
Mapping between ISO/PAS 5112 Annex A and the ISO/SAE 21434 work products (WPs)

Audit questionnaire

Evidence examples

A.2.1 Cybersecurity management

Q1.1 Are cybersecurity policy, rules and processes defined?

[WP-05-01] Cybersecurity policy, rules and processes

Q1.2 Are cybersecurity-relevant processes managed?

[WP-05-01] Cybersecurity policy, rules and processes
[WP-05-03] Evidence of organization’s management systems
[WP-05-04] Evidence of tool management
[WP-05-05] Organizational cybersecurity audit report

Q1.3 Are cybersecurity culture and cybersecurity awareness established, implemented, and maintained?

[WP-05-02] Evidence of competence management, awareness management and continuous improvement

Q1.4 Is a process established, implemented, and maintained to manage project-dependent cybersecurity?

[WP-06-01] Cybersecurity plan
[WP-06-02] Cybersecurity case
[WP-06-03] Cybersecurity assessment report

A.2.2 Continual cybersecurity activities

Q2.1 Is a process established, implemented, and maintained to monitor for cybersecurity information?

[WP-08-01] Sources for cybersecurity information
[WP-08-02] Triggers
[WP-08-03] Cybersecurity events

Q2.2 Is a process established, implemented, and maintained to evaluate cybersecurity events?

[WP-08-04] Weaknesses from cybersecurity events

Q2.3 Is a process established, implemented, and maintained to identify and analyse vulnerabilities?

[WP-08-05] Vulnerability analysis

Q2.4 Is a process established, implemented, and maintained to manage identified vulnerabilities?

[WP-08-06] Evidence of managed vulnerabilities

A.2.3 Risk assessment and methods

Q3.1 Are methods established, implemented, and maintained to determine cybersecurity risks for an item across the concept, product development and post-development phases?

[WP-15-04] Impact ratings with associated impact categories
[WP-15-06] Attack feasibility ratings
[WP-15-07] Risk values

Q3.2 Is a process established, implemented, and maintained to perform a threat analysis and risk assessment (TARA) for an item across the concept, product development and post-development phases?

[WP-15-01] Damage scenarios
[WP-15-02] Assets with cybersecurity properties
[WP-15-03] Threat scenarios
[WP-15-04] Impact ratings with associated impact categories
[WP-15-05] Attack paths
[WP-15-06] Attack feasibility ratings
[WP-15-07] Risk values
[WP-15-08] Risk treatment decisions

Q3.3 Is a process established, implemented, and maintained to treat cybersecurity risks for the item across the concept, product development and post-development phases?

[WP-09-04] Cybersecurity claims
[WP-09-03] Cybersecurity goals
[WP-09-02] TARA result

A.2.4 Concept and product development phase

Q4.1 Is a process established, implemented, and maintained to define the item and specify cybersecurity requirements?

[WP-09-01] Item definition
[WP-09-02] TARA
[WP-09-03] Cybersecurity goals
[WP-09-04] Cybersecurity claims
[WP-09-05] Verification report for cybersecurity goals
[WP-09-06] Cybersecurity concept
[WP-09-07] Verification report for the cybersecurity concept

Q4.2 Is a process established, implemented, and maintained for verification of cybersecurity requirements on components during the development phase?

[WP-10-04] Verification report for the cybersecurity specifications
[WP-10-05] Weakness found during product development, if applicable
[WP-10-06] Integration and verification specification
[WP-10-07] Integration and verification report

Q4.3 Is a process established, implemented, and maintained for validation of cybersecurity goals and claims at the item level?

[WP-11-01] Validation report

A.2.5 Post-development phase

Q5.1 Is a process established, implemented, and maintained for release of an item or component for the post-development phases?

[WP-06-04] Release for post-development report

Q5.2 Is a process established, implemented, and maintained to apply the cybersecurity requirements for post-development during production?

[WP-12-01] Production control plan

Q5.3 Is a process established, implemented, and maintained to respond to cybersecurity incidents?

[WP-13-01] Cybersecurity incident response plan

Q5.4 Is a process established, implemented, and maintained for updates to items or components after production?

Software update management related to cybersecurity

Related work products which are required according to ISO/SAE 21434:2021 from the concept and product development phases

Q5.5 Is a procedure established, implemented, and maintained for communicating the end of cybersecurity support?

[WP-14-01] Procedures to communicate the end of cybersecurity support

Q5.6 Is a procedure established, implemented, and maintained for making available the cybersecurity requirements for decommissioning?

Appropriate documentation (e.g. instructions, user manuals) relating to such requirements can enable decommissioning with regard to cybersecurity.

A.2.6 Distributed cybersecurity activities

Q6.1 Is a process established, implemented, and maintained to manage dependencies that may exist within the entire relevant supply chain regarding the cybersecurity management system?

[WP-07-01] Cybersecurity interface agreement

Evidence of supplier capabilities
Evidence of RFQs (requests for quotation)

