How does ISO21434 relate to ISO31000?
ISO21434 requires ISO31000 to be fulfilled (Source: Requirement RQ-05-10 in Clause 5). Their vocabulary is naturally compatible, with minor differences in two terms: risk and stakeholder. First, ISO31000 includes positive consequences in a “risk”, which ISO21434 does not. Second, ISO31000 has a quite inclusive definition of “stakeholder”, which ISO21434 limits to those that may suffer damage. In general, ISO31000 introduces top-down risk management across industries and scopes. For that, it requires an iterative process, which is reminiscent of the phases plan, do, check, and act as they appear in the Deming cycle. In ISO31000, risk management is considered a leadership effort.
Here is an overview of the definitions of terms that appear in both norms:
|Term|ISO31000|ISO21434|
|---|---|---|
|Control|“measure that maintains and/or modifies risk”|“measure that is modifying risk”|
|Risk management|“coordinated activities to direct and control an organization with regard to risk” (definitions are the same)|“Coordinated activities to direct and control an organization with regard to risk” (definitions are the same even though the DIS of 21434 says it was “Modified from SOURCE of ISO31000:2018”)|
|Risk|“effect of uncertainty on objectives”|“Effect of uncertainty on road vehicle cybersecurity expressed in terms of attack feasibility and impact”|
|Stakeholder|“person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity”|“Person or organization that can be affected by a damage scenario”|
Differences in Terminology
While they are mostly compatible, ISO21434 introduces some terms that require some thought to map to ISO31000. Let’s talk about risks first and then about stakeholders.
In ISO31000, a risk is an “effect of uncertainty on objectives”. It is “Usually expressed in terms of […], their consequences and their likelihood”.
In ISO21434, a risk is an “Effect of uncertainty on road vehicle cybersecurity expressed in terms of attack feasibility and impact”.
As we can see, the ISO31000 consequences are called impact in ISO21434. Notably, ISO31000 includes positive consequences, whereas ISO21434 focuses only on undesirable results, also known as damage.
Also, ISO31000 defines likelihood as a “chance of something happening”, describable subjectively, qualitatively or even quantitatively. Correspondingly, ISO21434 calls it attack feasibility, an attribute of each attack path that describes how easy it is to carry out such an attack. In Appendix I, ISO21434 refers to ISO/IEC 18045 here. It suggests five core parameters that are used to determine the attack feasibility. The five parameters are: elapsed time, expertise, equipment, knowledge of the item or component, and window of opportunity. For each parameter, it suggests well-defined yet rather qualitative levels.
In ISO31000, a stakeholder is a “person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity”. Peculiarly, ISO31000 counts as stakeholders both those who affect an activity and those who merely perceive themselves to be affected by it. As a result, the persons that “can affect” an activity would include the attacker, whom we would not commonly consider a stakeholder when talking about security. That may be why ISO21434 doesn’t include those who affect the activity:
ISO21434 defines a stakeholder as a “Person or organization that can be affected by a damage scenario”. Consequently, ISO21434 chooses to define it based on who suffers, including end-customers.
As this comparison shows, there are two major differences between the two norms. First, ISO21434 focuses only on undesired effects of risks. Second, ISO21434 stakeholders are narrowed down to people or organizations that may actually be damaged. I think these two differences may come from the fact that 21434 is focused on the automotive domain and on the scope of cybersecurity.