
Cybersecurity Management System (CSMS)

Learn what is necessary for your organization to integrate cybersecurity into your process landscape.

A management system is about structures, processes, measures and competencies. The United Nations Economic Commission for Europe (UNECE) has published UN Regulation No. 155 (UN R155) requiring automotive manufacturers to implement a cybersecurity management system (CSMS) for all vehicles manufactured in July 2024 or later.

UN R155 CSMS requirements

UN R155 defines a CSMS as “a systematic risk-based approach defining organizational processes, responsibilities and governance to treat risk associated with cyber threats to vehicles and protect them from cyberattacks.”

In other words, the CSMS structures your company's approach to safety and security and governs what actions must be taken by whom and when to keep the connected vehicle secure until the end of its service life. It includes your company’s:

  • Cybersecurity culture.
  • Organizational structure.
  • Documentation of required development processes and procedures.
  • Monitoring of whether the work performed is in accordance with established processes and procedures.
  • Monitoring of whether the work results in appropriately secure products.
  • Necessary infrastructure.
  • Required skills and competencies.

The UNECE requires OEMs and suppliers to: 

  • Design products to be secure throughout their life cycle.
  • Constantly evaluate new vulnerability information.
  • Take action accordingly.

ISO/SAE 21434: A comprehensive approach to cybersecurity

The international standard ISO/SAE 21434, Road Vehicles — Cybersecurity Engineering, published in 2021, takes a comprehensive approach to connected vehicle cybersecurity and identifies the engineering requirements for a CSMS.

The CSMS coordinates ongoing comprehensive cybersecurity tasks at the corporate, business and project level. Risks differ at each level, and the management system’s level of detail relates to the nature of the risks. At the appropriate levels, companies should derive corresponding subsystems with structures, processes, measures and competencies. Industry best practices recommend integrating cybersecurity requirements into your existing process landscape rather than deploying an additional isolated management system.

Continuous cybersecurity activities

A cybersecurity management system can help companies thoroughly carry out the necessary cybersecurity activities for development, production and post-production until the vehicle series reaches the end of its service life.

To this end, Clause 8 of ISO/SAE 21434, in particular, requires that manufacturers continually check whether the risk assumptions and countermeasures are up to date.

Carefully implementing the CSMS and fostering a cybersecurity culture in your organization can help your team members more effectively integrate cybersecurity concerns into their work and develop cybersecurity by design.

Cybersecurity management system chart

Cybersecurity services from UL Solutions Software Intensive Systems

UL Solutions Software Intensive Systems can support automotive original equipment manufacturers (OEMs) and suppliers in your efforts to:

  • Foster awareness of the need for comprehensive end-to-end safeguards.
  • Provide detailed assessments of any threats posed.
  • Match your cybersecurity policies to processes, products and IT requirements.
  • Manage involved specialists.
  • Assess and improve your development processes with respect to security issues.
  • Adapt existing workflows and procedures to address key cybersecurity issues.
  • Navigate conformance to UNECE systems homologation guidelines.
  • Define and introduce new development processes that meet the requirements of ISO/SAE 21434.
  • Evaluate, develop and implement cybersecurity management systems.
  • Select relevant security technology and industry standards according to your requirements (we offer ISO-compliant kits and templates).

Within UL Solutions, we provide a broad portfolio of offerings to many industries. This includes certification, testing, inspection, assessment, verification and consulting services. To prevent any conflict of interest or perception of conflict of interest, and to protect both our brand and our customers' brands, UL Solutions has processes in place to identify and manage any potential conflicts of interest and maintain the impartiality of our conformity assessment services.