Winners Consulting Services Co., Ltd. highlights that a doctoral research study, using the development process of ISO/SAE 21434 as its field of study, shows that creating an international standard is not only a technical problem but a cross-organizational and cross-cultural "team engineering" challenge. The research found that team structure is the most critical factor in the Input-Process-Outcome (IPO) model of standard development effectiveness, more decisive than process design or resource allocation. For Taiwanese automotive supply chain manufacturers, this implies that success in implementing ISO/SAE 21434 and obtaining TISAX certification often depends on whether the company has established a cybersecurity governance team with cross-functional collaboration capabilities.
Paper Source: Exploring the Factors Promoting Team Effectiveness in the Process of Creating International Technology Standards: A Case Study of ISO/SAE-joint Standard (21434) for Road Vehicle Cybersecurity (Zhang, Hengwei, arXiv, 2020)
Original Link: https://core.ac.uk/download/492551392.pdf
About the Author and This Research
The author of this paper, Zhang Hengwei, is a scholar specializing in technology standardization research. The study was published on the arXiv platform and has accumulated 15 citations (the author's h-index is 2). While the citation count is modest, it reflects a reality: academic work focusing on the standard development process itself is rare. This paper is one of the few in-depth qualitative studies that uses the development history of ISO/SAE 21434 as its case.
The research design is rigorous. Over four months, the author conducted 18 semi-structured individual and group interviews (involving 24 participants) and collected 25 complete questionnaires. The subjects included core participants from both the ISO technical committee and the SAE International working group. This gives the study a unique methodological advantage of directly observing the "birthplace of the standard," rather than relying solely on secondary analysis of public documents. For researchers and corporate implementers, this paper offers a rare "behind-the-scenes perspective" on the organizational dynamics and decision-making trade-offs that shaped the standard's final text.
Core Insight from ISO/SAE 21434 Development: Team Structure Determines Standard Quality
The most significant conclusion of this research is that in the Input-Process-Outcome (IPO) model of international technical standard development, team structure is the primary factor affecting the final standard's quality and development efficiency, taking precedence over technical resources, process design, and the policy environment. The implications of this finding for corporate implementation are more profound than they appear.
Key Finding 1: The "Structural Tension" of Cross-Organizational Collaboration is the Biggest Variable
The study reveals that the first joint standard developed by ISO (headquartered in Geneva) and SAE International (US-based) involved fundamental differences in organizational culture, voting mechanisms, and decision-making pace. This "structural tension" was not merely an obstacle; it was a productive source of friction that contributed to the standard's ultimate breadth and global applicability. Using the IPO framework, the researcher systematically identified multiple factors and sub-components affecting team effectiveness, with role clarity, responsibility allocation, and cross-cultural communication norms repeatedly cited by participants as the most impactful elements.
Notably, the study also introduces the ICO (Input-Choice-Outcome) framework, emphasizing that "choice" is an independent dimension in the standard-setting process. This includes who is included in the working group, which technical routes are prioritized for discussion, and which regional market voices are heard. These selective decisions often determine the final direction and practicality of the standard more than formally defined processes. This provides valuable interpretive context for Taiwanese companies to understand why certain clauses in ISO/SAE 21434 are designed to favor specific implementation methods.
Key Finding 2: "Lessons Learned" Form a Replicable Knowledge System for Standard Development
The research systematically extracts several Lessons Learned from the interview data, offering practical guidance for future international standard development. These lessons include the importance of defining terminology boundaries early, the long-term compliance friction caused by inadequate stakeholder representation, and the significant impact of personnel stability in the drafting team on document consistency. This finding provides a structural explanation for the discrepancies in interpretation and implementation that emerged globally after ISO/SAE 21434 was officially published in 2021.
Implications for Automotive Cybersecurity in Taiwan: From "Standard Adherence" to "Structural Development"
Taiwan's automotive supply chain is at a structural turning point. As Original Equipment Manufacturers (OEMs) increasingly require suppliers to obtain TISAX certification and specify compliance with ISO/SAE 21434 in procurement contracts, the compliance pressure on Taiwanese Tier 1 and Tier 2 manufacturers has escalated from "understanding the standard" to "implementing it effectively."
