Cybersecurity Management System (CSMS)
Under UNECE R155, manufacturers must establish and operate a Cybersecurity Management System (CSMS) that governs how cybersecurity risks are identified, assessed, treated, and monitored across the vehicle lifecycle and supply chain. The CSMS is assessed as part of type approval and must be demonstrably effective in practice.
Purpose
The CSMS provides organizational capability for cybersecurity: policies, roles, processes, competence, tools, and evidence. It ensures consistent application of risk management to each vehicle type and supports continual improvement as threats evolve.
Core Elements of a CSMS
- Policy & Objectives – documented intent, scope, and goals for cybersecurity.
- Governance & Accountability – clear roles, responsibilities, and escalation paths.
- Process Framework – risk management, verification/validation, incident response, vulnerability handling, change/configuration control.
- Competence & Training – qualification criteria, curricula, and records.
- Tools & Infrastructure – approved toolchains for analysis, testing, updates, and monitoring.
- Work Products & Records – objective evidence enabling audits and type approval.
- Continuous Improvement – lessons learned, KPIs, internal audits, corrective actions.
Lifecycle Integration
The CSMS applies across concept, development, production, operation/maintenance, and decommissioning. It mandates traceability from risks to requirements, design, tests, deployment, and operations. Results must be repeatable and auditable across projects and platforms.
Supplier & External Interfaces
- Flow down cybersecurity requirements and acceptance criteria in contracts/SOWs.
- Exchange essential artifacts (TARA (Threat Analysis and Risk Assessment) excerpts, test reports, update procedures).
- Perform supplier assessments/audits proportional to risk and criticality.
- Define responsibility splits for incident handling, monitoring, and updates.
Monitoring, Vulnerabilities & Incidents
- Establish channels for vulnerability intake (internal, suppliers, public reporting).
- Define triage/severity criteria; link to risk treatment and corrective actions.
- Operate field monitoring with thresholds, alerts, and escalation workflows.
- Maintain communications plans for authorities, customers, and partners.
Competence Management
Maintain role definitions with required skills; implement onboarding and periodic training; record competence evidence for personnel involved in cybersecurity engineering, testing, production, service, and response.
Alignment with Standards
Many manufacturers implement CSMS processes using ISO/SAE 21434 (engineering work products and risk management). Software update governance is coordinated with UNECE R156 and ISO 24089. Safety coordination follows ISO 26262 where applicable.
Typical CSMS Outputs / Evidence
- CSMS description (scope, org chart, roles, policy, KPIs, improvement cycle).
- Process procedures & templates (risk management, verification/validation, incident response, change control).
- Competence & training records; tool qualification/approval records.
- Project/application artifacts: TARA results, requirements/traceability, test reports, conformity statements.
- Operational records: monitoring dashboards/reports, vulnerability tickets, incident post-mortems.
- Supplier evidence packages, assessment results, and agreed responsibility splits.