Gen 11

How to successfully pass a UN R155 CSMS audit: Best practice and recommendations

UN R155 CSMS audit

In line with the requirements of UN Regulation No. 155, the implementation and application of a Cybersecurity Management System (CSMS for short) forms the basis for cybersecurity in the vehicle – for the entire lifecycle. At least every three years, the Original Equipment Manufacturer (OEM) must have its established CSMS audited and provide evidence of fulfilment of the requirements with a Certificate of Compliance. How does a vehicle manufacturer pass such a CSMS audit? We answer this question below.

At present, measures to establish and expand cybersecurity around the vehicle are to a large extent still in the very early stages. While the major car manufacturers with their huge fleets began building up resources around CSMS as a field of action already years ago, smaller and niche OEMs are facing a different situation.

With the scope of UN R155 also covering semi-trailers, trailers and other special vehicles (ambulances, waste disposal, fire brigades and more) as well as UN R155 becoming applicable to motorbikes from July 2029, the range of organizations affected by CSMS is huge.

Management commitment as a catalyst

Consequently, many cybersecurity managers find themselves in a situation in which the mobilization of resources for the CSMS and the associated audit must be initiated before anything else.

The far-reaching impact of UN R155 and the special priority due to the relevance of the type approval must be fully understood at management level.

It should be made clear at management level that CSMS compliance is not just about adhering to a legally binding regulation with regard to the UNECE sales markets, but rather that the benefits of cybersecurity as a driver for the vehicle business should be recognized in general. It is about the proper set-up of cybersecurity as a driver for scalability and quality as well as opportunities for market outreach with cybersecurity as a competitive advantage.

The goal should be to provide adequate resources and budgets for the implementation and maintenance of the CSMS in the organization.

Establish working groups, steering committees, expert groups, etc.

However you want to label it, the management of a CSMS audit requires the establishment of a dedicated team to coordinate and monitor the entire audit process from start to finish.

It is essential to ensure proper information flows, effective communication and co-operation between all stakeholders involved.

Due to the breadth and depth of the functions involved in the CSMS – in our experience, this generally ranges from HR to the entire development, production and after-sales departments (and beyond) – the successful involvement of all parties within the organization across divisional and departmental boundaries plays a particularly important role.

Equally important is the efficient exchange with the auditing organization or the authority involved, usually a national authority such as the Federal Motor Transport Authority (KBA) in Germany.

CSMS: So, where do we actually stand?

Where does your own organization stand with the CSMS? In light of the fact that there is no “one solution”, but that organization-specific solutions must always be found when setting up a CSMS in order to meet the general requirements, it is often not trivial to be able to make definitive statements about the maturity level of a CSMS.

Nevertheless, it is essential that this assessment is carried out collectively in preparation for an audit.

Gap analyses or pre-audits (both in a systematic self-assessment as well as by mandating third parties) can be carried out here in order to compare the current status of the CSMS against the requirements of UN R155 and, if necessary, identify gaps and/or suggest possible solutions.

Once again, it is important to involve all stakeholders involved as much as possible in order to achieve a meaningful result.

A results report should then be used to draw up a clear and realistic action plan in which targets/milestones, corresponding scopes, deadlines, responsibilities and the resources required to eliminate the deficits and introduce adequate solutions are identified.

Laying the foundations for a CSMS + Analysis of documentation

As in any management system, the CSMS is also defined by the fact that it is closely interlinked with a number of existing guidelines, processes, responsibilities, procedures and roles.

It is important to have the relevant policies, objectives and strategies at hand for questions regarding the ensuring of cybersecurity. These should include a reflection of the management’s commitment and the necessities of quality management with regard to monitoring and improvement as well as evidence of expertise and capability. (More on this in our blog article: How to establish a CSMS in accordance with UN R155? A short, practical guide)

Special importance of documentation

It is never too early to initiate a review of existing records, documentation and evidence in line with the requirements of the CSMS. All too often, far-reaching updates and enhancements are necessary.

Especially since we are touching product development, security in engineering, testing and validation, incident management, continuous cybersecurity activities as well as quality and risk management.

