Scope of ISO/SAE 21434
The scope of ISO/SAE 21434:2021 defines the boundaries of the standard: what is covered, who it applies to, and which aspects of vehicle cybersecurity are addressed. It clarifies the lifecycle phases, stakeholders, and systems that fall under its requirements.
Lifecycle Coverage
ISO 21434 applies to all phases of a vehicle’s lifecycle:
- Concept phase – defining cybersecurity goals and high-level claims.
- Development phase – deriving cybersecurity requirements, design, and validation.
- Production – ensuring secure manufacturing and assembly.
- Operations and maintenance – monitoring, software updates, incident response.
- Decommissioning – secure end-of-life and disposal of components.
Systems and Components
The standard addresses electrical and electronic (E/E) systems in road vehicles, including:
- Control units and on-board networks.
- Interfaces such as OBD, diagnostic ports, and external communications (Wi-Fi, LTE, Bluetooth, V2X).
- Software, firmware, and configuration data used in these systems.
Stakeholders
ISO 21434 requirements apply not only to vehicle manufacturers (OEMs), but also to their suppliers and service providers:
- Tier-1 and Tier-2 suppliers delivering hardware or software components.
- Engineering service providers and integrators.
- Organizations responsible for software updates or aftermarket services.
What Is Out of Scope
Although broad in coverage, ISO 21434 does not prescribe specific technical countermeasures or encryption algorithms. Instead, it provides a process framework that each organization must tailor to its own technology and risk profile. Functional safety (covered by ISO 26262) is referenced, but it is not the primary focus of ISO 21434.
Purpose of the Scope
By defining its scope clearly, the standard ensures that all stakeholders share a common understanding of what cybersecurity engineering in the automotive domain entails. This alignment supports compliance with international regulations such as UNECE R155 and R156.