Implementing and Testing Cybersecurity – An IATF 16949 Requirement

by Jonathan Hunt published on February 10, 2020

IATF 16949 requires the organization to conduct periodic Cybersecurity testing and conduct vulnerability assessments. These are not just focused in the offices for Design and Corporate, but extend to manufacturing systems as well. Omnex recommends that organizations consider a management systems’ approach versus an ad hoc approach when implementing Cybersecurity. ISO 27001 – IT Security looks at both Cybersecurity, i.e., external threats and internal threats and takes a comprehensive approach to implementing IT and Cybersecurity. In fact, the IATF FAQ on Cyberattacks, recommends an ISO 27001 approach.

The good news is that ISO 27001 adopts the High Level Structure of IATF 16949 and ISO 14001 and can be integrated into the same management system. The differences are in the required risk analysis and vulnerability analysis and applying controls to mitigate the risk. This is where NIST SP 800 series of standards come into play. NIST Standards are a requirement if you deal with the US Government. Omnex, who is ISO 27001 certified, is applying NIST SP 800-53 with its 256 controls. This though a requirement from Omnex top management was also required by an important customer.

When looking at vulnerability and testing, three types of tests need to happen – Enterprise, IOT, and Manufacturing. Find out what these are and the tools typically used. Then after, risk owners and risk controls need to be considered. So testing is important, but risk treatment and controls are even more important.