CYBER SECURITY – Changes in IATF 16949:2016; applicable Sanctioned Interpretations are SI 18, SI 21 and SI 22

Posted on: December 21st, 2022  /  Posted in: #QUALiTYViVA, Cyber Attack, FMEA, IATF, ISO, ISO 9001:2015, QUALiTYViVA, Sanctioned Interpretations  /  Comment: 0


A cyber-attack is a threat to an information system and to the data it holds, whereas cyber security plays an important role in safeguarding all types of information systems and data.

Cyber security therefore has to be looked at from several angles: implementation of cyber protection of systems, risk analysis of cyber-attacks, and training and awareness covering information systems, attempted cyber-attacks and potential equipment failure.

These important points are taken care of by the changes made through the revision. The applicable Sanctioned Interpretations are SI 18, SI 21 and SI 22, and the changed text is shown here in blue colour.


The change made through the addition of sub-clause c) to the clause Plant, facility, and equipment planning recognizes the importance of the information systems, equipment and computerized controls used in the manufacturing process, as well as in the support functions and office areas of the organization, all of which are at risk of cyber-attack.

The addition of sub-clause c) energises and motivates leadership to put effort into implementing the necessary cyber protections, which ensure continued operation and production to meet customer requirements.

Clause Plant, facility, and equipment planning

The organization shall use a multidisciplinary approach including risk identification and risk mitigation methods for developing and improving plant, facility, and equipment plans. In designing plant layouts, the organization shall:

a) optimize material flow, material handling, and value-added use of floor space including control of nonconforming product; and

b) facilitate synchronous material flow, as applicable; and

c) implement cyber protection of equipment and systems supporting manufacturing.


The organization’s information systems, computerized controls and the equipment installed in manufacturing are always at risk of data damage and stoppage from a cyber-attack, so sub-clause b) is added, and the organization is expected to execute a risk analysis of cyber-attack threats to its information technology systems.

Clause 6.1.2.1 Risk Analysis

The organization shall include in its risk analysis, at a minimum:

a) lessons learned from product recalls, product audits, field returns and repairs, complaints, scrap, and rework,

b) cyber-attack threats to information technology systems.

The organization shall retain documented information as evidence of the results of risk analysis.


As we have seen, a cyber-attack is a risk to the organization, so it is important to educate the organization’s employees about cyber security and cyber-attacks through training and development. Accordingly, Clause 7.2.1 Competence – supplemental has been widened with emphasis on prevention and on employee responsibility regarding cyber-attacks.

Clause 7.2.1 Competence – supplemental

The organization shall establish and maintain a documented process(es) for identifying training needs including awareness (see Section 7.3.1) and achieving competence of all personnel performing activities affecting conformity to product and process requirements. Personnel performing specific assigned tasks shall be qualified, as required, with particular attention to the satisfaction of customer requirements.

To reduce or eliminate risks to the organization, the training and awareness shall also include information about prevention relevant for the organization’s working environments and employees’ responsibilities, such as recognizing the symptoms of pending equipment failure and/or attempted cyber-attacks.