Pass R155 Buyer Audits Without a Cert: A Supplier Playbook

November 24, 2025
5 min read

Updated: August 2025

Who this is for: Swedish Tier-1 and Tier-2 teams that ship software or firmware into vehicles.

Goal: Win buyer reviews with clear, repeatable proof.

How buyers run the review

They follow a simple path. You can match it.

  1. Scope check. What product, what variants, what change.

  2. Evidence scan. Do you have the right files and owners?

  3. Deep dive. They trace one risk to code and back.

  4. Open findings. They look for known CVEs and past incidents.

  5. Decision. Green light, conditional, or rework.

What do buyers check first? A clean evidence index. You will ship that in the next section.

The 12 artifacts that get a "yes"

Ship these in a single folder. Use short names. Keep owners and dates on page 1.

  1. Evidence Index (index.md). One line per artifact, owner, link.

  2. Product Scope (scope.pdf). HW, SW, networks, data flows, variants.

  3. Threat Analysis (tara.pdf). Risks ranked with SFOP and notes.

  4. Cybersecurity Goals (goals.xlsx). Linked to hazards and assets.

  5. Security Requirements (sec-reqs.xlsx). Trace to goals and tests.

  6. Cryptography Register (crypto.xlsx). Algorithms, modes, key sizes, use.

  7. Key and Secret Handling (keys.pdf). Generation, storage, rotation, roles.

  8. Static Analysis Report (sast.pdf). Ruleset, findings, waivers.

  9. Fuzz and Fault-Injection Log (fuzz.xlsx). Targets, hours, crashes, fixes.

  10. Third-Party Register (oss.xlsx). License, version, owner, approval.

  11. SBOM set (sbom.cdx.json, sbom.spdx.json). Produced on each build.

  12. Release Gate Record (gate.pdf). 24 checks, sign-off, rollback proof.
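A gate check over the folder described above, as an added example and not the article's own tooling: it verifies that every artifact file exists, that index.md lists each one with an owner, and that both SBOM files parse as JSON and carry their format marker. The index line format (`- <file> | <owner> | <YYYY-MM-DD>`), the owner name and the `demo` helper are assumptions.

```python
import json, re, tempfile
from pathlib import Path

# File names from the 12-artifact list above; index.md is the index itself.
ARTIFACTS = ["scope.pdf", "tara.pdf", "goals.xlsx", "sec-reqs.xlsx", "crypto.xlsx",
             "keys.pdf", "sast.pdf", "fuzz.xlsx", "oss.xlsx", "sbom.cdx.json",
             "sbom.spdx.json", "gate.pdf"]
# Assumed index line format (the article does not fix one): "- <file> | <owner> | <YYYY-MM-DD>"
LINE = re.compile(r"^- (?P<file>\S+) \| (?P<owner>[^|]*) \| (?P<date>\d{4}-\d{2}-\d{2})$")

def check_evidence(folder):
    """Gate check for one evidence folder; returns sorted findings (empty list = pass)."""
    folder, findings = Path(folder), []
    if not (folder / "index.md").is_file():
        return ["index.md: file missing"]
    rows = {}  # {file: owner} from well-formed index lines; malformed lines are ignored
    for line in (folder / "index.md").read_text().splitlines():
        m = LINE.match(line.strip())
        if m:
            rows[m["file"]] = m["owner"].strip()
    for name in ARTIFACTS:
        if not (folder / name).is_file():
            findings.append(f"{name}: file missing")
        if name not in rows:
            findings.append(f"{name}: not listed in index.md")
        elif not rows[name]:
            findings.append(f"{name}: no owner in index.md")
    # SBOM sanity: each file must parse as JSON and carry its format marker.
    for name, key in (("sbom.cdx.json", "bomFormat"), ("sbom.spdx.json", "spdxVersion")):
        if (folder / name).is_file():
            try:
                if key not in json.loads((folder / name).read_text()):
                    findings.append(f"{name}: missing '{key}' field")
            except ValueError:
                findings.append(f"{name}: not valid JSON")
    return sorted(findings)

def demo(clean=True):
    """Check a constructed sample folder; clean=False drops fuzz.xlsx and the keys.pdf owner."""
    with tempfile.TemporaryDirectory() as tmp:
        folder, lines = Path(tmp), []
        for name in ARTIFACTS:
            owner = "" if name == "keys.pdf" and not clean else "sec-team"
            lines.append(f"- {name} | {owner} | 2025-08-01")
            if clean or name != "fuzz.xlsx":
                (folder / name).write_text("placeholder")
        (folder / "sbom.cdx.json").write_text(json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5"}))
        (folder / "sbom.spdx.json").write_text(json.dumps({"spdxVersion": "SPDX-2.3"}))
        (folder / "index.md").write_text("\n".join(lines) + "\n")
        return check_evidence(folder)
```

Run `check_evidence` against the real folder in the release pipeline and fail the gate on any non-empty result.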

Map the evidence to ISO 21434 parts

  Part 4: Cybersecurity management. Owners, plan, reviews, training.

  Part 5: Project-level plan. Activities per milestone and roles.

  Part 6: Continuous risk management. Intake, triage, and fix loops.

  Part 7: Risk assessment. TARA, assets, impact, attack paths.

  Part 8: Concept. Cybersecurity goals linked to safety and functions.

  Part 9: Product development. Requirements, design, and code controls.

  Part 10: Production and operations. Keys, updates, incident flow.

  Part 11: Incident response. Contacts, SLAs, test of the runbook.

  Part 12: Work products. Index that ties the whole set together.

Leon Kalema

Cybersecurity Manager at InMotion AVS with 17+ years of experience. Specializing in automotive cybersecurity and AI security.