Zhang's research highlights a core issue often overlooked by Taiwanese companies during implementation: Does the internal cybersecurity governance team have an adequate cross-functional structure? A common model in many mid-sized Taiwanese suppliers is to assign an IT manager to also serve as the cybersecurity officer, supported by a few engineers for documentation. This "linear assignment" organizational design is fundamentally at odds with the cross-departmental collaboration required throughout the vehicle development lifecycle, as envisioned by ISO/SAE 21434.
Specifically, UN Regulation No. 155 (UN R155) under UNECE WP.29 (World Forum for Harmonization of Vehicle Regulations) requires vehicle manufacturers to operate a certified Cyber Security Management System (CSMS) and to demonstrate that cybersecurity risks arising from their suppliers are identified and managed. The regulation binds the vehicle manufacturer, not the supplier directly, but OEMs cascade these obligations contractually down to component suppliers, including those in Taiwan. TISAX (Trusted Information Security Assessment Exchange), operated by the ENX Association as the information security assessment mechanism for the European automotive supply chain, is based on the VDA ISA catalogue, which is itself derived from ISO/IEC 27001 and 27002. Its scope is organizational information security (plus prototype protection and data protection modules), so it overlaps with ISO/SAE 21434 mainly in governance, supplier management, and incident handling rather than in product cybersecurity engineering. Its assessment focuses on the maturity of the Information Security Management System (ISMS), not merely on documentary compliance.
Extrapolating from Zhang's research, if Taiwanese companies want to truly "utilize" ISO/SAE 21434 rather than just "pass" a document review, they must invest at the organizational level in a cybersecurity governance framework with clear roles, distinct responsibilities, and cross-functional integration—the corporate equivalent of the key IPO factors emphasized in the study. It is also worth noting that the role of Standard-Setting Organizations (SSOs), mentioned in the paper, is growing in importance in global AI governance and automotive cybersecurity standards. Taiwanese companies that can establish early connections with these organizations will gain a first-mover advantage in standard interpretation and early compliance strategy.
Furthermore, from a constructive criticism perspective, it is important to note that this research focuses on the standard development process before 2020, prior to the official release of ISO/SAE 21434 in August 2021. This means the study captures the organizational dynamics of the standard's "birth period," not the challenges of its "implementation period." When leveraging these insights, Taiwanese companies need to supplement them with a practical "implementer's perspective." While the standard's structural design reflects the organizational logic of its creation, the implementation path for resource-constrained small and medium-sized Taiwanese suppliers still requires localized consulting support.
Winners Consulting Services Helps Taiwanese Companies Build Automotive Cybersecurity Governance Structures
Winners Consulting Services Co., Ltd. assists Taiwanese automotive supply chain manufacturers in obtaining TISAX certification, implementing the ISO/SAE 21434 standard, and complying with UNECE WP.29 vehicle cybersecurity regulations. Integrating the core insights on team structure from this research, we offer the following concrete recommendations:
- Start with an Organizational Structure Diagnosis: Before initiating the TISAX certification process, assess the degree of cross-functional integration in your existing cybersecurity governance team. Refer to the organizational cybersecurity management requirements in Clause 5 of ISO/SAE 21434 and define a cybersecurity responsibility matrix (RACI) across departments (R&D, QA, Procurement, IT) to avoid the common structural risk of "single-point responsibility, multi-point failure."
- Establish an Internal Knowledge Base for Standard Interpretation: Zhang's research shows that "selective decisions" during standard development profoundly influence the logic of its clauses. Companies should invest in creating internal standard interpretation documents that record the design intent behind each ISO/SAE 21434 control measure, rather than merely performing superficial compliance checks. Winners Consulting Services offers standard interpretation workshops to help companies build a sustainable corporate knowledge asset for compliance.
