The role of the PMO facing the ISO 21434 Audit

Even though the UNECE R155 regulation does not require explicit certification, obtaining one can provide great added value to any organization. Obtaining it involves what is commonly known as a certification audit: a regulated and independent assessment of the requirements of the standard that defines the management system.

In the two previous articles on ISO 21434 (available here and here), we explored the advantages of having a Project Management Office (or simply PMO) within an initiative to implement the ISO 21434:2021 Road vehicles — Cybersecurity engineering.

Aligned with the above, we will review the key role that a PMO can play in facilitating the audit process and helping to ensure that the organization is prepared and aligned with the certification requirements.


Certification Audit

A certification audit is a systematic, documented and objective process in which an independent entity examines and evaluates one or more of an organization’s systems, together with their processes and controls, to verify their conformity with the requirements of a specific standard.

In the context of the ISO 21434:2021 standard, the cybersecurity management system will be evaluated, focusing more specifically on the identification and management of threats and risks through the TARA (Threat Analysis and Risk Assessment), the detection and subsequent management of threats and vulnerabilities throughout the vehicle’s life cycle and, generally speaking, on risk mitigation.

Although the ISO 17021-1:2015 standard “Conformity assessment — Requirements for bodies providing audit and certification of management systems” defines more steps for obtaining a certification, the audit is undoubtedly the best known and most significant activity in the entire process.

But however familiar the exercise may be, it is essential to remember what the main characteristics of this activity are:

  • The objective of the audit is to verify compliance with the requirements established in the standard being audited.
  • It is a rigorously structured activity. There is a previously defined and agreed agenda, with members of the work team assigned to each block of the agenda according to its topic. The team to be audited must be informed of dates, duration and tools used, and must have the information and resources necessary to answer the questions raised in the audit.
  • Recertification and surveillance (monitoring) audits are carried out at a set frequency, which is annual for a Cybersecurity Management System (CSMS).
  • At the end of the audit, the audit team issues a compliance report, including corrective actions if any are required.


Audit Preparation

Audits can generate a high level of pressure on work teams, especially if they are not used to dealing with this type of exercise. This is mainly due to two reasons:

  • Implementing a management system is not the same as demonstrating how fully it covers the requirements and how effective it is.
  • The overhead in time and effort of the related tasks: audit preparation, the audit itself and, potentially, the recovery plan if non-conformities appear.

It is common for work teams to see these lines of work as adding little value or as being simply unnecessary. In this sense, a series of good practices can be adopted from the point of view of operational management:

  • Create awareness among the work team that audits are not an isolated event but part of the cybersecurity life cycle. At the same time, schedule audits to fit the rhythms of the different teams, in off-peak phases when the Management System’s operational workload is lower.
  • From an initiative management perspective, allocate time for audit preparation and execution within the schedule, avoiding overload when performing this type of exercise.
  • Record implementation decisions, that is, how the ISO 21434 standard has been interpreted, so that they can be explained later.
  • Arrange a third-party review of the status of the critical documents that will be examined in the various audits, such as the TARA, the definition and results of penetration tests, incident management records, etc.

But more specifically, the PMO can take several actions that help mitigate the problems and underlying pressure of passing an audit. The PMO can prepare work teams not only to comply with the requirements, but also to effectively demonstrate such compliance to auditors. By improving communication, the message of a systematically defined, deployed and operated Management System is amplified. To do this, there are several strategies that, applied individually or in parallel, will increase our chances of success in the audit:

  • Mock Audits: This practice helps teams anticipate questions, prepare documentation in an organized manner, and address any concerns that may arise during the “real” audit. This includes how to present evidence of compliance, answer technical questions, explain processes, and justify decisions made during product development. The PMO can develop practical guides to answer more complicated questions that arise during an audit or how to deal with aspects that are not as mature as the requirements of the standard.
  • Developing communication skills: During an audit, it is not only important to have technical knowledge, but also the ability to communicate it clearly and effectively. Being able to create the right atmosphere through a friendly tone of voice and a smile can make a big difference, conveying transparency and confidence to the audit team. The PMO can offer training in presentation skills, handling difficult questions, and developing strong arguments.
  • Coordination between teams: In complex audits, when involving multiple teams and multiple scenarios, the PMO can serve as a coordination bridge in the construction of a common story. It is not about creating false information, but about presenting existing information in a fluid and orderly manner. Through storytelling, we will be able to narrate the facts in a connected way so that risk prevention and problem-solving actions make sense.
  • Coordinator for the audit itself: Given the PMO’s role, its members are unlikely to take part in the interviews. They can therefore support both the audit team and the auditees in administrative tasks, such as schedule management, room reservation for in-person audits, software license reservation, export and delivery of evidence to the auditor, etc.
  • Debriefing of audits: Misunderstood responses, nervousness, excessive scrolling when presenting data on screen, not guiding the audit team through the information being displayed at any given time, ignoring the auditor’s instructions, etc., are common situations or behaviors in teams not prepared for the exercise, and they are difficult to detect and correct without an external observer who provides feedback. The PMO, as an observer within the audit (real or simulated), can provide such feedback on these and similar cases, seeking not only to prevent them in future audits but also to comment on the positive aspects of the team’s intervention.


Other tasks of the certification process

There are a number of additional tasks in which the project office can collaborate or which it can lead directly, freeing up the work team to focus on the activities of the management system:

  • Sending all the information requested prior to the audit: These requests usually include a process map, roles, a management system manual, etc., which must be delivered through appropriate channels and tools so that confidentiality requirements are maintained.
  • Managing audit logistics: From organizing the agenda topics and inviting the key audit participants to managing rooms and other resources, such as specific licenses, etc.
  • Managing pending issues during interviews: It is common that certain information is not presented, or that a question must be answered by someone who was not invited. Since it is not the main interlocutor, the PMO can act as a support channel for following up on these items.
  • Identifying documentary errors: Since they are not the main interlocutors, it is easy for the PMO team to detect certain errors in the documentation that may have gone unnoticed by the audit team, such as outdated document templates, documents with incorrectly completed signature panels, etc. The PMO can take note of these findings, which may not appear in the audit report.
  • Non-conformity management: In the event that non-conformities are found, the PMO can lead the communication and management of the action plan, freeing up the technical team to focus on resolving the issues.


Conclusions

Audits are a demanding activity, where tension is often palpable due to the evaluative nature of the activity. Preparation for such an activity is critical if the certification objective is to be achieved. It requires meticulousness and appropriate tools to enhance communication and information presentation skills.

This is where, once again, having a Project Management Office integrated into the initiative to implement the ISO 21434:2021 Road vehicles — Cybersecurity engineering becomes a decisive factor for success, as it equips the company with additional tools and techniques that, when applied systematically, will significantly increase the chances of defining, deploying and certifying our Cybersecurity Management System.

Leadership in uniting the group and enhancing its skills will mark a path towards continuous improvement and, ultimately, a commitment to excellence that allows companies to remain relevant in a market as demanding as the development of automotive components.