Protecting Connected Cars: What You Need to Know About ISO/SAE 21434

A modern car travelling down the motorway at 70 mph is no longer just a mechanical system; it is a networked computing platform on wheels. According to Runsafe Security, fewer than one in five trust their car’s cybersecurity, and 76% worry that remote hacking could endanger lives.

As vehicles become more connected, to the cloud, to mobile devices, even to each other, the stakes rise. Every new connection expands the attack surface, turning innovation into a potential entry point for cyber threats that can compromise safety, violate privacy, and erode brand trust.

To counter these risks, the automotive industry is turning to ISO/SAE 21434: the global road vehicles cybersecurity standard that defines how to build cybersecurity into every stage of the vehicle lifecycle.

This blog will discuss the following:

  • What ISO/SAE 21434 covers, from organisational management to risk assessment.
  • How compliance is assessed through CSMS audits and product-level assessments.
  • How WHIS aligns with ISO/SAE 21434 through Threat Analysis and Risk Assessment (TARA) and its Enhanced Security Module (ESM) for SAFERTOS®.

What is ISO 21434?

ISO/SAE 21434, Road Vehicles – Cybersecurity Engineering, was introduced in August 2021 by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE).

The standard is mandatory for automotive OEMs, and it also requires them to assess the cybersecurity capabilities of their suppliers. These requirements therefore flow down to Tier 1 and Tier N suppliers.

Unlike “ISO 26262: Road vehicles – Functional safety”, which addresses potential hazards caused by malfunctioning E/E systems of road vehicles throughout the vehicle lifecycle, ISO 21434 addresses intentional and malicious threats to vehicle systems. Together, they form a complementary framework for ensuring both safety and security in modern vehicles. Where ISO 26262 compliance is also being claimed, safety hazards should therefore be reconsidered in light of the cybersecurity analysis results.

Why ISO 21434 Matters

The rise of connected vehicles has dramatically increased the attack surface for cyber threats. From remote keyless entry systems to over-the-air updates, each digital interface presents a potential vulnerability.

Governments and automotive bodies are introducing cybersecurity regulations, such as the UNECE WP.29 framework, that effectively require compliance with standards such as ISO/SAE 21434.

Benefits of ISO/SAE 21434 compliance include:

  • Increased customer and partner trust
  • Improved product functional safety and reliability
  • Access to global markets with cybersecurity mandates

In short, ISO/SAE 21434 is not just a technical requirement; it is a strategic imperative for automotive businesses.

ISO/SAE 21434 Clauses and Key Components

The standard is divided into several clauses, each covering an area in which cybersecurity must be considered during automotive software engineering:

  • Organisational cybersecurity management – Establishes company-wide cybersecurity policies, rules, and processes that govern all relevant activities.
  • Project-dependent cybersecurity management – Defines how cybersecurity is managed within specific projects, including planning, roles, and responsibilities.
  • Distributed cybersecurity activities – Describes how cybersecurity responsibilities are assigned between customers and suppliers, including capability expectations and interface agreements.
  • Continual cybersecurity activities – Covers ongoing monitoring of cybersecurity risks and vulnerabilities throughout the system’s lifecycle, including post-production.
  • Concept – Focuses on identifying assets, assessing risks, and defining cybersecurity goals and requirements.
  • Product development – Details how cybersecurity goals, risks, and requirements are implemented, verified, and integrated into system and software development.
  • Cybersecurity validation – Ensures that cybersecurity goals are met and validated within the vehicle environment.
  • Production – Addresses cybersecurity considerations during manufacturing and assembly, ensuring that secure practices are maintained up to vehicle integration.
  • Operations and maintenance – Defines how organisations detect, respond to, and recover from cybersecurity incidents, including updates and patches.
  • End of cybersecurity support and decommissioning – Specifies how cybersecurity is managed at the end of support or during decommissioning of a component or system.
  • Threat analysis and risk assessment methods – Provides guidance on analysing and assessing cybersecurity risks, determining their impact, and defining appropriate mitigations.

Whilst the standard is mandatory for automotive OEMs, not all clauses can necessarily be placed on suppliers. For example, it may not be possible for a supplier or sub-supplier to validate their component at the vehicle level prior to vehicle production. That said, most of the requirements of the standard can be implemented by a supplier organisation to give their customer the utmost confidence in the item or component being supplied.

This modular approach allows organisations to tailor their cybersecurity activities based on their role in the supply chain, while still aligning with the overall system-level security goals.

ISO/SAE 21434 Compliance and Assessment

Suppliers of cybersecurity-related products to the automotive industry can pursue ISO/SAE 21434 certification at different levels:

Product Certification

This certification focuses on the cybersecurity of a specific product or component. The assessment is carried out through a comprehensive technical evaluation and testing by an independent third party. Typical activities include penetration testing and fuzz testing. Successful completion results in a certificate for the specific product or item.

Full Certification

This certification addresses the organisation’s overall Cybersecurity Management System (CSMS) and engineering processes applied across the entire product lifecycle. The assessment involves an external audit of the organisation’s structure, policies, and processes that support cybersecurity throughout the company. Achieving this certification demonstrates the organisation’s capability to develop and maintain secure products over time.

Achieving ISO/SAE 21434 compliance requires collaboration between engineering, compliance, and supplier management teams. Common challenges include aligning legacy systems, documenting processes, and ensuring supplier readiness. Early planning, training, and working with experienced auditors can mitigate these risks.

Future Outlook

The automotive cybersecurity landscape continues to evolve, driven by vehicle connectivity, AI, and software-defined vehicles. ISO/SAE 21434 is expected to adapt to emerging regulatory and technological changes, maintaining alignment with frameworks such as UNECE WP.29 (UN R155) and complementary standards such as ISO/PAS 5112.

Future updates may cover:

  • Guidance on over-the-air updates
  • Vehicle-to-everything (V2X) communications
  • Integration with broader digital infrastructure

Organisations that proactively monitor these developments will be better positioned to innovate securely and maintain regulatory compliance.

WHIS’ Approach to ISO/SAE 21434 Compliance

At WHIS, we proactively monitor threats targeting both our products and corporate IT systems. While we are not an OEM and consequently cannot pursue full ISO/SAE 21434 certification or vehicle-level cybersecurity validation, we align our development processes with the standard’s relevant clauses.

This includes:

  • Conceptual analysis and asset definition
  • Threat Analysis and Risk Assessment (TARA)
  • Secure coding practices and proactive vulnerability management
  • Supporting customers in achieving ISO 21434 compliance for their own systems

By embedding cybersecurity into its engineering practices, WHIS helps customers deliver secure, reliable, and future-ready components.

The Enhanced Security Module (ESM) is a cybersecurity add-on for SAFERTOS®, designed to strengthen system protection in automotive and industrial systems. Built to meet ISO/SAE 21434 standards, it isolates tasks, detects threats, and enforces strict access controls, helping developers achieve both safety and cybersecurity goals.

By integrating cybersecurity into our engineering practices, we give our customers confidence that our products are secure, reliable, and future-ready.

Conclusion

Cybersecurity is essential for modern vehicles. ISO/SAE 21434 provides a comprehensive, structured framework to manage risks across the entire vehicle lifecycle.

By adopting ISO/SAE 21434-aligned practices, organisations can protect their products, their customers, and their brand reputation. Proactive planning, cross-functional collaboration, and supplier alignment are key to creating safer, more secure connected vehicles.

Author

Simon Hodges, Process and Quality Manager