
Cyber Security Plan: Explanation based on ISO 21434


Are you wondering how to create a cyber security plan, what to look out for, or are you looking for practical tips? Then you’ve come to the right place. In this blog article, we will answer your questions and help you to understand and successfully implement the cyber security plan in your company or department.

Note: Although the focus here is on ISO/SAE 21434, the planning approach can also be applied to other processes, for example ones that are NIS-2 or CRA-compliant.

What is ISO/SAE 21434?

Where does the cyber security plan fit within ISO 21434?

[Figure: ISO 21434 overview diagram]
Source: https://www.iso.org/obp/ui/en/#iso:std:iso-sae:21434:ed-1:v1:en
The cyber security plan refers specifically to section 6 of ISO 21434, which deals with the cyber security management of projects. As can be seen in the diagram, section 6.4.2 in particular focuses on cybersecurity planning. This is exactly where we start: We explain how the requirements of the standard can be met and how practical, efficient planning can be carried out in order to meet the security requirements.

What is a cyber security plan?


According to ISO 21434, certain requirements must be met. It is important to emphasize that the following points are based on our own interpretation and have not been taken directly from the standard:

  • The product must be assessed to determine whether it is relevant to cyber security and what measures are required to ensure its security.
  • The cyber security plan must contain information on the following points:
    • Objective of each activity
    • Dependencies between the activities
    • Assignment of responsibilities
    • Start and end time of each activity
  • A Cyber Security Management System (CSMS) in accordance with ISO 21434 must be in place, which serves as a guideline and defines the procedure.
  • The cyber security plan can either exist as a separate planning document that refers to the development project plan or be integrated directly into it.
  • It must be updated regularly as required, for example with every release or change request.
  • If tasks are delegated to customers or suppliers, they must also have a cyber security plan.
  • The plan must be treated as an essential document, versioned and maintained regularly.

A closer look at the requirements for the cyber security plan reveals that it is a classic planning task. So what is specific to the CS plan in relation to ISO 21434? As already mentioned, another compliant process can be used instead of a CSMS in accordance with ISO 21434.

Why is a cyber security plan important?


When developing secure products, project-specific planning is an essential part of cyber security. Even if a security process is already in place, the lack of clear planning inevitably leads to chaos in the project. Without a clear assignment of tasks and responsibilities, those involved do not know who has to do which task at what time. This is comparable to general project management: if there is a lack of coordination and everyone only works according to process specifications without supervision, unclear structures arise and important deadlines cannot be met.

In short, a (cyber) security plan is essential to effectively apply your security process.

What does a cyber security plan look like?


The answer is: it depends on your (cyber) security process.

Each security process has an individual structure, different steps and specific work products. It is crucial that this process is translated into a plan that fulfills the aforementioned requirements.

Here is a short fictitious example:

Activity            Dependencies   Responsible   Start        End          Effort
Identify assets     -              Alice         12.12.2024   20.12.2024   20h
Identify Risks      1              Bob           02.01.2025   20.01.2025   30h
Identify Measures   2              Carl          01.02.2025   25.02.2025   100h

In this example, it is assumed that the security process used represents the steps in the table in the form of dependencies. First, the assets are identified, then the risk analysis is carried out on the basis of these assets, and finally the measures are specified. The plan clearly shows when each task starts, who is responsible for it, by when it must be completed and how much effort the person responsible needs to complete it. This information is essential for effective project management.

However, it is possible that the assets, risks and measures are taken over from another project if the product differs little or not at all – which is rarely the case. In this case, the three tasks would be omitted. Instead, a new task would have to be formulated, for example “Review of the transferred cyber security documents”.

This would fulfill the core requirements of ISO 21434.
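As an added illustration, not code from the article, here is a small Python model of such a plan. It encodes the fictitious table above together with the content requirements listed earlier (objective, dependencies, responsible person, start and end of each activity) and checks them: every activity is complete, no activity starts before the activities it depends on have ended, and the dependency chain contains no cycle. It also derives the execution order and the total planned effort, which is what the security manager hands over when the plan is merged into the project plan. The Activity fields, the objective texts and the second "transfer" plan are this example's own constructions; the names, dates and hours mirror the table.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List


@dataclass
class Activity:
    """One row of the cyber security plan (field names are this example's own)."""
    id: int
    name: str
    objective: str
    responsible: str
    start: date
    end: date
    effort_h: int
    depends_on: List[int] = field(default_factory=list)


# Constructed sample plan: the three rows of the article's fictitious table,
# each given an objective so that all listed content requirements are present.
PLAN = [
    Activity(1, "Identify assets", "List the item's assets and their security properties",
             "Alice", date(2024, 12, 12), date(2024, 12, 20), 20),
    Activity(2, "Identify risks", "Derive threat scenarios and rate the risk per asset",
             "Bob", date(2025, 1, 2), date(2025, 1, 20), 30, depends_on=[1]),
    Activity(3, "Identify measures", "Specify controls that treat the identified risks",
             "Carl", date(2025, 2, 1), date(2025, 2, 25), 100, depends_on=[2]),
]

# Constructed variant for the case where assets, risks and measures are taken
# over from another project: the three tasks collapse into one review task.
TRANSFER_PLAN = [
    Activity(1, "Review of the transferred cyber security documents",
             "Confirm that the transferred assets, risks and measures still apply",
             "Alice", date(2025, 1, 6), date(2025, 1, 10), 12),
]

# Constructed defective plan: the second activity starts before its dependency ends.
OVERLAPPING_PLAN = [
    Activity(1, "Identify assets", "List assets", "Alice", date(2025, 1, 1), date(2025, 1, 10), 5),
    Activity(2, "Identify risks", "Rate risks", "Bob", date(2025, 1, 5), date(2025, 1, 12), 5,
             depends_on=[1]),
]


def execution_order(plan: List[Activity]) -> List[str]:
    """Order activities so that every dependency comes first; raise on a cycle."""
    done, order = set(), []
    remaining = list(plan)
    while remaining:
        ready = [a for a in remaining if set(a.depends_on) <= done]
        if not ready:  # nothing can start: the remaining activities depend on each other
            raise ValueError("dependency cycle among: " + ", ".join(a.name for a in remaining))
        for a in sorted(ready, key=lambda a: a.start):
            order.append(a.name)
            done.add(a.id)
        remaining = [a for a in remaining if a.id not in done]
    return order


def validate_plan(plan: List[Activity]) -> List[str]:
    """Check the plan against the content requirements; an empty list means it passes."""
    findings = []
    by_id = {a.id: a for a in plan}
    if len(by_id) != len(plan):
        findings.append("activity ids are not unique")
    for a in plan:
        if not a.objective.strip():
            findings.append(f"{a.name}: objective missing")
        if not a.responsible.strip():
            findings.append(f"{a.name}: no responsible person assigned")
        if a.end < a.start:
            findings.append(f"{a.name}: end date lies before start date")
        if a.effort_h <= 0:
            findings.append(f"{a.name}: effort must be positive")
        for dep_id in a.depends_on:
            dep = by_id.get(dep_id)
            if dep is None:
                findings.append(f"{a.name}: depends on unknown activity {dep_id}")
            elif dep.end > a.start:
                findings.append(f"{a.name}: starts before dependency '{dep.name}' ends")
    try:
        execution_order(plan)
    except ValueError as exc:
        findings.append(str(exc))
    return findings


def total_effort(plan: List[Activity]) -> int:
    """Sum of planned hours, the figure that goes into the overarching project plan."""
    return sum(a.effort_h for a in plan)


if __name__ == "__main__":
    print("order:", " -> ".join(execution_order(PLAN)))
    print("effort:", total_effort(PLAN), "h")
    print("findings:", validate_plan(PLAN) or "none")
    print("findings (overlap):", validate_plan(OVERLAPPING_PLAN))
```

The checks deliberately stay at the level the standard asks for (each activity has an objective, dependencies, a responsible person and a time window); the date comparison between an activity and its dependencies is the one most often violated when a security plan is merged into a project plan that was drawn up without it.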

Hybrid or individual planning - that is the question here

As a rule, several projects have to be managed simultaneously, which significantly reduces the time that can be spent on a single project. In such cases, a hybrid, integrated approach is recommended. “Hybrid” means that the security manager creates a specific initial plan for the project and integrates it into the overarching project plan in collaboration with the project manager. In this way, all relevant deadlines and overlapping tasks are recorded, which enables the project manager to manage the projects, including the security tasks, more effectively.

Who should plan and who should coordinate?


As already mentioned, the initial planning should be drawn up by the person responsible for security, as they are best informed about which tasks need to be completed.

This planning should be integrated into the central project planning in close cooperation with the (technical) project manager in order to ensure the most efficient way of working.

If the security manager is responsible for several projects, it is more effective if coordination is carried out by the (technical) project manager. Otherwise, there is a risk that deadlines will not be met. In addition, the project manager acts as a coordinating authority and is able to prioritize tasks accordingly and decide when which measures should be taken. In comparison, a security manager who is solely concerned with process compliance does not have the same authority as a project manager.

Conclusion

An effective cyber security plan is essential for the successful implementation of security processes in projects, especially in the automotive industry in accordance with ISO 21434. Project-specific planning plays a central role in creating clarity about tasks, responsibilities and time frames. A hybrid approach, in which the person responsible for security creates the initial planning and integrates it into the central project planning together with the (technical) project manager, promotes an efficient way of working.

Coordination by the project manager is particularly important when several projects are being managed simultaneously, in order to ensure that deadlines are met and to optimize the prioritization of tasks. While the security manager oversees process compliance, the project manager has the authority to make strategic decisions and direct the necessary steps to implement security requirements.

Overall, well-structured planning and close collaboration between the stakeholders involved is crucial to meeting cyber security requirements and ensuring the security of products in the long term.
