Cyber security: Revisions of clause 6.1.2.3 Contingency Plans As per IATF 16949:2016 – Sanctioned Interpretations


Cyber security is important today because our entire daily life is based on the internet and data, and this covers every part of life, including society, industries and different types of organizations.

For any changes to the standard, the Sanctioned Interpretations (SIs) are applicable.

All changes made through revision as per the IATF 16949:2016 Sanctioned Interpretations are welcome and important, and shall be made part of the organization's Automotive Management System in line with the SIs and maintained as per the stated effective dates. From October 2017 up to those effective from June 2022, there are a total of 25 Sanctioned Interpretations.

It is interesting to compare the Sanctioned Interpretations regarding cyber security in clause 6.1.2.3 Contingency Plans with the text first given in the standard. The clause was revised through Sanctioned Interpretations SI 3 and SI 17, and then SI 3 was revised again. The revised content is shown here in blue colour.

THE CLAUSE 6.1.2.3 CONTINGENCY PLANS – As per IATF 16949 1st edition, which was published in October 2016 and was effective from 1 January 2017.

“The organization shall:

a) identify and evaluate internal and external risks to all manufacturing processes and infrastructure equipment essential to maintain production output and to ensure that customer requirements are met;

b) define contingency plans according to risk and impact to the customer;

c) prepare contingency plans for continuity of supply in the event of any of the following: key equipment failures (also see Section 8.5.6.1.1); interruption from externally provided products, processes, and services; recurring natural disasters; fire; utility interruptions; labour shortages; or infrastructure disruptions;

d) include, as a supplement to the contingency plans, a notification process to the customer and other interested parties for the extent and duration of any situation impacting customer operations;

e) periodically test the contingency plans for effectiveness (e.g., simulations, as appropriate);

f) conduct contingency plan reviews (at a minimum annually) using a multidisciplinary team including top management, and update as required;

g) document the contingency plans and retain documented information describing any revision(s), including the person(s) who authorized the change(s).”

THE CLAUSE 6.1.2.3 CONTINGENCY PLANS – As per Sanctioned Interpretations SI 3 (Revised)

“The organization shall:

a) identify and evaluate internal and external risks to all manufacturing processes and infrastructure equipment essential to maintain production output and to ensure that customer requirements are met;

b) define contingency plans according to risk and impact to the customer;

c) prepare contingency plans for continuity of supply in the event of any of the following, but not limited to: key equipment failures (also see Section 8.5.6.1.1); interruption from externally provided products, processes, and services; recurring natural disasters; fire, pandemics; utility interruptions; cyber-attacks on information technology systems; labour shortages; or infrastructure disruptions;

d) include, as a supplement to the contingency plans, a notification process to the customer and other interested parties for the extent and duration of any situation impacting customer operations;

e) periodically test the contingency plans for effectiveness (e.g., simulations, as appropriate); for cybersecurity, testing may include a simulation of a cyber-attack, regular monitoring for specific threats, identification of dependencies and prioritization of vulnerabilities. The testing is appropriate to the risk of associated customer disruption;

Note: cybersecurity testing may be managed internally by the organization or subcontracted as appropriate.

f) conduct contingency plan reviews (at a minimum annually) using a multidisciplinary team including top management, and update as required;

g) document the contingency plans and retain documented information describing any revision(s), including the person(s) who authorized the change(s).

h) include in contingency plans the development and implementation of appropriate employee training and awareness”

THE CLAUSE 6.1.2.3 CONTINGENCY PLANS – As per Sanctioned Interpretations SI 17

SI 17 was issued in October 2019, effective from January 2020, and was again combined with SI 3, revised and reissued in July 2021, effective November 2021.