ISO/SAE 21434:2021 [PDF]
TÜV SÜD assessment of the AVCDL (release 2.5.14) with respect to ISO/SAE 21434:2021 clauses 7 through 15.
UNECE WP.29 R155 [PDF]
TÜV SÜD assessment of the AVCDL (release 3.13.3) with respect to UNECE WP.29 R155 paragraphs 7.1 through 7.4.
Documentation relating to the use of the AVCDL in the context of the above assessments can be found here.
The question arises as to what TÜV SÜD's AVCDL assessment actually represents.
The AVCDL is a set of processes with a bunch of supporting material to explain those processes. It represents what an organization could do. In practice, an organization adopting the AVCDL would take each process and create one or more procedures to implement it. These procedures would be specific to their organization, whereas the AVCDL’s processes are generic.
TÜV SÜD has assessed the processes and supporting materials of the AVCDL against the above-listed technical standards and regulations, comparing what each requires to what the AVCDL provides for.
You would generally take an actual product to be certified. When you do that, the certification body would review the actual processes, procedures, and supporting evidence (QMS, RMS, issue tracking, …) to establish that there was proof that the organization not only had policies, processes and procedures, but also followed them, and could show appropriate traceability as required by the regulations and standards.
It takes a long time to get any type of certification. In order to ensure that you have the best chance of attaining certification, you need to work with the certification body to establish that your processes don’t have any holes. No one wants to have to go back to their management telling them that they can’t be certified because they forgot to do something that will take them 9 months to backfill.
Having the AVCDL assessed not only against the technical standard (ISO/SAE 21434) but also against UNECE WP.29 R155 ensures that we know all the bits and pieces required in order to achieve certification.
It would be easy to look at the standards and regulations, and create a checklist in some word processor. Any such list would not provide a sense of dependencies between activities or the involved groups. The list would say nothing about how suppliers should actually be tracked and evaluated. These are things that the AVCDL makes very clear.
Just announcing that you've adopted the AVCDL doesn’t mean you suddenly have cybersecurity. This is why the AVCDL elaborates on how to incrementally adopt it. It’s why there is material on continuous improvement. It’s why there’s a mechanism for establishing how mature an organization is. And, it’s why every document includes a list of references.