
Remediation Guide
AIS 189
Security Gap Diagnosis and Remediation Checklist
Why Most AIS 189 Programs Fail Before the Auditor Arrives
India's AIS 189 standard is no longer a distant regulatory obligation on the horizon. For OEMs, Tier-1 suppliers, and connected vehicle program owners, it is an active type approval dependency - one that determines whether your vehicles reach the market at all.
Yet across the automotive ecosystem, the same pattern repeats: compliance teams treat AIS 189 as a documentation exercise, security controls are bolted on at the end of the development cycle, and audit evidence is assembled under deadline pressure rather than built into the program from day one. The result is delayed type approvals, last-minute remediation costs that dwarf what early investment would have required, and - most critically - vehicles entering the field with unresolved security gaps. This guide exists to change that.
Why this Remediation Guide matters
AIS 189, aligned with ISO/SAE 21434 and UNECE R155, mandates a full-lifecycle Cybersecurity Management System (CSMS) - not a one-time security review. The standard requires documented governance, systematic Threat Analysis and Risk Assessment (TARA), verifiable secure development practices, production-phase security controls, a functioning Vehicle Security Operations Centre (VSOC) for post-production monitoring, and a structured decommissioning process. Every phase is auditable. Every gap is a potential non-conformance.
What makes AIS 189 particularly demanding for Indian automotive programs is its normative Annexure D threat catalogue - a structured reference that ARAI and ICAT auditors use directly to evaluate the completeness of your TARA. If your threat analysis does not address every category in Annexure D, that gap is automatically flagged. There is no room for assumption or informal coverage.
The Shieldworkz AIS 189 Security Gap Diagnosis and Remediation Checklist was built by practitioners who have worked through these programs from governance setup to audit evidence submission. It is not a compliance template. It is a field guide that operationalizes every material AIS 189 requirement - cross-referenced to ISO/SAE 21434 clauses, UNECE R155 obligations, and Annexure D - structured around the five mandatory phases of the vehicle cybersecurity lifecycle.
Why It Is Important to Download This Remediation Guide
The automotive industry's cybersecurity challenge is not a lack of standards - it is the execution gap between what standards require and what organizations actually have in place when an auditor walks through the door. Decision-makers overseeing AIS 189 programs need more than a clause list. They need to know precisely where their program stands, what evidence ARAI and ICAT will request, and which gaps carry the highest risk of disrupting type approval.
This checklist gives you exactly that - a structured diagnostic you can run internally, use in supplier conversations, and align your security investment against. It closes the gap between regulatory intent and operational reality.
Key Takeaways from the AIS 189 Remediation Guide
CSMS Governance is the foundation, not a formality. The guide covers 14 governance controls - from CSMS policy endorsement and Cybersecurity Officer authority to supplier clause management and ARAI/ICAT annual reporting obligations - each mapped to the evidence an auditor expects to see.
TARA must be living, traceable, and Annexure D-complete. The checklist includes 14 TARA control items with explicit traceability from damage scenarios through threat scenarios, risk values, security goals, implemented controls, and verification test cases. It also provides a full Annexure D coverage verification matrix - the exact cross-reference auditors use.
Secure engineering at the development phase is where compliance is won or lost. Fifteen development-phase controls cover SecOC implementation, Hardware Security Module (HSM) integration, secure boot with anti-rollback enforcement, firmware signing, memory protection mechanisms, SAST/DAST requirements, fuzz testing, penetration testing scope, and SBOM management - all with defined evidence requirements.
Production-phase security is the most systematically underinvested area in AIS 189 programs. Seven production controls address secure ECU key provisioning, end-of-line security testing, supply chain tampering detection, and production signing key infrastructure - areas that are routinely de-prioritized until an audit uncovers the gap.
Post-production obligations are non-negotiable. VSOC capability, OTA update security aligned with AIS 190, vulnerability disclosure programs, fleet-level anomaly detection, and incident response with regulatory notification timelines are normative AIS 189 requirements - not optional enhancements. The guide provides twelve post-production control items with evidence expectations for each.
Residual risk must be managed, not just accepted. The guide identifies eight common residual risk categories observed in real-world AIS 189 programs - including zero-day exposure, legacy ECU platform constraints, supply chain compromise, and state-sponsored threat actors - with compensating controls and defined acceptance thresholds by organizational authority level.
KPIs give your CSMS operational teeth. Twenty-five KPIs across governance, TARA and risk management, secure development, VSOC operations, and residual risk management are included - with targets, measurement frequency, and ownership assignments. Regulatory auditors increasingly expect trend data, not just policy documents.
The audit evidence master list eliminates submission surprises. A complete ARAI/ICAT audit evidence map - covering 21 evidence artefact categories from CSMS policy packs and penetration test reports to decommissioning procedures and annual monitoring reports - tells you exactly what to prepare before the auditor arrives.
How Shieldworkz Supports Your AIS 189 Journey
Shieldworkz brings deep operational experience to automotive cybersecurity compliance programs. We work alongside OEMs, Tier-1 suppliers, and program security leads to close the gap between where your program is today and where AIS 189 requires it to be.
AIS 189 Gap Assessment: A structured evaluation of your current CSMS against every material requirement of the standard, with a prioritized remediation roadmap and audit readiness score.
TARA Development and Review: End-to-end support for building or strengthening your Threat Analysis and Risk Assessment - including Annexure D coverage validation and traceability matrix development.
Secure Engineering Advisory: Hands-on support for HSM integration, SecOC configuration, PKI architecture, SBOM implementation, and secure development lifecycle alignment.
VSOC Design and Implementation: Architecture, detection rule development, and operational setup for Vehicle Security Operations Centre capabilities - including MITRE ATT&CK for ICS-aligned detection logic.
ARAI/ICAT Audit Preparation: Evidence package organization, pre-audit walkthroughs, and representation support to ensure your team walks into the conformity assessment prepared.
Ongoing Compliance Monitoring: Post-certification support including annual monitoring report preparation, CVE-to-SBOM correlation, OTA patch deployment tracking, and TARA update management.
Take the Next Step Toward AIS 189 Compliance
The gap between where most automotive programs stand today and what AIS 189 demands at type approval is real - and the time available to close it shrinks with every development milestone. The organizations that close that gap systematically, early, and with the right evidence discipline are the ones that reach the market on schedule.
Download the AIS 189 Security Gap Diagnosis and Remediation Checklist to run your first structured compliance diagnostic. Then book a free consultation with the Shieldworkz automotive cybersecurity team to discuss your program's specific gaps, audit readiness, and the fastest path to CSMS certification.
Download your copy today!
Get our free AIS 189 Security Gap Diagnosis and Remediation Checklist and make sure you're covering every critical control across the vehicle cybersecurity lifecycle, from CSMS governance through decommissioning.
