Winners Consulting Services Co., Ltd. points out that a significant 2023 study published on arXiv reveals systemic gaps in the ISO/SAE 21434 standard regarding cross-supply chain coordination for TARA management and vulnerability/incident handling processes. The paper proposes 13 new term definitions, 4 new process steps, and one complete new process as a supplementary solution. This offers immediately actionable insights for Taiwanese automotive suppliers currently implementing ISO/SAE 21434 or preparing for TISAX certification.
Source: Gap analysis of ISO/SAE 21434 – Improving the automotive cybersecurity engineering life cycle (Almgren, Magnus; Grimm, Daniel; Lautenbach, Aljoscha, arXiv, 2023)
Original Link: https://core.ac.uk/download/571662797.pdf
About the Authors and This Research
This paper was co-authored by three researchers: Magnus Almgren, Daniel Grimm, and Aljoscha Lautenbach. Almgren has a long-standing focus on industrial control systems and vehicle cybersecurity, with considerable citation impact in academia. Grimm and Lautenbach bring practical industry experience, having been involved in the actual implementation of automotive cybersecurity standards. The cross-disciplinary combination of these three authors allows the study to balance academic rigor with on-the-ground applicability, rather than being a purely theoretical exercise.
This research was published in 2023, a critical time in which the global automotive industry was actively responding to the requirements of UNECE WP.29 (United Nations World Forum for Harmonization of Vehicle Regulations) R155. Since ISO/SAE 21434 was officially released in 2021, major Original Equipment Manufacturers (OEMs) and Tier 1 suppliers have rapidly cascaded the standard's requirements down the supply chain, creating unprecedented compliance pressure. This paper fills a gap in understanding that practitioners had not yet addressed systematically.
Systemic Gaps in ISO/SAE 21434: The Dual Challenges of TARA Management and Incident Handling
The research directly addresses the industry's two most challenging pain points: first, how to consistently manage the results of Threat Analysis and Risk Assessment (TARA) across different systems and lifecycle stages; and second, how to mature the vulnerability and incident handling processes to a level comparable with the IT security domain. Through a systematic gap analysis, the authors meticulously review the existing ISO/SAE 21434 framework and compare it against mature standards in IT security (such as CVSS, ISO/IEC 27035), proposing specific remedies.
Key Finding 1: TARA Management Lacks a Cross-Supply Chain Coordination Mechanism
Although ISO/SAE 21434 requires performing Threat Analysis and Risk Assessment during the concept and development phases, the current standard lacks clear guidelines on how to transfer, update, and integrate TARA results between different supplier tiers. The study points out that when a vehicle involves tens or even hundreds of suppliers, the TARA reports completed separately at each tier often become information silos, preventing effective risk aggregation and reassessment at the system integration level. To address this, the paper proposes a dedicated 'TARA Management Process,' defining a standard interface for cross-system information exchange and adding 4 new process steps to ensure TARA information can flow vertically and be integrated horizontally across the supply chain. This offers direct architectural guidance for many Taiwanese Tier 1 and Tier 2 suppliers who serve multiple OEM clients.
Key Finding 2: Significant Discrepancies Exist Between Vulnerability/Incident Handling Processes and IT Security Best Practices
The research finds that compared to established standards in the IT security field (like NIST SP 800-61, ISO/IEC 27035), the design of the cybersecurity incident handling process in ISO/SAE 21434 has clear deficiencies in areas such as incident classification, response trigger conditions, and cross-organizational notification mechanisms. Specifically, the paper identifies 13 new term definitions that need to be added, many of which relate to the logic for assessing vulnerability severity and prioritizing responses in vehicle-specific contexts. Furthermore, the authors propose 2 amendments to existing process steps and a complete new process for vehicle cybersecurity incidents—an area almost entirely absent in the original standard. Notably, with the rise of Connected Vehicles, the importance of incident handling in the later stages of the vehicle lifecycle (post-production) is rapidly increasing, which is precisely where the current standard is weakest.
