ISO/IEC 42001 and ISO/SAE 21434 Gap Analysis Service for Autonomous Vehicle Pilot License
2025.10.30
The Hong Kong Transport Department issued its first pilot license for autonomous vehicles on November 29, 2024, authorizing trial operations in the North Lantau, Cyberport and the West Kowloon Cultural District under strict safety supervision (reference link: info.gov.hk). As the regulatory framework evolves, pilot license holders must demonstrate strong governance, risk management and performance monitoring to satisfy both legal and operational requirements.
Introducing ISO/IEC 42001
ISO/IEC 42001 is the international standard that specifies requirements for an artificial intelligence management system; applied to autonomous driving, it addresses:
- Governance framework and organizational structure
- Stakeholder engagement and transparency
- Risk assessment and mitigation strategies
- Continuous performance evaluation and improvement
With ISO/IEC 42001, organizations can systematically manage the complex interplay between technology, safety, and public trust.
Introducing ISO/SAE 21434
ISO/SAE 21434 is the international standard for automotive cybersecurity engineering, designed to address the growing risks associated with connected and autonomous vehicles. It provides a structured framework for managing cybersecurity across the entire vehicle lifecycle - from concept and development to production, operation, and decommissioning. The standard emphasizes:
- Threat Analysis and Risk Assessment (TARA)
- Secure software and hardware development
- Incident response planning
- Supply chain cybersecurity controls
By adopting ISO/SAE 21434, autonomous vehicle stakeholders can safeguard systems against cyber threats, ensure regulatory compliance and build public trust in AV technologies.
How SGS’s gap analysis works
Our gap analysis service benchmarks your current AV program against ISO/IEC 42001 and ISO/SAE 21434 requirements to uncover areas for enhancement. The process involves:
- Initial assessment: review existing policies, processes and documentation related to AV trial operations
- Gap identification: map current practices to ISO/IEC 42001 and ISO/SAE 21434 clauses and pinpoint non-conformities or improvement opportunities
- Action plan development: provide a prioritized roadmap with clear recommendations, resource estimates, and timelines
- Follow-up support: coaching, workshops and pre-audit checks to ensure readiness for formal certification or performance audits
ISO/IEC 42001 vs. Cap. 374AA (Road Traffic (Autonomous Vehicles) Regulation): AI governance gaps
ISO/IEC 42001 focuses on responsible AI lifecycle management. Comparing it with Cap. 374AA reveals potential gaps:
| Area | Cap. 374AA Focus | ISO/IEC 42001 Requirement | Gap/Improvement |
|---|---|---|---|
| AI Risk Management | Safety and operational risk | Broader AI risks including bias, explainability, and misuse | AV holders may need to expand risk registers to include ethical and societal risks |
| Transparency | Technical disclosures to the HKSAR Transport Department | Stakeholder transparency and traceability | Improve public-facing documentation and decision traceability |
| Governance | Compliance with the HKSAR Transport Department’s Code of Practice | Formal AI governance structure | Establish an AI ethics board or internal audit mechanisms |
| Monitoring & Feedback | Incident reporting | Continuous performance monitoring and feedback loops | Enhance real-time monitoring and adaptive learning systems |
ISO/SAE 21434 vs. Cap. 374AA: cybersecurity gaps
ISO/SAE 21434 is tailored for automotive cybersecurity. Comparing it with Cap. 374AA reveals:
| Area | Cap. 374AA Focus | ISO/SAE 21434 Requirement | Gap/Improvement |
|---|---|---|---|
| Threat Analysis | General safety assurance | Detailed cybersecurity threat analysis and risk assessment (TARA) | AV holders should conduct a formal TARA for each vehicle platform |
| Lifecycle Security | Initial approval and pilot license | Security across development, deployment, and decommissioning | Extend security controls beyond the pilot phase |
| Incident Response | Notify the HKSAR Transport Department of incidents | Formal incident response and recovery plans | Develop and test cybersecurity playbooks and response protocols |
| Supply Chain Security | Not explicitly covered | Secure software and hardware supply chain | Audit third-party components and firmware updates for vulnerabilities |
Benefits for AV pilot license holders
Our gap analysis service helps you to:
- Conduct internal audits: use ISO/IEC 42001 and ISO/SAE 21434 checklists to assess current practices
- Engage external assessors: work with certified bodies to validate compliance and identify gaps
- Update policies and SOPs: align internal documentation with international standards
- Report improvements to the HKSAR Transport Department: demonstrate proactive governance and cybersecurity to strengthen license renewal prospects
Who is the SGS gap analysis for?
Our gap analysis service is for:
- Autonomous vehicle pilot license holders, such as Baidu Apollo International Ltd. and Kwoon Chung Motors Company
- Third-party automotive insurance companies that safeguard autonomous vehicles
- Autonomous vehicle manufacturers, such as SenseTime
- AI developers and algorithm designers that enable autonomous vehicles
- Data centers hosting autonomous vehicle platforms
- Mobility-as-a-service providers
Next steps
To start your ISO/IEC 42001 and ISO/SAE 21434 gap analysis journey:
- Contact us at hk.ba@sgs.com to schedule a scoping workshop
- Receive a customized proposal with timelines and cost estimates
- Start the gap analysis and begin closing your ISO/IEC 42001 and ISO/SAE 21434 compliance gaps