There should be no doubt about the completeness and accuracy of the process documentations in all phases and aspects of the vehicle’s entire product lifecycle, especially in terms of consistency and traceability.

The following principle must apply here: What is not documented does not count. An evidence-based approach applies to both the audit and the type approval.

Detailed preparation for the audited functions and roles

It quickly becomes clear that the interdisciplinarity mentioned above makes it essential to include a number of stakeholders related to the CSMS.

In concrete terms, all relevant stakeholders should be informed in advance in workshops and preparation meetings about which information and evidence is required for the audit in order to achieve overall compliance with the requirements of the CSMS as an organization.

These workshops and the dialogue with the colleagues involved should generally be recorded so that the documentation obligations relating to the active maintenance of the CSMS can be met as a whole.

In practice, it is also advisable to train general cooperation with auditors. Not everyone involved has the necessary level of experience to be able to adequately interact with auditors. This is also relevant due to the fact that audits can take place in very different ways depending on the technical service involved.

Prepare the coordination with the authorities

With the aforementioned team for overall coordination, a central main contact person should be designated who takes over all communications and collaborations with the authority/institution involved, that is responsible for issuing the certificate for CSMS or conducting the audit as part of the type approval process.

Experience has shown that this does not necessarily have to be a cybersecurity manager; this can also be assigned to a member of the homologation team.

The designated contact person should initiate the dialogue at an early stage in order to be able to schedule the audits with sufficient time in advance.

In parallel, the central coordination between internal CSMS stakeholders and the authority/institution should be carried out in order to be able to harmonize the information and documents required for the audit as well as the preparation of the interviews.

In particular, the possibility of anticipating concerns and questions during this preparation should be utilized.

The auditing organization is usually very willing to provide guidance and instruction, as CSMS audits are still new territory for both sides.

First: Review the maturity level for the CSMS audit in advance

In any case, the vehicle manufacturer should always simulate the whole process in advance before the actual audit, for example in a pre-audit or with a trial audit.

This way, details regarding the correctness and appropriateness of the implementation of the CSMS can be systematically assessed in advance.

A pre-audit can also provide an opportunity to review completed documents and get to know the auditing organization and its priorities better – especially as there is no uniform guideline for UN R155 auditing.

In particular, the completeness and accuracy of the records in accordance with the UN R155 requirements should be carefully checked and evaluated to ensure that the documents and information provided are correct, accurate and easily accessible to the auditor.

Any deficiencies or potential risks that are identified at this point should be resolved accordingly in order to prevent any negative impact on the actual audit.

It is also advisable to anticipate emergency measures in advance as best as possible in case an unforeseen event occurs during the audit.

Bonus: Cybersecurity in day-to-day work + culture

Even though the CSMS audit can be seen as a very formal process around the type approval procedure, the immense importance of a strong cybersecurity culture in the organization can have a significant impact on the success of the audit. This should not be underestimated.

The awareness and understanding of security as an essential dimension of the product vehicle and the careful examination of security risks and practices at all levels make a significant difference to the extent to which cybersecurity is put into practice.

This becomes particularly clear in possible deficits due to deviations between processes and what is written on paper, and the reality of everyday working life, in which guidelines may be insufficiently observed and complied with.

Since auditors consider precisely these issues when assessing the effective implementation and application of the CSMS, sufficient priority should be given to fostering a culture that calls for cybersecurity compliance in everyday life. 

Especially because a strong cybersecurity culture is an essential component of an effective cybersecurity strategy and, as an aspect specifically required by ISO/SAE 21434 and UN R155, contributes to fulfilling the requirements of an organization’s cybersecurity.

Getting started

According to a PWC report, CSMS implementation takes around 30 months on average (Global Automotive CSMS Survey, 2022). At least 6-9 months can be estimated for the entire auditing process – with differences at national level always being taken into account.

The following therefore applies: Start the conceptualization early.

Feel free to get in touch with our international consulting teams to discuss your specific scenario.

Sign up for our CYRES Consulting Automotive Cybersecurity Newsletter

Stay informed! Receive regular insights into current topics related to cybersecurity in the automotive industry directly to your inbox.

Sign up here for the newsletter, free of charge and with no obligations.

X