Mapping between ISO/SAE 21434 audit requirements and work products (WPs)

"ISO/PAS 5112 Road vehicles - Guidelines for auditing cybersecurity engineering" is the audit standard for ISO/SAE 21434 and guides audits of a CSMS (cybersecurity management system). Annex A of ISO/PAS 5112 gives an example audit questionnaire for reference, organized into six modules: cybersecurity management, continual cybersecurity activities, risk assessment and methods, concept and product development phase, post-development phase, and distributed cybersecurity activities. Each module contains specific questions with corresponding evidence examples; the evidence examples come mainly from the WPs of ISO/SAE 21434 and from some RQs (requirements) that do not require a WP as output (the earlier article "ISO 21434: Mapping between work products and requirements" also covers this; PS: follow the WeChat official account Vehicle CyberSecurity for more content).

The mapping between the individual audit questions and their evidence is given below.

Audit questionnaire / Evidence examples

A.2.1 Cybersecurity management

Q1.1 Are cybersecurity policy, rules and processes defined?

[WP-05-01] Cybersecurity policy, rules and processes

Q1.2 Are cybersecurity-relevant processes managed?

[WP-05-01] Cybersecurity policy, rules and processes
[WP-05-03] Evidence of organization’s management systems
[WP-05-04] Evidence of tool management
[WP-05-05] Organizational cybersecurity audit report

Q1.3 Are cybersecurity culture and cybersecurity awareness established, implemented, and maintained?

[WP-05-02] Evidence of competence management, awareness management and continuous improvement

Q1.4 Is a process established, implemented, and maintained to manage project-dependent cybersecurity?

[WP-06-01] Cybersecurity plan
[WP-06-02] Cybersecurity case
[WP-06-03] Cybersecurity assessment report

A.2.2 Continual cybersecurity activities

Q2.1 Is a process established, implemented, and maintained to monitor for cybersecurity information?

[WP-08-01] Sources for cybersecurity information
[WP-08-02] Triggers
[WP-08-03] Cybersecurity events

Q2.2 Is a process established, implemented, and maintained to evaluate cybersecurity events?

[WP-08-04] Weaknesses from cybersecurity events

Q2.3 Is a process established, implemented, and maintained to identify and analyse vulnerabilities?

[WP-08-05] Vulnerability analysis

Q2.4 Is a process established, implemented, and maintained to manage identified vulnerabilities?

[WP-08-06] Evidence of managed vulnerabilities

A.2.3 Risk assessment and methods

Q3.1 Are methods established, implemented, and maintained to determine cybersecurity risks for an item across the concept, product development and post-development phases?

[WP-15-04] Impact ratings with associated impact categories
[WP-15-06] Attack feasibility ratings
[WP-15-07] Risk values

Q3.2 Is a process established, implemented, and maintained to perform a threat analysis and risk assessment (TARA) for an item across the concept, product development and post-development phases?

[WP-15-01] Damage scenarios
[WP-15-02] Assets with cybersecurity properties
[WP-15-03] Threat scenarios
[WP-15-04] Impact ratings with associated impact categories
[WP-15-05] Attack paths
[WP-15-06] Attack feasibility ratings
[WP-15-07] Risk values
[WP-15-08] Risk treatment decisions

Q3.3 Is a process established, implemented, and maintained to treat cybersecurity risks for the item across the concept, product development and post-development phases?

[WP-09-04] Cybersecurity claims
[WP-09-03] Cybersecurity goals
[WP-09-02] TARA result

A.2.4 Concept and product development phase

Q4.1 Is a process established, implemented, and maintained to define the item and specify cybersecurity requirements?

[WP-09-01] Item definition
[WP-09-02] TARA
[WP-09-03] Cybersecurity goals
[WP-09-04] Cybersecurity claims
[WP-09-05] Verification report for cybersecurity goals
[WP-09-06] Cybersecurity concept
[WP-09-07] Verification report for the cybersecurity concept

Q4.2 Is a process established, implemented, and maintained for verification of cybersecurity requirements on components during the development phase?

[WP-10-04] Verification report for the cybersecurity specifications
[WP-10-05] Weakness found during product development, if applicable
[WP-10-06] Integration and verification specification
[WP-10-07] Integration and verification report

Q4.3 Is a process established, implemented, and maintained for validation of cybersecurity goals and claims at the item level?

[WP-11-01] Validation report

A.2.5 Post-development phase

Q5.1 Is a process established, implemented, and maintained for the release of an item or component for the post-development phases?

[WP-06-04] Release for post-development report

Q5.2 Is a process established, implemented, and maintained to apply the post-development cybersecurity requirements during production?

[WP-12-01] Production control plan

Q5.3 Is a process established, implemented, and maintained to respond to cybersecurity incidents?

[WP-13-01] Cybersecurity incident response plan

Q5.4 Is a process established, implemented, and maintained for updates to items or components after production?

Software update management related to cybersecurity

Related work products that are required according to ISO/SAE 21434:2021 from the concept and product development phases

Q5.5 Is a procedure established, implemented, and maintained for communicating the end of cybersecurity support?

[WP-14-01] Procedures to communicate the end of cybersecurity support

Q5.6 Is a procedure established, implemented, and maintained for making cybersecurity requirements for decommissioning available?

Appropriate documentation (e.g. instructions, user manuals) relating to such requirements can enable decommissioning with regard to cybersecurity.

A.2.6 Distributed cybersecurity activities

Q6.1 Is a process established, implemented, and maintained to manage dependencies that may exist within the entire relevant supply chain regarding the cybersecurity management system?

[WP-07-01] Cybersecurity interface agreement

Evidence of supplier capabilities
Evidence of RFQs (requests for quotation)

posted @ 2025-04-22 15:25 Walker_Lee