- Use TISAX Certification as a Milestone, Aim for Continuous Compliance: A TISAX label (valid for three years from the assessment) should not be the end goal but the starting point for building long-term cybersecurity capability. Drawing on the continuous improvement cycle familiar from management systems such as ISO 56001 (innovation management), we recommend that companies begin the next compliance optimization cycle immediately after certification, in particular by establishing a mechanism to respond to the ongoing monitoring and update obligations that UN R155 places on a CSMS.
Winners Consulting Services Co., Ltd. offers a free automotive cybersecurity mechanism diagnosis to help Taiwanese companies establish a TISAX-compliant management system within 7 to 12 months.
Frequently Asked Questions
- What practical help does research on the ISO/SAE 21434 development process offer for corporate implementation?
- Understanding the standard's design logic is crucial for correctly interpreting its requirements. Zhang's research reveals that the structure of ISO/SAE 21434 was heavily influenced by the organizational and cultural negotiations between ISO and SAE. The flexibility in certain clauses, such as Clause 15 on Threat Analysis and Risk Assessment (TARA) methods, was intentionally designed to accommodate different industry practices in Europe and the US. By understanding this context, Taiwanese companies can develop better-justified interpretations in their compliance documentation. Winners Consulting Services recommends conducting a 'Standard Intent Analysis' workshop during the initial implementation phase to build a sustainable corporate knowledge asset for compliance.
- What are the most common organizational structure challenges Taiwanese companies face when implementing TISAX?
- The most common challenge is the 'responsibility silo,' where cybersecurity is treated solely as an IT department duty rather than a function integrated throughout the product development lifecycle. The TISAX VDA ISA catalogue requires an Information Security Management System (ISMS) to cover multiple dimensions, including supplier management, physical security, and personnel security. This aligns closely with the organizational cybersecurity management requirements in Clause 5 of ISO/SAE 21434. Based on our consulting experience, Taiwanese Tier 1 suppliers typically need a 3 to 6-month organizational redesign period to establish a governance framework that meets TISAX Assessment Level 2 requirements. We advise planning for this adjustment phase early.
- What are the core requirements of TISAX certification, and how long does implementation take?
- The core of TISAX certification is the VDA ISA (Information Security Assessment) questionnaire, which covers 13 control domains including information security policies, access control, incident management, and supplier management. Assessment Level 2 (AL2) is a plausibility check of the company's self-assessment by an accredited audit provider, typically conducted remotely, while Assessment Level 3 (AL3) is a comprehensive on-site assessment. Note that TISAX formally issues labels rather than certificates; the labels are shared with partners through the ENX exchange platform and are valid for three years. These requirements overlap with the CSMS demands of UN R155, particularly in supply chain risk management and incident response. On average, it takes Taiwanese companies 9 to 12 months to progress from a gap analysis to completing Level 2 certification. This timeline can be shortened to 6 to 9 months if the organization already holds ISO 27001 certification.
- What resources are needed to implement ISO/SAE 21434 and TISAX, and what are the expected benefits?
- The resources required vary by company size. For a mid-sized Taiwanese auto parts supplier (200-500 employees), implementation typically involves consulting fees, the equivalent of 1 to 2 full-time employees dedicated for 12 months, and costs for system and tool deployment. The primary benefit is that TISAX certification grants direct access to the supply chains of major European OEMs, as clients like the BMW and Volkswagen Groups have made it a mandatory supplier requirement. In the long term, a systematic cybersecurity governance framework reduces the cost of security incidents. The average cost of a single incident in the global automotive industry now exceeds NT$30 million, making the return on investment significant.
- Why choose Winners Consulting Services for automotive cybersecurity (AUTO) matters?
- Winners Consulting Services Co., Ltd. is one of the few professional consulting firms in Taiwan with expertise in ISO/SAE 21434 implementation, TISAX certification consulting, and UNECE WP.29 regulatory interpretation. Our team combines practical automotive industry experience with international certification knowledge to help Taiwanese suppliers build sustainable cybersecurity governance from a business perspective. We serve suppliers from Tier 1 to Tier 3, offering a full range of services from free initial diagnostics to comprehensive certification guidance. We also provide post-certification support to ensure our clients maintain a stable level of compliance across multiple certification cycles.