The DIS of ISO21434 treats controls as artifacts that are produced in the development phase of a product. In the concept phase, they are instead called Cybersecurity Goals, which do not yet describe a concrete implementation. Later, once processed further, they turn into Cybersecurity Requirements.

That’s why the TARA and concept chapters (chapters 8 and 9) don’t mention Security Controls. Only the Product Development chapter (chapter 10) works with them (in requirement [RC-10-01]).

We have collected more details on ISO21434 and on TARA.

Got a comment? Want to discuss this further? Feel free to contact me.

What now?

Read more on our insights from reading ISO21434.