence wasn't preserved — fastest to remediate), process retrofitting (the work pattern was wrong but the design intent is sound — moderate cost), and design-level remediation (the underlying engineering decision needs to change — most expensive). Pre-audit remediation typically resolves the first two categories in 4-8 weeks; the third may push the audit window depending on the design change required.

### Related

- [What is TARA?](/knowledge/glossary/tara/)
- [What is ISO/SAE 21434?](/knowledge/glossary/iso-sae-21434/)
- [What is UN-R 155?](/knowledge/glossary/un-r-155/)
- [Industries — Automotive](/industries/automotive/)
- [Is UN-R 155 the same as ISO/SAE 21434? — FAQ](/knowledge/faq/un-r-155-vs-iso-21434/)
- Companion research: [TARA Quality Anti-Patterns — A Practitioner Catalog and Four-Question Review Protocol](/research/tara-quality-patterns/)
