Understanding the governance framework that supports Industrial Automation and Control System (IACS) cybersecurity throughout the system lifecycle.
Technical security controls alone are not enough to secure an Industrial Automation and Control System (IACS). A successful cybersecurity program also depends on clear governance that defines responsibilities, standardises processes, and promotes consistent security practices.
Within IEC 62443, Policies, Procedures, and Guidelines form the governance framework that supports the implementation of cybersecurity models, security controls, and organisational processes.
Together they ensure personnel understand:
A well-developed governance framework helps organisations:
Refer to: ISA/IEC 62443-1-1, Subclause 5.7
Governance documents establish the organisational framework required to implement and maintain cybersecurity throughout an Industrial Automation and Control System.
While technical controls protect systems from cyber threats, governance documents ensure that security activities are performed consistently, responsibilities are clearly defined, and cybersecurity objectives are understood across the organisation.
An effective governance framework enables organisations to:
Refer to: ISA/IEC 62443-1-1, Subclause 5.7
A Policy establishes the organisation's overall cybersecurity direction, expectations and mandatory requirements.
Policies define the rules, objectives and principles used to protect critical industrial systems and information assets. They communicate management's commitment to cybersecurity and provide the foundation upon which procedures, standards and security controls are developed.
Policies are mandatory and commonly serve as the benchmark for internal and external security audits.
A Procedure defines the detailed steps required to implement a policy.
Procedures translate high-level policy requirements into repeatable work instructions, ensuring security activities are performed consistently regardless of who performs them.
Policies typically reference one or more procedures and require them to be followed.
A Guideline provides recommended best practices that support cybersecurity objectives.
Unlike policies and procedures, guidelines are advisory rather than mandatory. They allow flexibility while encouraging recognised industry practices that improve security and operational performance.
Guidelines cannot normally be audited for compliance because they describe recommended approaches rather than enforceable requirements.
The three governance documents work together to create a complete cybersecurity management framework.
| Document | Purpose | Mandatory |
|---|---|---|
| Policy | Defines organisational direction and mandatory requirements (what must be achieved). | ✔ Yes |
| Procedure | Defines the detailed steps required to implement policies (how work is performed). | ✔ Yes |
| Guideline | Provides recommended methods and best practices. | ✖ No |
Together they provide the governance framework that supports the technical, administrative and operational requirements of IEC 62443.
Refer to: ISA/IEC 62443-1-1, Subclause 5.7