Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA

Richard Messnarz*, Damjan Ekert, Georg Macher, Svatopluk Stolfa, Jakub Stolfa, Alexander Much

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference paperpeer-review


The Automotive SPICE for Cybersecurity Assessor Course has been developed in Q4/2021 and launched in Jan. 2022. From 6th July 2022 onwards Automotive projects need to declare the coverage of cybersecurity norms (UNECE 155, UNECE 156, ISO 21434) for the homologation of the vehicles in the EU. All car makers request in their customer requirements documents the performance of a TARA (Cybersecurity Threat and Risk Analysis) and all ASPICE assessments for cybersecurity need to evaluate the capability of the process MAN.7 Risk management for Cybersecurity. The Base Practices of MAN.7 are related to the steps of performing and tracking a TARA. In the EU project CyberENG a training for cybersecurity managers and cybersecurity assessors is currently developed which explains how such a TARA is performed and what steps and attributes need to be considered. For the development of the iNTACS ASPICE for cybersecurity assessor training the SOQRATES group contributed practical examples for MAN.7, and SEC.1 to SEC.4 to the course development. This paper outlines how the TARA based on ISO 21434 and ASPICE for cybersecurity is structured and uses the example from the CyberENG project to explain it in practice.

Original languageEnglish
Title of host publicationSystems, Software and Services Process Improvement
Subtitle of host publication29th European Conference, EuroSPI 2022, Proceedings
EditorsMurat Yilmaz, Paul Clarke, Richard Messnarz, Bruno Wöran
Place of PublicationCham
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages16
ISBN (Print)9783031155581
Publication statusPublished - 2022
Event29th European Systems, Software and Services Process Improvement: EuroSPI 202 - Salzburg, Austria
Duration: 31 Aug 20222 Sep 2022

Publication series

NameCommunications in Computer and Information Science
Volume1646 CCIS
ISSN (Print)1865-0929
ISSN (Electronic)1865-0937


Conference29th European Systems, Software and Services Process Improvement
Abbreviated titleEuroSPI 202


  • Cybersecurity assessment
  • Cybersecurity threat and risk analysis
  • MAN.7 risk management for Cybersecurity
  • TARA

ASJC Scopus subject areas

  • Computer Science(all)
  • Mathematics(all)


Dive into the research topics of 'Automotive SPICE for Cybersecurity – MAN.7 Cybersecurity Risk Management and TARA'. Together they form a unique fingerprint.

Cite this