Constructive Critique: Methodological Limitations and Gaps in Taiwanese Practice
The contribution of this research is real and concrete, but as reviewers, Winners Consulting Services must also point out several methodological boundaries for readers to consider. First, the paper's gap analysis is implicitly based on the organizational structures and OEM-dominated supply chains of the European automotive industry. Taiwanese suppliers differ fundamentally in organizational scale, resource allocation, and customer relationship structures, so direct application of the paper's recommendations requires localization. Second, the 13 new term definitions and 4 new process steps proposed have not yet been formally adopted by ISO/SAE 21434. Companies should be cautious when citing them in compliance documents, labeling them as 'best practice recommendations' rather than current regulatory requirements. Third, the paper offers limited discussion on how smaller suppliers (like many of Taiwan's small and medium-sized auto parts manufacturers) can implement these enhancements in stages with limited resources—this is precisely where Winners Consulting Services continues to build its value through practical consulting methodologies.
Three Key Implications for Automotive Cybersecurity Practices in Taiwan
Taiwanese automotive suppliers are facing simultaneous pressure from European clients for TISAX certification and from global OEMs cascading ISO/SAE 21434 compliance requirements based on UNECE WP.29 R155/R156. This paper's findings have three specific layers of meaning for Taiwanese companies:
First: Re-evaluate the 'lifecycle validity' of TARA documents. Many Taiwanese suppliers complete their TARA during the concept phase and then archive it as a static document. The paper's findings clearly show that this approach falls short of the intent of ISO/SAE 21434. TARA should be a living document, continuously updated throughout the product lifecycle, especially when new CVE vulnerabilities are disclosed or the system architecture changes. There must be a clearly defined trigger mechanism for TARA updates.
Second: Strengthen post-production incident response capabilities. The IS (Information Security) assessment in TISAX certification and the requirements for the post-production phase in Clauses 12 to 15 of ISO/SAE 21434 are often glossed over by Taiwanese companies with the logic that 'the product has been delivered to the customer, so subsequent responsibility lies with the OEM.' The paper clearly reveals this is a systemic weakness across the industry. Taiwanese suppliers should proactively clarify incident notification responsibilities and boundaries in their contracts with OEMs and establish a basic Product Security Incident Response Team (PSIRT) mechanism.
Third: Establish a standardized interface for cybersecurity information exchange within the supply chain. Taiwanese suppliers often serve different clients, each with varying requirements for TARA formats and risk rating methods. The TARA management process framework proposed in the paper can serve as a theoretical basis for Taiwanese firms to build a 'reusable across clients' TARA management architecture, fundamentally reducing the cost of redundant work.
How Winners Consulting Services Helps Taiwanese Companies Implement These Insights
Winners Consulting Services Co., Ltd. assists Taiwanese automotive suppliers in achieving TISAX certification, implementing the ISO/SAE 21434 standard, and complying with UNECE WP.29 vehicle cybersecurity regulations. To address the two major systemic gaps revealed in this paper, Winners Consulting Services provides the following specific support:
- TARA Lifecycle Management System Implementation: Based on Clause 15 of ISO/SAE 21434 and the TARA management process framework proposed in this paper, we help companies establish TARA update triggers, version control processes, and cross-supply chain information exchange interfaces. This ensures TARA documents remain valid throughout the product lifecycle and can meet the differentiated requirements of multiple OEM clients.
- Post-Production Cybersecurity Incident Response Capability Building: We assist Taiwanese suppliers in establishing a lightweight PSIRT mechanism, including an incident classification matrix, response trigger definitions, and the design of notification interfaces with OEM clients. This fills the practical implementation gap in ISO/SAE 21434's vulnerability and incident handling processes. A foundational system can be established within 90 days.
- TISAX Certification Gap Diagnosis and Rapid Enhancement: Combining the paper's gap analysis methodology with our local practical experience in Taiwan, we provide companies with a precise gap report comparing their existing security mechanisms against TISAX assessment criteria. We then develop a 7- to 12-month phased enhancement roadmap to prevent companies from discovering critical deficiencies just before the assessment.
