About the Author and This Research

Pooja Patil published this research on arXiv in 2025, positioning it at the intersection of automotive software engineering and cybersecurity compliance methodology. arXiv, as one of the world's most prominent open-access preprint repositories for engineering and computer science research, serves as a critical platform for capturing emerging industry challenges in near-real time. Patil's work directly addresses a structural tension that has long troubled automotive development teams: ISO/SAE 21434 mandates systematic, auditable cybersecurity engineering processes, but the linear, phase-gated nature of the traditional V-model makes it inherently difficult to respond to evolving threat landscapes mid-development. The paper's contribution lies not only in its theoretical synthesis but in its provision of a practical case study that demonstrates how iterative Threat Analysis and Risk Assessment (TARA) can be embedded within agile Sprint cycles to improve both compliance outcomes and risk management efficiency.

Core Findings: How Agile Transforms ISO/SAE 21434 Compliance

The paper's central argument is that the traditional V-model, while providing valuable structural discipline, is fundamentally ill-equipped to address the dynamic cybersecurity requirements of modern connected vehicles. With today's vehicles averaging over 100 ECUs and increasingly reliant on wireless communication interfaces, OTA update mechanisms, and cloud connectivity, the threat landscape at any given development milestone can differ substantially from what was assessed at project inception.

Finding 1: Iterative TARA Enables Earlier Risk Identification

By embedding TARA activities within each Sprint rather than performing a single comprehensive risk assessment at project initiation, the framework enables development teams to identify security defects at a stage where remediation costs are significantly lower. This "shift-left" principle, well-established in mainstream software engineering, is applied here specifically to automotive cybersecurity in alignment with ISO/SAE 21434 Clause 15's requirements for continuous cybersecurity activities. The case study demonstrates that this approach produces traceable risk registers and cybersecurity goal refinements that directly satisfy the auditability requirements of both ISO/SAE 21434 and TISAX assessments at evaluation levels AL 2 and AL 3.

Finding 2: Agile Integration Builds Organizational Secure-by-Design Culture

Beyond process efficiency, the framework promotes a cultural shift in how development organizations approach security. By embedding cybersecurity requirements—including asset identification, threat scenario construction, and attack feasibility analysis—into Sprint planning and Definition of Done criteria, security becomes a continuous shared responsibility rather than a compliance checkpoint managed by a dedicated security team at the end of development. This organizational dynamic aligns with ISO/SAE 21434 Clause 5's requirements for organizational cybersecurity management and supports the establishment of an auditable Cybersecurity Management System (CSMS) as required under UNECE WP.29 R155.

Implications for Taiwan's Automotive Cybersecurity Landscape

The regulatory context facing Taiwan's automotive supply chain has become substantially more demanding since 2022. UNECE WP.29 R155, which entered into force for new vehicle type approvals in July 2022, requires automotive manufacturers and their supply chains to demonstrate a certified CSMS. European OEMs have responded by requiring TISAX certification from their Tier 1 and Tier 2 suppliers as a condition of supply chain participation, with many extending this requirement to Tier 3 suppliers by 2025.

For Taiwan's automotive suppliers, three structural challenges emerge directly from this regulatory environment and are addressable through the framework Patil proposes. First, traceability gaps in existing V-model documentation make it difficult to produce the continuous evidence trail required for ISO/SAE 21434 audit readiness and TISAX assessment. Second, the absence of a formally designated Cybersecurity Manager role—as required under ISO/SAE 21434 Clause 5.4—creates accountability gaps in organizational cybersecurity governance. Third, supply chain cybersecurity management under ISO/SAE 21434 Clause 7 requires suppliers to evaluate and document the cybersecurity capabilities of their own sub-suppliers, a requirement that many Taiwan manufacturers currently manage informally at best.

The agile integration framework provides a pragmatic entry point for addressing these challenges: organizations do not need to discard their existing V-model processes, but can progressively embed iterative TARA and continuous security testing within their development cycles, generating the auditable evidence trail required for TISAX compliance as a natural output of their development process rather than a separate documentation exercise.

Winners Consulting Services Co. Ltd.: Supporting Taiwan's Agile Cybersecurity Transformation

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) supports Taiwan's automotive supply chain in achieving TISAX certification, implementing ISO/SAE 21434, and meeting UNECE WP.29 R155 vehicle cybersecurity requirements. Based on the framework presented in Patil (2025), we recommend the following concrete action steps for Taiwan automotive suppliers:

1. Gap Assessment Against ISO/SAE 21434 Clause Structure: Conduct a structured evaluation of existing V-model development documentation against the requirements of ISO/SAE 21434 Clauses 9 through 15, specifically identifying which development phases lack traceable TARA activity records. This assessment forms the foundation for designing an agile integration roadmap that preserves existing development culture while systematically building compliance evidence.
2. Sprint-Level TARA Template Deployment: Establish standardized TARA work templates suitable for Sprint-level execution, including asset identification worksheets, threat scenario libraries tailored to common automotive attack vectors (CAN bus injection, OTA update manipulation, V2X communication spoofing), and risk acceptance criteria aligned with ISO/SAE 21434's CVSS-based impact assessment framework. This ensures each Sprint produces auditable cybersecurity documentation without creating excessive process overhead.
3. Organizational Role and Governance Formalization: Formally designate Cybersecurity Manager and Cybersecurity Engineer roles as required under ISO/SAE 21434 Clause 5, and establish a cybersecurity governance structure that integrates with agile project management practices. This organizational foundation is a prerequisite for TISAX AL 2 and AL 3 assessment success and supports the long-term sustainability of the secure-by-design culture the framework aims to build.

