Interpreting the standard "ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering" (Part 11)

5 Organizational cybersecurity management / 5.4 Requirements and recommendations / 5.4.5 Tool management

5.4.5 Tool management

[RQ-05-14] Tools that can influence the cybersecurity of an item or component shall be managed.

EXAMPLE 1 Tools used for concept or product development, such as model based development, static checkers, verification tools.

EXAMPLE 2 Tools used during production such as a flash writer, end of line tester.

EXAMPLE 3 Tools used for maintenance, such as an on-board diagnostic tool or reprogramming tool.

NOTE Such management can be established by:
— application of the user manual with errata;
— protection against unintended usage or action;
— access control for the tool users; and/or
— authentication of the tool.

[RC-05-15] An appropriate environment to support remedial actions for cybersecurity incidents (see 13.3) should be reproducible until the end of cybersecurity support for the product.

EXAMPLE 4 Testing, software build and development environments for reproducing and managing vulnerabilities.

EXAMPLE 5 Toolchain and compilers used for building the software of the product.


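  1. The cybersecurity activities of clause "5.4.5 Tool management" comprise one requirement (RQ), [RQ-05-14], and one recommendation (RC), [RC-05-15];
  2. [RQ-05-14]: the tools that can influence the cybersecurity of an item or component should be identified and compiled into a list, and corresponding management rules should be established for them;
  3. [RC-05-15]: across the product's entire cybersecurity support life cycle, the appropriate environments that support remedial actions for cybersecurity incidents should be identified, and it should be ensured that these environments can be reproduced.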


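  1. A list of the tools that influence the cybersecurity of an item or component, together with their management rules;
  2. A list of the environments that support remedial actions for cybersecurity incidents, together with a plan for ensuring that they can be reproduced.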


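  1. Whether the tools that can influence the cybersecurity of an item or component have been identified and compiled into a list;
  2. Whether management rules have been established for the tools that influence the cybersecurity of an item or component, with verification that those tools are managed according to the rules;
  3. Whether a list of the environments that support remedial actions for cybersecurity incidents has been identified, and whether it has been confirmed that the environments can be reproduced.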