From Standards to Strategy: Implementing ISO 21434 and ASPICE for Secure SDVs


Today’s software-defined vehicles (SDVs) have more than 100 million lines of code and can process 25 GB of data per hour. While new technologies enhance functionality and convenience, increased vehicle connectivity also exposes cars to greater cybersecurity risks. And these risks will only grow as vehicles increase their reliance on software (think autonomous mobility).

To address the rise in cyber risks, governments and regulatory bodies have introduced numerous in-vehicle requirements. Compliance with regulations and standards has serious business implications for OEMs of all shapes and sizes. Over the past year, there have been numerous “end of life” announcements from OEMs that considered the efforts required to comply with new cybersecurity regulations for particular models to be excessively complex and costly.

Among the most relevant standards for OEMs are ISO 21434 and ASPICE. Understanding the best way to implement these standards can help OEMs streamline their business and product development.

What Is ISO 21434?

ISO 21434 is a global standard for road vehicle cybersecurity engineering. It specifies engineering requirements for cybersecurity risk management across the concept, product development, production, operation, maintenance, and decommissioning phases of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces. The standard helps protect vehicle and automotive systems by giving guidance on integrating cybersecurity into the road-vehicle product development process.

Although ISO 21434 is not mandatory, it has become the de facto worldwide guideline for implementing a cybersecurity management system (CSMS), as required by UNR 155. The standard provides a detailed framework for meeting the cybersecurity requirements and applies to both OEMs and their suppliers.

What Is ASPICE?

Issued by the German VDA, Automotive SPICE (ASPICE) defines a set of processes and practices that automotive software development organizations should follow to ensure that their software products meet the quality and safety standards required by the industry. ASPICE is a variant of ISO/IEC 15504, an international standard that focuses on the capability and maturity of software development processes.

ASPICE covers the entire software development lifecycle, from requirements elicitation to software testing and validation. Each level of the ASPICE framework has specific process requirements that organizations must meet to achieve compliance. The standard consists of six levels:

  • Level 0 – Incomplete process: The process is not implemented and/or fails to achieve its purpose.
  • Level 1 – Performed process: The process achieves its purpose, but it may not be properly managed.
  • Level 2 – Managed process: The process is planned, tracked, controlled, and quality assured, with adequate resources and defined responsibilities.
  • Level 3 – Established process: The process is implemented using a defined process that is capable of achieving its process outcome(s).
  • Level 4 – Predictable process: The process operates within defined limits to achieve its outcome(s), and detailed measures of the process and its outputs are collected.
  • Level 5 – Optimizing process: The process is continuously improving to meet current and future business goals, with a focus on improving process performance through incremental and innovative changes.

ASPICE assessments are a common component of joint project work between manufacturers and suppliers, covering topics such as system requirements analysis, system architectural design, software requirements analysis, and project management, among others.

Helping OEMs Implement ISO 21434 and ASPICE

Establishing a CSMS and achieving regulatory compliance is a complex and costly effort, requiring automotive cybersecurity knowledge, skilled resources, and purpose-built tools. At the organizational level, OEMs should have processes in place to monitor development and production, including procedures, policies, and strategies aligned with ISO/SAE 21434 quality management requirements.

By adopting a “cybersecurity by design” approach for their CSMS implementations, OEMs can efficiently implement cybersecurity practices across all their processes and phases. Based on our experience in CSMS implementations and our own internal quality processes, here are some tips that can help OEMs streamline their cybersecurity initiatives:

  1. Adopt a “cybersecurity by design” approach. From a quality perspective, cybersecurity shouldn’t be mounted “on top” of functionality. Rather, it should be included as part of the software design process like any other functionality. This is how we work at PlaxidityX. When designing our product, we treat each potential cybersecurity threat as another functional requirement. By treating cybersecurity as part of the system functionality rather than a separate work package, companies can significantly reduce the complexity and time required to conduct the CSMS audit.
  2. Align ASPICE and ISO 21434 for more efficient quality management. Since there are parallel activities and strategies between ISO 21434 and ASPICE, a well-planned CSMS implementation strategy can significantly reduce the overall compliance effort. As noted above, ASPICE establishes a baseline for compliance and continuous improvement in automotive software and systems engineering. When implementing the CSMS, OEMs can extend the baseline strategies, procedures, and processes developed for ASPICE to also cover the cybersecurity aspects (ISO 21434).

    For example, an OEM may already have a support process defined for incident handling (e.g., mechanical malfunction) in ASPICE. This existing document could then be updated to cover cybersecurity incidents. Another example is TARA (Threat Analysis and Risk Assessment), which is not fully covered in ASPICE and would require the creation of an additional document for ISO 21434 compliance.
  3. Leverage cybersecurity know-how. Implementing a CSMS requires a deep and comprehensive understanding of automotive processes, cybersecurity know-how, and proven compliance experience. Using ISO 21434 and ASPICE Level 2 compliant automotive cybersecurity software products can help OEMs accelerate time-to-market for their SDVs, while also lowering development and production costs.
  4. Stay up to date with the evolving regulatory landscape. OEMs require actionable implementation guidance to meet the compliance challenge. Given the complexity of vehicle ecosystems and the growing number of regulations and standards, keeping informed of new regulations and updates and translating the requirements into immediate actions is more critical than ever.

PlaxidityX Processes Are Fully Aligned with ISO 21434 and ASPICE Level 2

Following a comprehensive audit performed by UL Solutions in mid-2025, PlaxidityX received confirmation that it has implemented all the processes required by ISO 21434. The scope of the audit included the following processes: organizational security management, project-dependent cybersecurity management, distributed cybersecurity activities, continual cybersecurity activities, concept, product development, cybersecurity validation, operations and maintenance, end of cybersecurity support and decommissioning, and TARA models.

With respect to ASPICE compliance, PlaxidityX has achieved Level 2 compliance for its onboard vehicle protection products (e.g., Host IDPS, Ethernet IDPS, CAN IDPS), validating that PlaxidityX’s software products are being developed at the highest quality levels using state-of-the-art development processes. The ASPICE Level 2 assessment covered the following processes: Software Requirements Management (SWE.1), Software Requirements Analysis (SWE.2), Software Architectural Design (SWE.3), Software Detailed Design and Unit Construction (SWE.4), Software Unit Verification (SWE.5), Software Integration and Integration Test (SWE.6), Quality Assurance (SUP.1), Configuration Management (SUP.8), Problem Resolution Management (SUP.9), Change Request Management (SUP.10), Project Management (MAN.3).

How PlaxidityX Can Help

OEMs and Tier 1 suppliers have come to understand the need to incorporate software design and cybersecurity as part of the “V-model” across the automotive ecosystem. Accordingly, many OEMs seek to partner with companies that understand both ASPICE and ISO 21434.

In addition to our cybersecurity expertise and numerous CSMS implementation projects with OEMs and Tier 1 suppliers, the PlaxidityX Cyber Research and Solutions department has “hands-on” experience and knowledge in implementing the ISO 21434 and ASPICE standards side-by-side within our own organization. Our proficiency with ASPICE Level 2 and ISO 21434 helps our customers meet global automotive cybersecurity standards. Based on our cybersecurity capabilities and our commitment to the highest development and quality standards, OEMs trust PlaxidityX to secure their vehicles and facilitate compliance with evolving cybersecurity regulations and standards.

Published: October 5th, 2025
