By Josmi Jose and Janine Funke
The automotive industry is undergoing rapid digital transformation, making cybersecurity a top priority throughout the vehicle life cycle. To support robust cybersecurity measures, organizations rely on evaluations based on frameworks and standards such as ISO/SAE 21434 cybersecurity audits and assessments as well as Automotive SPICE® (ASPICE) for Cybersecurity assessments. However, organizations may misunderstand the differences among these evaluations, leading to redundant efforts and inefficiencies. This article explores their distinctions and overlaps, and encourages organizations to take a structured approach that helps streamline compliance, enhance process maturity and strengthen cybersecurity resilience.
ISO/SAE 21434 cybersecurity audits and assessments vs. ASPICE for Cybersecurity assessments: Key differences
Cybersecurity audits (ISO/SAE 21434 and ISO/PAS 5112)
An organizational cybersecurity audit is a formal evaluation of organizational processes to assess conformity with the requirements and objectives of ISO/SAE 21434. Guided by ISO/PAS 5112, an organizational cybersecurity audit reviews governance, roles and policies to determine whether cybersecurity risks are systematically managed across the organization when dealing with cybersecurity-relevant projects. A cybersecurity management system (CSMS) must be established in the organization. Another aspect of the CSMS audit is evaluating whether the CSMS is actively maintained and correctly implemented in projects. Examples and work products from selected projects of the organization need to be checked as evidence of implemented and applied CSMS processes. A technical deep dive into work products is not the goal of an organizational cybersecurity audit.
Cybersecurity assessments (ISO/SAE 21434)
A cybersecurity assessment evaluates the cybersecurity of an item or component, focusing on technical and project-specific implementations of cybersecurity measures. Unlike audits, which emphasize compliance, assessments examine whether cybersecurity activities were effectively carried out as planned within a development project. ISO/SAE 21434 provides limited direct guidance on conducting assessments, leaving organizations to define tailored approaches. The standard offers flexibility in how objectives and requirements are met, as well as in the methods used for the implementation.
Assessments often involve a combination of process evaluations (similar to audits) and implementation reviews defined in the cybersecurity plan, along with technical evaluations to determine whether the item or component meets ISO/SAE 21434 objectives with convincing arguments. This approach bridges organizational processes and technical implementation, emphasizing traceability, effectiveness and compliance.
ASPICE for Cybersecurity assessments
ASPICE for Cybersecurity assessments evaluate process capability within an organization or project, helping integrate structured cybersecurity practices into development processes. These assessments provide a framework for evaluating how well cybersecurity processes are defined, implemented and maintained at different capability levels. ASPICE for Cybersecurity includes:
- Cybersecurity Requirements Elicitation (SEC.1) – Identifying security requirements
- Cybersecurity Implementation (SEC.2) – Implementing security measures
- Cybersecurity Risk Treatment Verification (SEC.3) and Cybersecurity Risk Treatment Validation (SEC.4) – Confirming that security controls work effectively
- Cybersecurity Risk Management (MAN.7) – Managing cybersecurity risks and determining risk treatment options
- Cybersecurity Supplier Request and Selection (ACQ.2) – Selecting suppliers and awarding a contract or agreement
The term “assessment” differs between ASPICE for Cybersecurity and ISO/SAE 21434. While ASPICE assessments provide strong process traceability, they do not cover all aspects of an ISO/SAE 21434 cybersecurity assessment, particularly regarding technical deep dives, risk mitigation and compliance with cybersecurity governance frameworks.
Bridging the gap between ISO/SAE 21434 and ASPICE
Overlapping areas
- Process compliance and quality management – Both ISO/SAE 21434 and ASPICE emphasize structured processes, governance and quality assurance. ASPICE Level 3 can support the organizational level. ISO/SAE 21434 requires quality management and lists ASPICE as evidence of conformity. Quality management is vital for every project and is a nonnegotiable foundation for implementing cybersecurity effectively. Cybersecurity must be built on an existing product development process governed by quality principles. Embedding quality management within the development life cycle helps organizations anticipate and mitigate cybersecurity risks so every project meets both quality and security standards. Cybersecurity measures are only as strong as the development processes they integrate with. Without quality management, compliance with ISO/SAE 21434 cannot be achieved.
- Project-dependent cybersecurity management – ISO/SAE 21434 sets organizational guidelines, but effective implementation requires adapting them to the project context, considering unique risks, resources and technical challenges. ASPICE for Cybersecurity also evaluates how well cybersecurity practices are integrated into the project’s specific processes.
- Product development phase – Integrating cybersecurity from the conceptual design phase through system, software and hardware development, as well as verification and validation, is essential. Both frameworks advocate for comprehensive integration so that cybersecurity is a foundational element of product design and development, not an afterthought.
- Traceability – A core ASPICE requirement is traceability, which also supports ISO/SAE 21434 by linking cybersecurity goals, technical requirements and implementations.
- Supplier management – ASPICE’s Acquisition Processes (ACQ.2) and ISO/SAE 21434 require suppliers to demonstrate capability and follow cybersecurity best practices.
- Risk management – ASPICE Cybersecurity Risk Management (MAN.7) involves analyzing risks by identifying threat scenarios and damage scenarios, determining an impact rating and an attack feasibility rating, prioritizing risks for treatment, and defining risk treatment options in line with ISO/SAE 21434 Clause 15, Threat Analysis and Risk Assessment (TARA).
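The risk-management and traceability items above describe a chain that runs from a damage scenario through an impact rating and an attack feasibility rating to a risk value, a treatment option, and finally a cybersecurity goal that must trace to requirements and verification evidence. The following Python example, added here for illustration and not code from the article, from UL Solutions or from ISO/SAE, walks that chain on constructed sample data. The risk matrix, the treatment policy and the scenario, requirement and test-case identifiers are assumptions modelled loosely on the informative material in ISO/SAE 21434; an organization must substitute its own approved rating scales and policy.

```python
"""Worked TARA risk determination with a goal -> requirement -> verification
traceability check. Illustrative example; the risk matrix, treatment policy
and all sample identifiers below are constructed assumptions, not values
taken from ISO/SAE 21434 or from any organization's process."""
from dataclasses import dataclass

# Ordered rating scales; the position in each list indexes the risk matrix.
IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]

# Assumed risk matrix: rows follow IMPACT_LEVELS, columns FEASIBILITY_LEVELS.
# Risk values run from 1 (lowest) to 5 (highest).
RISK_MATRIX = [
    [1, 1, 1, 1],  # negligible impact
    [1, 2, 2, 3],  # moderate impact
    [1, 2, 3, 4],  # major impact
    [2, 3, 4, 5],  # severe impact
]


def risk_value(impact: str, feasibility: str) -> int:
    """Look up the risk value for an impact and an attack feasibility rating."""
    return RISK_MATRIX[IMPACT_LEVELS.index(impact)][FEASIBILITY_LEVELS.index(feasibility)]


def treatment_option(risk: int) -> str:
    """Assumed organizational policy mapping a risk value to one of the
    treatment options named in ISO/SAE 21434 (avoid, reduce, share, retain)."""
    if risk <= 1:
        return "retain"
    if risk <= 4:
        return "reduce"
    return "avoid"


@dataclass(frozen=True)
class ThreatScenario:
    ts_id: str
    damage_scenario: str  # harm to the road user or another stakeholder
    impact: str           # impact rating of the damage scenario
    feasibility: str      # attack feasibility rating of the threat scenario


# Constructed sample scenarios (hypothetical item: a telematics control unit).
SAMPLE_SCENARIOS = [
    ThreatScenario("TS-01", "Unauthorized firmware accepted by the unit", "severe", "medium"),
    ThreatScenario("TS-02", "Disclosure of non-personal diagnostic logs", "moderate", "low"),
    ThreatScenario("TS-03", "Replay of an infotainment volume command", "negligible", "high"),
]

# Constructed traceability data: which requirements implement each goal and
# which verification evidence (test cases) covers each requirement.
SAMPLE_GOAL_TO_REQS = {"CG-TS-01": ["CSR-101", "CSR-102"], "CG-TS-02": []}
SAMPLE_REQ_TO_VERIF = {"CSR-101": ["TC-501"], "CSR-102": []}


def assess(scenarios):
    """Return {ts_id: (risk_value, treatment_option)} for every threat scenario."""
    results = {}
    for s in scenarios:
        risk = risk_value(s.impact, s.feasibility)
        results[s.ts_id] = (risk, treatment_option(risk))
    return results


def required_goals(results):
    """A scenario treated by 'reduce' or 'avoid' must yield a cybersecurity goal."""
    return sorted(f"CG-{ts}" for ts, (_, option) in results.items() if option != "retain")


def trace_gaps(goals, goal_to_reqs, req_to_verif):
    """Report every missing link in goal -> requirement -> verification."""
    gaps = []
    for goal in goals:
        reqs = goal_to_reqs.get(goal, [])
        if not reqs:
            gaps.append(f"{goal}: no cybersecurity requirement traces to this goal")
        for req in reqs:
            if not req_to_verif.get(req):
                gaps.append(f"{req}: no verification evidence for requirement (goal {goal})")
    return gaps


if __name__ == "__main__":
    results = assess(SAMPLE_SCENARIOS)
    for ts_id, (risk, option) in results.items():
        print(f"{ts_id}: risk {risk} -> {option}")
    for gap in trace_gaps(required_goals(results), SAMPLE_GOAL_TO_REQS, SAMPLE_REQ_TO_VERIF):
        print("GAP:", gap)
```

On the sample data, TS-01 rates as risk 4 (reduce), TS-02 as risk 2 (reduce) and TS-03 as risk 1 (retain), so two cybersecurity goals are required; the traceability check then flags that requirement CSR-102 has no verification evidence and that goal CG-TS-02 has no requirement at all. Those are exactly the findings an ASPICE for Cybersecurity assessment surfaces through traceability and that an ISO/SAE 21434 assessment would expect to see closed before the item is released.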
Gaps and challenges
- Coverage of the life cycle – ASPICE for Cybersecurity does not cover the full vehicle life cycle; it omits post-development phases such as production, operations, maintenance and ongoing cybersecurity activities.
- Organizational rules – For a management system, it is vital that the organizational processes are followed, so the standard process must be understood in order to evaluate the project correctly. ASPICE is effective for assessing process capability and improvements, but at Capability Levels 1 and 2 it does not require adherence to standard processes or a comprehensive CSMS. Capability Level 3 ASPICE assessments are rare, which creates gaps and inconsistencies with organizational rules and variability in cybersecurity practices across projects.
- Assessor qualification – A cybersecurity assessment requires assessors to understand organizational-level processes, their implementation in project- and product-specific domains, and technical challenges. Cybersecurity controls are heavily influenced by the technology and product being evaluated, and without in-depth product knowledge, assessments may miss critical factors. This knowledge is not mandatory for an ASPICE assessor because deep technical reviews are outside ASPICE’s scope.
- Redundant activities – Identifying overlapping activities across cybersecurity audits, assessments and ASPICE assessments can be challenging because many processes and controls are evaluated across multiple frameworks, often creating redundancy and ambiguity in responsibility.
A coordinated approach: Aligning cybersecurity evaluations
To minimize redundancies and promote comprehensive cybersecurity evaluation, organizations must:
1. Define clear evaluation scopes.
   - Organizational cybersecurity audits assess organizational governance and process compliance.
   - Cybersecurity assessments evaluate technical effectiveness and project-level cybersecurity execution.
   - ASPICE assessments evaluate process capability, traceability and process-related product risks from engineering areas such as system, software and hardware. ASPICE for Cybersecurity often extends beyond ISO/SAE 21434 by offering a more detailed, process-oriented evaluation, supplier management throughout the product development life cycle and broader stakeholder integration.
2. Use ASPICE as input for organizational audits and cybersecurity assessments.
   - ASPICE for Cybersecurity can provide evidence of process adherence for ISO/SAE 21434 audits and assessments.
   - Separate technical evaluations (such as vulnerability testing and confirmation reviews) remain necessary for cybersecurity assessments.
3. Develop standardized processes and guidelines and strengthen assessor skills.
   - ISO/SAE 21434 offers limited guidance on conducting cybersecurity assessments, and interpretations of assessment criteria can vary. Organizations should establish internal guidelines, checklists and standardized evaluation metrics. Clear evaluation criteria aligned across cybersecurity audits, cybersecurity assessments and ASPICE assessments promote consistency, cross-usability and comparability. Defining clear roles and responsibilities for each evaluation type should be part of this effort.
   - Assessors must have specialized knowledge of both ASPICE and the technical aspects of cybersecurity relevant to specific automotive products or systems.
4. Implement an iterative, integrated audit and assessment strategy.
   - Cybersecurity evaluations should be conducted throughout the development life cycle, from the concept phase to post-production.
   - Organizational audit, cybersecurity assessment and ASPICE assessment timelines should be synchronized to align inputs and outputs and avoid duplication of effort.
Conclusion
While ISO/SAE 21434 cybersecurity audits and assessments and ASPICE for Cybersecurity assessments have distinct aims, they can complement each other when aligned properly. ASPICE provides strong process validation, while ISO/SAE 21434 focuses on compliance and technical cybersecurity effectiveness. An ASPICE for Cybersecurity assessment can identify gaps and process weaknesses in projects implementing cybersecurity activities according to ISO/SAE 21434. These gaps and weaknesses serve as input for improving cybersecurity processes and should inform both organizational cybersecurity audits and ISO/SAE 21434-based cybersecurity assessments.
By implementing effective improvement measures derived from assessment results, organizations can adjust and refine the CSMS. The cybersecurity assessment based on ISO/SAE 21434 cannot be replaced, especially because ASPICE does not include a deep technical review, but parts of it can complement ASPICE. By harmonizing these evaluations, organizations can strengthen cybersecurity maturity at both organizational and project levels, optimize compliance efforts and improve their resilience against cyber threats.
About the authors
Josmi Jose
Senior Consultant at UL Solutions Software Intensive Systems, intacs® Data Management SPICE working group contributor
Janine Funke
Lead Strategic Area Cybersecurity, Lead Consultant, Software Intensive Systems
Disclaimer: This article is for general information purposes only and is not intended to convey legal or other professional advice.