ISO/SAE 21434:2021 官方目次 (Table of Contents)
來源:ISO/SAE FDIS 21434 公開預覽(iteh.ai 樣本,與正式版 ISO/SAE 21434:2021 結構一致)。
正式版 ISO OBP 入口:https://www.iso.org/obp/ui/en/#iso:std:iso-sae:21434:ed-1:v1:en
此頁僅整理目次,非完整條文。要查實際要求請取得官方標準。
文件結構
- Foreword(前言)
- Introduction(導論)
- 1 Scope(範圍)
- 2 Normative references(規範性引用)
- 3 Terms, definitions and abbreviated terms(術語、定義與縮寫)
- 4 General considerations(一般考量)
- 5–15 主體要求條款
- Annex A–H 附錄(全部 informative)
- Bibliography(參考書目)
Clause 詳細目次
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
- 3.1 Terms and definitions
- 3.2 Abbreviated terms
4 General considerations
5 Organizational cybersecurity management
- 5.1 General
- 5.2 Objectives
- 5.3 Inputs
- 5.3.1 Prerequisites
- 5.3.2 Further supporting information
- 5.4 Requirements and recommendations
- 5.4.1 Cybersecurity governance
- 5.4.2 Cybersecurity culture
- 5.4.3 Information sharing
- 5.4.4 Management systems
- 5.4.5 Tool management
- 5.4.6 Information security management
- 5.4.7 Organizational cybersecurity audit
- 5.5 Work products
6 Project dependent cybersecurity management
- 6.1 General
- 6.2 Objectives
- 6.3 Inputs
- 6.3.1 Prerequisites
- 6.3.2 Further supporting information
- 6.4 Requirements and recommendations
- 6.4.1 Cybersecurity responsibilities
- 6.4.2 Cybersecurity planning
- 6.4.3 Tailoring
- 6.4.4 Reuse
- 6.4.5 Component out-of-context
- 6.4.6 Off-the-shelf component
- 6.4.7 Cybersecurity case
- 6.4.8 Cybersecurity assessment
- 6.4.9 Release for post-development
- 6.5 Work products
7 Distributed cybersecurity activities
- 7.1 General
- 7.2 Objectives
- 7.3 Inputs
- 7.4 Requirements and recommendations
- 7.4.1 Supplier capability
- 7.4.2 Request for quotation
- 7.4.3 Alignment of responsibilities
- 7.5 Work products
8 Continual cybersecurity activities
- 8.1 General
- 8.2 Objectives
- 8.3 Cybersecurity monitoring
- 8.3.1 Inputs
- 8.3.2 Requirements and recommendations
- 8.3.3 Work products
- 8.4 Cybersecurity event evaluation
- 8.4.1 Inputs
- 8.4.2 Requirements and recommendations
- 8.4.3 Work products
- 8.5 Vulnerability analysis
- 8.5.1 Inputs
- 8.5.2 Requirements and recommendations
- 8.5.3 Work products
- 8.6 Vulnerability management
- 8.6.1 Inputs
- 8.6.2 Requirements and recommendations
- 8.6.3 Work products
9 Concept
- 9.1 General
- 9.2 Objectives
- 9.3 Item definition
- 9.3.1 Inputs
- 9.3.2 Requirements and recommendations
- 9.3.3 Work products
- 9.4 Cybersecurity goals
- 9.4.1 Inputs
- 9.4.2 Requirements and recommendations
- 9.4.3 Work products
- 9.5 Cybersecurity concept
- 9.5.1 Inputs
- 9.5.2 Requirements and recommendations
- 9.5.3 Work products
Cybersecurity Claims 在哪?