Winners Consulting Services Co., Ltd. offers a free automotive cybersecurity mechanism diagnosis to help Taiwanese companies establish a TISAX-compliant management system within 7 to 12 months.
Frequently Asked Questions
- What are the practical challenges of ISO/SAE 21434's TARA requirements in cross-supply chain management?
- The primary challenge is the lack of specific guidance on how to transfer and integrate Threat Analysis and Risk Assessment (TARA) results between Tier 1 and Tier 2 suppliers, despite Clause 9 of ISO/SAE 21434 mandating its execution. A 2023 gap analysis paper highlights that this creates information silos at each node of the supply chain, preventing effective risk aggregation at the system integration level. For Taiwanese suppliers, the most common issues are uncertainty about the required format for delivering TARA to OEM clients and whether their own TARA needs updating when upstream system architecture changes. It is recommended that suppliers confirm TARA delivery interface specifications with clients during the contracting phase and establish a version control system to ensure TARA functions as a living document, not a static report.
- What are the most common compliance deficiencies for Taiwanese companies in vulnerability and incident handling processes when implementing TISAX?
- The most common deficiency is the lack of a formalized Product Security Incident Response Team (PSIRT) and documented processes for vulnerability and incident handling. Many Taiwanese suppliers have not documented their procedures for monitoring and reporting CVE vulnerabilities and lack a clear incident notification interface with their OEM clients, which is a frequent area of non-compliance in TISAX assessments. According to the TISAX VDA ISA criteria and ISO/SAE 21434 Clauses 14-15, companies must demonstrate a systematic process for vulnerability identification, risk rating, and response. The gap analysis paper further notes that the standard's incident severity classification lags behind IT security best practices. Taiwanese firms can enhance their processes by referencing frameworks like NIST SP 800-61 and ensuring all related procedural documents are ready before the TISAX assessment.
- What are the core requirements of TISAX certification, and how should Taiwanese companies plan for a 12-month implementation timeline?
- TISAX's core requirements, based on ISO 27001, cover three main areas: information security management, prototype protection, and connected systems security, with assessment levels AL2 and AL3. For a 12-month implementation, Taiwanese suppliers should plan as follows: spend the first 3 months on a current-state diagnosis and gap analysis; the next 6 months on system implementation, documentation, and staff training; and the final 3 months on internal audits and assessment preparation. If a company already has an ISO 27001 certification, this timeline can potentially be shortened to 7-9 months. Key success factors include strong commitment from top management, dedicated resource allocation, and a correct understanding of automotive-specific contexts like UNECE WP.29 R155, rather than simply applying a generic IT security framework.
- What resources are actually required to establish a post-production cybersecurity incident response mechanism compliant with ISO/SAE 21434?
- Establishing a foundational post-production cybersecurity incident handling mechanism compliant with ISO/SAE 21434 typically requires one to two dedicated staff members and a 90-day focused implementation period for a mid-sized Taiwanese automotive supplier with 100-500 employees. Based on Winners Consulting Services' practical experience, core tasks include drafting a PSIRT charter, creating an incident classification matrix, designing a vulnerability monitoring process, documenting external notification interfaces (including OEM communication protocols), and conducting at least one tabletop exercise to validate the process. If implemented concurrently with TISAX certification efforts, the marginal cost can be significantly reduced, as the overlapping documentation allows for an integrated plan that can cut redundant work by 30% to 40%.
- Why choose Winners Consulting Services for assistance with automotive cybersecurity (AUTO) issues?
- Winners Consulting Services Co., Ltd. specializes in guiding Taiwan's automotive suppliers through TISAX certification and ISO/SAE 21434 compliance, with a deep understanding of how small and medium-sized enterprises can achieve compliance in stages with limited resources. Our core strengths include integrating the TISAX assessment framework, ISO/SAE 21434 technical requirements, and the UNECE WP.29 regulatory context to provide a coherent compliance roadmap. Our methodology balances academic rigor with practical applicability, ensuring clients not only pass assessments but also build sustainable cybersecurity management capabilities. We offer end-to-end support, from gap analysis and system design to documentation and assessment accompaniment, starting with a complimentary mechanism diagnosis.