What Is a Cybersecurity Case?
ISO/SAE 21434 Clause 6.4.6 requires organizations to maintain a Cybersecurity Case — a structured argument supported by evidence that the product achieves an adequate level of cybersecurity. The case must show:
- Cybersecurity Goals have been defined for all identified threats
- Risk verdicts demonstrate that threats have been assessed
- Requirements derive from goals and are traceable
- Residual risks are at acceptable levels or have documented justification
The TARA solution automates this evidence assembly through a dashboard that queries live Polarion data, eliminating manual report compilation.
Assurance Argument Structure
The Cybersecurity Case dashboard contains five sections:
1. Cybersecurity Goals Summary
A table listing all cybersecurityGoal work items with:
| Column | Description |
|---|---|
| ID | Linked work item ID for navigation |
| Cybersecurity Goal | Goal title |
| CAL | Color-coded badge: CAL 1 (green), CAL 2 (orange), CAL 3 (red), CAL 4 (dark red) |
| CIAx | The goalCiaxProperty field showing which security property (confidentiality, integrity, availability, or a combination) the goal protects |
| Status | Work item workflow status |
2. TARA Coverage Summary
Verdict distribution cards showing the count of TARA records at each verdict level (V1 through V5 plus Unclassified). Color-coded using the standard verdict palette:
- V1: #4CAF50 (green)
- V2: #8BC34A (light green)
- V3: #FF9800 (amber)
- V4: #f44336 (red)
- V5: #b71c1c (dark red)
Conditional alert banners indicate the overall risk posture:
- Danger alert if any V4/V5 records exist
- Warning alert if V3 records exist but no V4/V5
- Success alert if all records are V1/V2
3. Cybersecurity Requirements Traceability
A table of requirements filtered by classification.KEY:cybersecurity, showing ID, title, and status. These are the requirements that derive from Cybersecurity Goals via the derivesRequirement link role and implement Risk Controls via the implements role.
4. Residual Risk Summary
A table of TARA records with verdict 4 or higher, showing:
- Damage Scenario
- Verdict (with color badge)
- Treatment Choice (treatmentChoice)
- Treatment Status (treatmentStatus)
If no high-risk records exist, a success alert confirms acceptable residual risk.
5. Conclusion
The dashboard computes a case status from the Residual Risk Summary:
- OPEN (danger alert) — Displayed when V4/V5 records remain without completed treatment
- READY FOR REVIEW (success alert) — Displayed otherwise: no V4/V5 records exist, or every one of them has a completed treatment, so residual risk is at an acceptable level
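The rules behind sections 2, 4 and 5 are small enough to state as code. The following is an added worked example, not the TARA solution's dashboard code: it re-implements the verdict-posture banner, the Residual Risk Summary rows and the case status over an in-memory list of records rather than live Polarion data. The record layout (id, damageScenario, verdict as an integer 1..5 or None for Unclassified, treatmentChoice, treatmentStatus), the value "completed" for a finished treatment and the grey color for Unclassified are assumptions; the page names the fields but not their values.

```python
"""Verdict posture, residual-risk table and case status for a set of TARA records.

Added worked example (not the TARA solution's code). Assumptions not stated
on the page: a record is a dict with 'id', 'damageScenario', 'verdict'
(int 1..5, or None for Unclassified), 'treatmentChoice' and 'treatmentStatus';
a treatment counts as completed when treatmentStatus == "completed"; the
Unclassified color is invented.
"""
from collections import Counter

# Verdict palette from the page; the Unclassified color is an assumption.
VERDICT_PALETTE = {
    1: "#4CAF50",  # green
    2: "#8BC34A",  # light green
    3: "#FF9800",  # amber
    4: "#f44336",  # red
    5: "#b71c1c",  # dark red
    "Unclassified": "#9E9E9E",
}
HIGH_RISK = {4, 5}

# Constructed sample data; IDs and damage scenarios are illustrative only.
SAMPLE_RECORDS = [
    {"id": "TARA-101", "damageScenario": "Unauthorized ECU reflash",
     "verdict": 4, "treatmentChoice": "reducing", "treatmentStatus": "completed"},
    {"id": "TARA-102", "damageScenario": "Spoofed brake request on CAN",
     "verdict": 5, "treatmentChoice": "reducing", "treatmentStatus": "in progress"},
    {"id": "TARA-103", "damageScenario": "Diagnostic session hijack",
     "verdict": 3, "treatmentChoice": "retaining", "treatmentStatus": "completed"},
    {"id": "TARA-104", "damageScenario": "Debug log disclosure",
     "verdict": 1, "treatmentChoice": "retaining", "treatmentStatus": "completed"},
    {"id": "TARA-105", "damageScenario": "Telematics command replay",
     "verdict": None, "treatmentChoice": None, "treatmentStatus": None},
]


def verdict_of(record):
    """Map a record's verdict to a palette key; anything outside 1..5 is Unclassified."""
    return record["verdict"] if record.get("verdict") in (1, 2, 3, 4, 5) else "Unclassified"


def verdict_distribution(records):
    """Counts behind the V1..V5 + Unclassified cards (section 2)."""
    counts = Counter(verdict_of(r) for r in records)
    return {level: counts.get(level, 0) for level in VERDICT_PALETTE}


def posture_alert(records):
    """Section 2 banner: danger if any V4/V5, warning if V3 but no V4/V5,
    success if every record is V1/V2. The page defines no banner when only
    Unclassified records remain (or there are none), so that returns None."""
    levels = {verdict_of(r) for r in records}
    if levels & HIGH_RISK:
        return "danger"
    if 3 in levels:
        return "warning"
    if levels and levels <= {1, 2}:
        return "success"
    return None


def residual_risk_rows(records):
    """Rows of the Residual Risk Summary (section 4): verdict V4 or higher."""
    return [
        {"damageScenario": r["damageScenario"],
         "verdict": f"V{verdict_of(r)}",
         "color": VERDICT_PALETTE[verdict_of(r)],
         "treatmentChoice": r.get("treatmentChoice"),
         "treatmentStatus": r.get("treatmentStatus")}
        for r in records if verdict_of(r) in HIGH_RISK
    ]


def case_status(records):
    """Conclusion (section 5): OPEN while any V4/V5 record lacks a completed
    treatment, otherwise READY FOR REVIEW."""
    untreated = [r for r in records
                 if verdict_of(r) in HIGH_RISK and r.get("treatmentStatus") != "completed"]
    return "OPEN" if untreated else "READY FOR REVIEW"


def build_case(records):
    """Assemble the data behind sections 2, 4 and 5 in one call."""
    return {
        "distribution": verdict_distribution(records),
        "posture": posture_alert(records),
        "residual": residual_risk_rows(records),
        "status": case_status(records),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_case(SAMPLE_RECORDS), indent=2))
```

Note that the posture banner and the case status are computed independently: once TARA-102 has a completed treatment the status flips to READY FOR REVIEW, but the section 2 banner stays at danger because a V5 verdict still exists. That is consistent with the page's rules (the banner reports verdict distribution, the conclusion reports untreated high risks) and is worth knowing before reading the two side by side.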
Evidence Chain
The Cybersecurity Case draws evidence from multiple sources across the TARA solution:
| Evidence | Source | ISO Clause |
|---|---|---|
| Identified threats | TARA records in Risksheet modules | Clause 15 |
| Risk verdicts | verdictFormula computation | Clause 15 |
| Cybersecurity Goals | cybersecurityGoal work items with CAL | Clause 9 (9.4) |
| Risk controls | riskControl work items via mitigates link | Clause 9 (9.5) / Clause 10 |
| CS Requirements | sysReq with classification=cybersecurity | Clause 9 (9.5) / Clause 10 |
| Verification | testCase items via verifies link | Clause 10 (10.4.2) |
| Treatment decisions | treatmentChoice and treatmentStatus fields | Clause 15 |
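The traceability section (3) and the evidence chain above rely on the link roles derivesRequirement, implements, mitigates and verifies forming an unbroken chain from goal to requirement to control and test. The following is an added worked example, not the TARA solution's code, that walks that chain over a constructed set of work items and reports every break. The page names the link roles but not their direction, so the directions below (goal derivesRequirement requirement; requirement implements control; control mitigates TARA record; testCase verifies requirement) and the dict layout of a work item are assumptions.

```python
"""Link-role traceability check over Polarion-style work items.

Added worked example (not the TARA solution's code). Work items are plain
dicts: {'id', 'type', optional 'classification', 'links': [(role, target_id)]}.
Assumed link directions (the page names the roles only):
  cybersecurityGoal --derivesRequirement--> sysReq
  sysReq            --implements-->         riskControl
  riskControl       --mitigates-->          TARA record
  testCase          --verifies-->           sysReq
"""

# Constructed sample items; IDs are illustrative only.
SAMPLE_ITEMS = [
    {"id": "GOAL-1", "type": "cybersecurityGoal",
     "links": [("derivesRequirement", "REQ-1"), ("derivesRequirement", "REQ-2")]},
    {"id": "GOAL-2", "type": "cybersecurityGoal", "links": []},
    {"id": "REQ-1", "type": "sysReq", "classification": "cybersecurity",
     "links": [("implements", "CTRL-1")]},
    {"id": "REQ-2", "type": "sysReq", "classification": "cybersecurity", "links": []},
    {"id": "REQ-3", "type": "sysReq", "classification": "cybersecurity", "links": []},
    {"id": "REQ-9", "type": "sysReq", "classification": "functional", "links": []},
    {"id": "CTRL-1", "type": "riskControl", "links": [("mitigates", "TARA-101")]},
    {"id": "CTRL-2", "type": "riskControl", "links": [("mitigates", "TARA-102")]},
    {"id": "TC-1", "type": "testCase", "links": [("verifies", "REQ-1")]},
]


def incoming(items, role):
    """IDs that are the target of at least one link with the given role."""
    return {target for item in items for (r, target) in item["links"] if r == role}


def cybersecurity_requirements(items):
    """In-memory equivalent of the page's classification.KEY:cybersecurity filter (section 3)."""
    return [i for i in items
            if i["type"] == "sysReq" and i.get("classification") == "cybersecurity"]


def trace_gaps(items):
    """Report every break in the goal -> requirement -> control / test chain.
    Each list is sorted so the output is stable enough to diff between runs."""
    derived = incoming(items, "derivesRequirement")
    verified = incoming(items, "verifies")
    implemented = incoming(items, "implements")
    cs_reqs = cybersecurity_requirements(items)
    return {
        # Goal with no derived requirement: the goal is not yet refined.
        "goals_without_requirement": sorted(
            i["id"] for i in items if i["type"] == "cybersecurityGoal"
            and not any(r == "derivesRequirement" for r, _ in i["links"])),
        # Cybersecurity requirement nobody derives: orphan, no goal justifies it.
        "requirements_without_goal": sorted(
            i["id"] for i in cs_reqs if i["id"] not in derived),
        # Cybersecurity requirement with no verifying test case.
        "requirements_without_test": sorted(
            i["id"] for i in cs_reqs if i["id"] not in verified),
        # Risk control that no requirement implements: the control exists only on paper.
        "controls_without_requirement": sorted(
            i["id"] for i in items if i["type"] == "riskControl" and i["id"] not in implemented),
    }


def trace_complete(items):
    """True only when trace_gaps reports nothing."""
    return not any(trace_gaps(items).values())


if __name__ == "__main__":
    for gap, ids in trace_gaps(SAMPLE_ITEMS).items():
        print(f"{gap}: {ids or 'none'}")
    print("trace complete:", trace_complete(SAMPLE_ITEMS))
```

Run against the sample, the check flags GOAL-2 (no derived requirement), REQ-3 (no goal), REQ-2 and REQ-3 (no test case) and CTRL-2 (no implementing requirement); the functional requirement REQ-9 is ignored because the cybersecurity classification filter excludes it, mirroring the dashboard's own filter.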
Lifecycle Documents
Two Polarion LiveDoc documents complement the TARA analysis and feed into the Cybersecurity Case:
Cybersecurity Plan (CYBERSEC-PLAN) — ISO/SAE 21434 Clause 6.4.2. Defines activities, roles, responsibilities, methods, tools, and milestones for the cybersecurity engineering process. Contains 9 sections including scope, roles and responsibilities, activities, and review criteria.
Cybersecurity Concept (CYBERSEC-CONCEPT) — ISO/SAE 21434 Clause 9 (9.5). Documents the technical cybersecurity requirements derived from the cybersecurity goals and their allocation to system elements. Contains 6 sections covering introduction, scope, goals, requirements, allocation, and assumptions.
From Case to Compliance
The Cybersecurity Case is a key artifact for UNECE R155 compliance. R155 requires automotive manufacturers to maintain a certified Cyber Security Management System (CSMS) for type approval. The TARA process, documented through the Cybersecurity Case, provides auditable evidence that:
- Threats were systematically identified using a structured methodology
- Risks were quantified using ISO-aligned scoring
- Unacceptable risks received treatment (controls or goals)
- Requirements derive from goals and are verified by test cases
- Residual risk is at an acceptable level
Because the Cybersecurity Case dashboard queries live data, it always reflects the current state of analysis. As TARA modules progress from Draft through Approved to Published, the case automatically updates its evidence tables and conclusion status.
See Also