Claims 不是獨立節,而是 9.4 Cybersecurity goals 的產出之一。對於選擇 sharing/retaining 處置的風險,會以 Cybersecurity Claim 形式記錄(屬於 9.4.3 Work products 範圍)。
10 Product development
- 10.1 General
- 10.2 Objectives
- 10.3 Inputs
- 10.3.1 Prerequisites
- 10.3.2 Further supporting information
- 10.4 Requirements and recommendations
- 10.4.1 Design
- 10.4.2 Integration and verification
- 10.5 Work products
11 Cybersecurity validation
- 11.1 General
- 11.2 Objectives
- 11.3 Inputs
- 11.3.1 Prerequisites
- 11.3.2 Further supporting information
- 11.4 Requirements and recommendations
- 11.5 Work products
12 Production
- 12.1 General
- 12.2 Objectives
- 12.3 Inputs
- 12.3.1 Prerequisites
- 12.3.2 Further supporting information
- 12.4 Requirements and recommendations
- 12.5 Work products
13 Operations and maintenance
- 13.1 General
- 13.2 Objectives
- 13.3 Cybersecurity incident response
- 13.3.1 Inputs
- 13.3.2 Requirements and recommendations
- 13.3.3 Work products
- 13.4 Updates
- 13.4.1 Inputs
- 13.4.2 Requirements and recommendations
- 13.4.3 Work products
14 End of cybersecurity support and decommissioning
- 14.1 General
- 14.2 Objectives
- 14.3 End of cybersecurity support
- 14.3.1 Inputs
- 14.3.2 Requirements and recommendations
- 14.3.3 Work products
- 14.4 Decommissioning
- 14.4.1 Inputs
- 14.4.2 Requirements and recommendations
- 14.4.3 Work products
15 Threat analysis and risk assessment methods
- 15.1 General
- 15.2 Objectives
- 15.3 Asset identification
- 15.3.1 Inputs
- 15.3.2 Requirements and recommendations
- 15.3.3 Work products
- 15.4 Threat scenario identification
- 15.4.1 Inputs
- 15.4.2 Requirements and recommendations
- 15.4.3 Work products
- 15.5 Impact rating
- 15.5.1 Inputs
- 15.5.2 Requirements and recommendations
- 15.5.3 Work products
- 15.6 Attack path analysis
- 15.6.1 Inputs
- 15.6.2 Requirements and recommendations
- 15.6.3 Work products
- 15.7 Attack feasibility rating
- 15.7.1 Inputs
- 15.7.2 Requirements and recommendations
- 15.7.3 Work products
- 15.8 Risk value determination
- 15.8.1 Inputs
- 15.8.2 Requirements and recommendations
- 15.8.3 Work products
- 15.9 Risk treatment decision
- 15.9.1 Inputs
- 15.9.2 Requirements and recommendations
- 15.9.3 Work products
Annexes(全部 informative)
| Annex | 標題 | 對應筆記 |
|---|---|---|
| A | Summary of cybersecurity activities and work products | 跨章節 WP 對照 |
| B | Examples of cybersecurity culture | 02-Organizational-Management/02-Cybersecurity-Culture |
| C | Example of Cybersecurity interface agreement template | 04-Distributed-CS-Activities/02-Cybersecurity-Interface-Agreement |
| D | Cybersecurity relevance – example methods and criteria | 03-Project-Dependent/03-Tailoring |
| E | Cybersecurity assurance levels | 13-Annexes-Tools/01-CAL-Cybersecurity-Assurance-Level ⭐ |
| F | Guidelines for impact rating | 12-TARA-Methods/04-Impact-Rating |
| G | Guidelines for attack feasibility rating | 12-TARA-Methods/06-Attack-Feasibility-Rating ⭐ |
| H | Examples of application of TARA methods – headlamp system | 12-TARA-Methods/01-TARA-Overview |
⭐ = 高頻考題
Bibliography
位於文件末頁,列出規範引用以外的延伸參考文獻(含 ISO 26262 系列、SAE J3061 等)。
編號慣例(Provisions & Work Products)
ISO/SAE 21434 為條款內容指派唯一識別碼:
| 縮寫 | 全稱 | 性質 |
|---|---|---|
| RQ | Requirement | shall — 必須 |
| RC | Recommendation | should — 建議 |
| PM | Permission | may — 允許 |
| WP | Work Product | 活動的具體產出(文件) |
格式:[XX-NN-MM]
- XX:類別縮寫
- NN:所屬 Clause(兩位數)
- MM:在該 Clause 內的順序
範例:[RQ-05-14] = Clause 5 的第 14 條 Requirement;[WP-09-03] = Clause 9 的第 3 個 Work Product。