Prerequisites
- Risk treatment has been defined for TARA records (treatment choice selected, goals or claims linked)
- Risk controls exist and are linked to TARA records via the
mitigates link role
- Cybersecurity requirements (
sysReq with classification = cybersecurity) exist in the project
- Test cases (
testCase) exist and are linked to requirements via the verifies link role
Steps
1. Open the Req & Verification View
Switch to the 5. Req & Verification view in your TARA Risksheet. This view displays the downstream traceability columns:
| Column | Type | Content |
|---|
stakeholder | itemLink | Affected stakeholder |
damageScenario | text | Damage description |
threatScenario | itemLink | Linked threat |
cybersecurityGoal | itemLink | Linked goal |
goalCal | enum | CAL level of linked goal |
task | taskLink | Risk control ID |
taskTitle | text | Risk control title |
requirements | serverRender | Requirements linked to the control |
verification | serverRender | Test cases linked to the requirements |
2. Understand the Traceability Chain
The Requirements and Verification columns use Velocity server-side rendering to traverse Polarion link chains automatically. You do not enter data in these columns directly — they reflect links created elsewhere in the project.
Goal Track (top row): TARA Record -> Cybersecurity Goal -> Requirement (derivesRequirement) -> Test Case (verifies)
Control Track (bottom row): TARA Record <- Risk Control (mitigates) -> Requirement (implements) -> Test Case (verifies)
3. Create Cybersecurity Requirements
Outside the Risksheet, create sysReq work items for each cybersecurity requirement:
- Set the
classification field to cybersecurity to mark it as a cybersecurity requirement
- Link it to the cybersecurity goal using the
derivesRequirement link role
- Alternatively, link it to a risk control using the
implements link role
Requirements with classification = cybersecurity appear in the Cybersecurity Case dashboard’s traceability table, providing compliance evidence for ISO/SAE 21434 Clause 10.
4. Link Test Cases to Requirements
Create testCase work items and link them to requirements:
- On each test case, create a
verifies link pointing to the cybersecurity requirement
- The test case provides verification evidence that the requirement is satisfied
5. Review Traceability in the Risksheet
Return to the 5. Req & Verification view. The columns now display:
- Requirements column: shows all
sysReq and desReq items that link back to the risk control (via implements or back-link traversal)
- Verification column: shows all
testCase items that link back to those requirements (via verifies)
The Requirements and Verification columns use server-side Velocity rendering (serverRender) to traverse back-links. Changes to links may not appear immediately — reload the Risksheet if the columns appear stale.
6. Verify Completeness
Check each row in the Req & Verification view:
- Every Reducing-treated record should show at least one risk control in the
task column
- Every risk control should have at least one linked requirement in the Requirements column
- Every requirement should have at least one test case in the Verification column
Gaps in any column indicate missing traceability that should be addressed before the TARA document can be approved.
Use the Cybersecurity Case dashboard for a project-wide view of requirements traceability and verification coverage across all TARA modules. See Also
