02 · Cybersecurity practice

ISO/SAE 21434 + UNECE R155 — overlap with your FuSa case by design.

Adrian Valea holds Automotive Cybersecurity certification from TÜV NORD and has run cybersecurity scope alongside Functional Safety since the 21434 standard was published. We architect the cybersecurity case so it shares evidence with your ISO 26262 safety case rather than duplicating it.

Standards baseline
  • ISO/SAE 21434:2021
  • UNECE R155 (CSMS)
  • UNECE R156 (SUMS / OTA)
  • SAE J3061 (historical reference)
  • ISO 26262 overlap mapping

What we cover

Concept & risk (ISO/SAE 21434 clauses 9, 15)

  • Item definition — cybersecurity scope, asset identification, communication interfaces, attack surface.
  • TARA — Threat Analysis & Risk Assessment per clauses 15.3-15.9. Threat scenarios, attack feasibility (CVSS / clause 15.6), impact rating, risk determination, risk-treatment decision.
  • Cybersecurity goals + claims — derived from TARA outputs; allocated to architectural elements.
  • Cybersecurity assurance level (CAL) — equivalent of ASIL for the cybersecurity domain.

Development phase (clauses 10-13)

  • Cybersecurity requirements at concept, system, hardware and software level.
  • Architectural mitigations — secure boot, message authentication, key management, secure storage, intrusion detection.
  • Verification & validation — security testing, penetration testing, vulnerability analysis.

Operations & CSMS (clauses 7, 8, 14)

  • Cybersecurity Management System — UNECE R155 type-approval prerequisite. Process, roles, evidence catalogue.
  • Monitoring & incident response — vulnerability triage workflow, disclosure handling.
  • Software Update Management System (SUMS) — UNECE R156 conformance. OTA campaign integrity, rollback safety, vehicle communication.

Cross-domain — FuSa + Cyber overlap

We don’t run cybersecurity as a parallel track. Instead, the cybersecurity case shares the item definition, the HSI, the safety-mechanism catalogue, and the verification evidence with the ISO 26262 safety case. This cuts duplication by ~30-40% on average and produces one coherent assessment story for both assessors.

Cyber audit, type-approval, or OTA program?

Tell us which UNECE regulation applies and what your VTA timeline is. We’ll know in 30 minutes whether we can help.