Experiences with the automotive SPICE for cybersecurity assessment model and tools

Richard Messnarz*, Damjan Ekert, Georg Macher, Alexander Much, Tobias Zehetner, Laura Aschbacher

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review


In August 2021 the ISO 21434:2021 standard for Road vehicles—Cybersecurity Engineering has been published. At the same time the blue book from VDA (Verein der Deutschen Automobilgesellschaft; German Automotive Association) for Automotive SPICE cybersecurity assessments has been released. In addition in the period September–December 2021 the training material for iNTACS (INTernational Assessor Certification Schema) certified Automotive SPICE for cybersecurity assessors has been developed. Since February 2022 the upgrade training of assessors worldwide has started. Beside the ASPICE (Automotive SPICE) for cybersecurity blue book also a red book from VDA has been published. The red book describes the questions to check in an ACSMS (Automotive CyberSecurity Management System) audit. This paper explains the main strategy and content for ASPICE for Cybersecurity assessments and how such assessments are integrated to the overall ACSMS strategy. Also, the paper outlines an example method and tool used in ASPICE for cybersecurity assessments and how such assessment results will look like.

Original languageEnglish
JournalJournal of Software: Evolution and Process
Publication statusE-pub ahead of print - 2022


  • capability adviser tool based assessment
  • CSMS audit
  • cybersecurity ASPICE assessment
  • first experiences

ASJC Scopus subject areas

  • Software


Dive into the research topics of 'Experiences with the automotive SPICE for cybersecurity assessment model and tools'. Together they form a unique fingerprint.

Cite this