Road vehicles — Cybersecurity engineering

This document specifies engineering requirements for cybersecurity risk management regarding concept, product development, production, operation, maintenance and decommissioning of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces.

A framework is defined that includes requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risk.

This document is applicable to series production road vehicle E/E systems, including their components and interfaces, whose development or modification began after the publication of this document.

This document does not prescribe specific technology or solutions related to cybersecurity.

ISO/SAE 21434:2021

Road vehicles — Functional safety — Part 1: Vocabulary

This document is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding mopeds. This document does not address unique E/E systems in special vehicles such as E/E systems designed for drivers with disabilities.

NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series of standards or vice versa.

Systems and their components released for production, or systems and their components already under development prior to the publication date of this document, are exempted from the scope of this edition. This document addresses alterations to existing systems and their components released for production prior to the publication of this document by tailoring the safety lifecycle depending on the alteration. This document addresses integration of existing systems not developed according to this document and systems developed according to this document by tailoring the safety lifecycle.

This document addresses possible hazards caused by malfunctioning behaviour of safety-related E/E systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of safety-related E/E systems.

This document describes a framework for functional safety to assist the development of safety-related E/E systems. This framework is intended to be used to integrate functional safety activities into a company-specific development framework. Some requirements have a clear technical focus to implement functional safety into a product; others address the development process and can therefore be seen as process requirements in order to demonstrate the capability of an organization with respect to functional safety.

This document defines the vocabulary of terms used in the ISO 26262 series of standards.

ISO 26262-1:2018

Power systems management and associated information exchange - Data and communications security - Part 9: Cyber security key management for power system equipment

IEC 62351-9:2017 specifies cryptographic key management, namely how to generate, distribute, revoke, and handle public-key certificates and cryptographic keys to protect digital data and its communication. Included in the scope is the handling of asymmetric keys (e.g. private keys and public-key certificates), as well as symmetric keys for groups (GDOI). This document assumes that other standards have already chosen the type of keys and cryptography that will be utilized, since the cryptography algorithms and key materials chosen will be typically mandated by an organization’s own local security policies and by the need to be compliant with other international standards. This document therefore specifies only the management techniques for these selected key and cryptography infrastructures. The objective is to define requirements and technologies to achieve interoperability of key management. The purpose of this document is to guarantee interoperability among different vendors by specifying or limiting key management options to be used. This document assumes that the reader understands cryptography and PKI principles.

IEC 62351-9:2017

Information security, cybersecurity and privacy protection — Physically unclonable functions — Part 1: Security requirements

This document specifies the security requirements for physically unclonable functions (PUFs). Specified security requirements concern the output properties, tamper-resistance and unclonability of a single and a batch of PUFs. Since it depends on the application which security requirements a PUF needs to meet, this document also describes the typical use cases of a PUF.
Amongst PUF use cases, random number generation is out of scope in this document.

ISO/IEC 20897-1:2020

Information security, cybersecurity and privacy protection — Governance of information security

This document provides guidance on concepts, objectives and processes for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security-related processes within the organization.
The intended audience for this document is:
— governing body and top management;
— those who are responsible for evaluating, directing and monitoring an information security management system (ISMS) based on ISO/IEC 27001;
— those responsible for information security management that takes place outside the scope of an ISMS based on ISO/IEC 27001, but within the scope of governance.
This document is applicable to all types and sizes of organizations.
All references to an ISMS in this document apply to an ISMS based on ISO/IEC 27001.
This document focuses on the three types of ISMS organizations given in Annex B. However, this document can also be used by other types of organizations.

ISO/IEC 27014:2020

Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing (Adopted ISO/IEC 27007:2020, third edition, 2020-01)

Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the SCC Mirror Committee (SMC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T).

For brevity, this Standard will be referred to as CAN/CSA-ISO/IEC 27007 throughout.

This Standard supersedes CAN/CSA-ISO/IEC 27007:13 (adopted ISO/IEC 27007:2011). At the time of publication, ISO/IEC 27007:2017 is available from ISO and IEC in English only. CSA Group will publish the French version when it becomes available from ISO and IEC.

CSA ISO/IEC 27007:20

Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements (Adopted ISO/IEC 27009:2020, second edition, 2020-04)

Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the SCC Mirror Committee (SMC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T).

For brevity, this Standard will be referred to as CSA ISO/IEC 27009 throughout.

This Standard supersedes CAN/CSA-ISO/IEC 27009:18 (adopted ISO/IEC 27009:2016). At the time of publication, ISO/IEC 27009:2020 is available from ISO and IEC in English only. CSA Group will publish the French version when it becomes available from ISO and IEC.

This Standard has been formally approved, without modification, by the Technical Committee and has been developed in compliance with Standards Council of Canada requirements for National Standards of Canada. It has been published as a National Standard of Canada by CSA Group.

CSA ISO/IEC 27009:20

Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing (Adopted ISO/IEC 27007:2020, third edition, 2020-01)

Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the SCC Mirror Committee (SMC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T).

For brevity, this Standard will be referred to as CSA ISO/IEC 27007 throughout.

This Standard supersedes CAN/CSA-ISO/IEC 27007:18 (adopted ISO/IEC 27007:2017). At the time of publication, ISO/IEC 27007:2020 is available from ISO and IEC in English only. CSA Group will publish the French version when it becomes available from ISO and IEC.

This Standard has been formally approved, without modification, by the Technical Committee and has been developed in compliance with Standards Council of Canada requirements for National Standards of Canada. It has been published as a National Standard of Canada by CSA Group.

CSA ISO/IEC 27007:20

Automation systems and integration — Object-Process Methodology

ISO/PAS 19450:2015 specifies Object-Process Methodology (OPM) with detail sufficient for enabling practitioners to utilise the concepts, semantics, and syntax of Object-Process Methodology as a modelling paradigm and language for producing conceptual models at various extents of detail, and for enabling tool vendors to provide application modelling products to aid those practitioners.

While ISO/PAS 19450:2015 presents some examples for the use of Object-Process Methodology to improve clarity, it does not attempt to provide a complete reference for all the possible applications of Object-Process Methodology.

ISO/PAS 19450:2015

Industrial automation systems and integration — Integration of life-cycle data for process plants including oil and gas production facilities — Part 13: Integrated asset planning life-cycle

ISO 15926-13:2018 specifies an ontology for asset planning for process plants, including oil and gas production facilities. In addition, it specifies an XML schema, derived from the ontology, for exchange of data used for asset planning.

The following are within the scope of ISO 15926-13:2018:

· portfolio, programme and project plans and schedules;

· operational modification and ongoing maintenance plans and schedules;

· calendars for plan execution;

· constraints on the temporal relationships between items within plans and schedules, including succession link, lag, free and total float;

· activity breakdown structures;

· locations of activities;

· resources required, including material, equipment and human resources, and their costs;

· interfaces to systems that process work orders and purchase orders;

· responsible organizations and people;

· progress tracking and resource usage;

· reference to standard classes of facility, activity and resource.

The following are outside the scope of ISO 15926-13:2018:

· standard classes of facility, activity and resource;

· production planning;

· plan simulation and optimization;

· hazard identification and risk analysis;

· manning and training of personnel;

· budgeting and cost allocation.

ISO 15926-13:2018