Frequently Asked Questions

How disruptive is it to integrate agile methodology into an existing V-model-based automotive development process?

The disruption is manageable if the integration is designed as a progressive overlay rather than a complete replacement. Patil's 2025 framework explicitly positions agile principles as complementary to the V-model structure, preserving the phase-gated discipline that automotive quality systems require while adding iterative TARA and continuous testing within each phase. In practical terms, ISO/SAE 21434 Clauses 9 through 12 define the work products required at each development stage—these remain applicable, but are produced through multiple refinement iterations within Sprint cycles rather than as single-pass outputs. For Taiwan suppliers with established IATF 16949 quality management systems, this integration can be designed to align with existing process audit trails.

What are the most common compliance challenges Taiwan automotive suppliers face when pursuing TISAX certification?

The three most common challenges are documentation traceability, organizational role formalization, and supply chain cybersecurity management. TISAX assessment at AL 2 and AL 3 levels requires suppliers to demonstrate a complete, traceable chain from asset identification through risk treatment decision, supported by ISO/SAE 21434-aligned work products. Many Taiwan suppliers lack this documentation trail because cybersecurity has historically been managed informally. Additionally, ISO/SAE 21434 Clause 5.4 requires a formally designated Cybersecurity Manager, a role that most mid-size Taiwan suppliers have not yet established. Finally, Clause 7 requires documented evaluation of sub-supplier cybersecurity capabilities, which adds complexity for suppliers managing multi-tier supply chains across Taiwan and Southeast Asia.

What are the core TISAX requirements and practical implementation timeline?

TISAX certification is based on the VDA ISA (Information Security Assessment) questionnaire and assessed at three evaluation levels: AL 1 (self-assessment), AL 2 (third-party assessment without on-site audit), and AL 3 (third-party assessment with on-site audit). Most European OEM customers require their Taiwan suppliers to achieve at least AL 2. A typical implementation timeline consists of four phases: gap analysis and current-state assessment (1 to 2 months); management system design and documentation establishment aligned with ISO/SAE 21434 (3 to 4 months); internal audit and mock assessment (2 to 3 months); and formal TISAX assessment application. The total timeline ranges from 7 to 12 months depending on the organization's existing cybersecurity baseline. Planning TISAX and UNECE WP.29 R155 CSMS compliance in parallel is strongly recommended to avoid duplicated effort.

What resources are required to implement iterative TARA within agile Sprint cycles, and what is the expected ROI?

Initial resource investment includes team training (typically 16 to 24 hours of structured cybersecurity engineering training for core development, security, and quality assurance personnel), TARA tooling (which can be initiated with structured spreadsheet templates before transitioning to dedicated tools), and external consulting support for framework design and initial TARA facilitation. The expected return on investment is substantial: industry experience indicates that identifying security defects during early design Sprints rather than during system integration testing reduces remediation costs by 40 to 60 percent. Additionally, the auditable TARA documentation produced as a natural output of Sprint activities directly satisfies ISO/SAE 21434 audit requirements and TISAX assessment evidence needs, reducing the duplicated effort of separate compliance documentation preparation.

Why should Taiwan automotive suppliers choose Winners Consulting Services Co. Ltd. for automotive cybersecurity support?

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is one of Taiwan's few consulting organizations that combines deep ISO/SAE 21434 standard interpretation expertise, TISAX assessment preparation experience, and UNECE WP.29 R155 regulatory analysis capability within a single team. Our consultants continuously monitor developments from NIST, ENISA, and international standards bodies to ensure our guidance reflects the current regulatory environment. We provide end-to-end support from gap diagnosis through mechanism design, documentation establishment, and pre-assessment coaching, with the explicit objective of helping Taiwan automotive suppliers establish sustainable compliance mechanisms—not one-time documentation packages—within 7 to 12 months. Contact us to request a complimentary cybersecurity mechanism diagnostic.

アジャイルとISO/SAE 21434の統合：台湾の自動車サプライヤーがサイバーセキュリティ開発プロセスを刷新すべき理由

積穗科研股份有限公司（Winners Consulting Services Co. Ltd.）は、台湾の自動車ネットワークセキュリティ（AUTO）の専門機関として、2025年にarXivで発表されたPooja Patil氏の論文が提示する重要な洞察に注目している。この研究は、V字モデルを基盤としたISO/SAE 21434の実装にアジャイル手法を統合し、継続的なSecure-by-Design型の自動車サイバーセキュリティ開発を実現するフレームワークを提唱するものであり、TISAX認証やUNECE WP.29 R155法規への対応を進める台湾の自動車サプライヤーにとって、実践的なロードマップを提供している。