The DIS of the ISO21434 considers controls as artifacts that are yielded in the development-phase of a product. In the concept-phase, they are rather called Cybersecurity Goals, which don’t describe the concrete implementation yet. Later when digested they will turn into Cybersecurity Requirements.
That’s why the TARA and concept chapters (chapter 8 and 9) don’t write about Security Controls. Only the Product Development chapter (chapter 10) works with them (in recommendation [RC-10-01]).
Practically, controls are an important input for refining the whole analysis. Since controls themselves introduce assets, their risks shall be assessed as well (requirement [RQ-10-01] c) ). Furthermore, the assets of controls should be included in the existing analysis. Consequently, this saves efforts because it avoids recreating parts of the analysis. That way, a single source of truth can carry the history of decisions throughout the whole lifecycle. As an additional benefit, such setting makes decisions consistent.
We have collected more details on ISO21434 and on TARA.
Got a comment? Want to discuss this further? Feel free to contact me.
Want to discuss further? Feel free to contact the itemis SECURE Team. Otherwise, read more on our insights from reading ISO21434.