ISA/IEC 62443-2-1:2024 specifies the requirements for establishing, implementing, maintaining, and continually improving an Industrial Automation and Control System (IACS) Security Program (SP).
ISA/IEC 62443-2-1:2024 provides a risk-based management framework that enables organizations to protect industrial control systems against evolving cybersecurity threats while supporting safe and reliable operations.
The standard applies primarily to Asset Owners and is designed to integrate with broader organizational Information Security Management Systems (ISMS), such as ISO/IEC 27001.
Although ISA/IEC 62443-2-1 and ISO/IEC 27001 both adopt a risk-based approach to cybersecurity, they focus on different environments.
| ISA/IEC 62443-2-1 | ISO/IEC 27001 |
|---|---|
| Industrial Automation and Control Systems (OT) | Enterprise Information Technology (IT) |
| Industrial operations and process control | Information Security Management System (ISMS) |
| Safety, availability and operational resilience | Confidentiality, integrity and availability of information |
| Industrial-specific cybersecurity requirements | Organization-wide information security management |
ISA/IEC 62443-2-1 complements ISO/IEC 27001 by extending information security principles into industrial control environments.
The 2024 edition replaces the original 2010 publication and introduces several significant improvements:
The standard distinguishes between two related concepts:
A management framework that establishes:
Typically aligned with ISO/IEC 27001.
The operational cybersecurity program for protecting industrial systems, including:
The Security Program is normally implemented within the organization's broader Security Management System.
The Security Program is organised into eight Security Program Elements, each addressing a major area of industrial cybersecurity.
| SPE | Focus Area |
|---|---|
| SPE 1 | Organization Security Measures |
| SPE 2 | Configuration Management |
| SPE 3 | Network and Communication Security |
| SPE 4 | Component Security |
| SPE 5 | Protection of Data |
| SPE 6 | User Access Control |
| SPE 7 | Event and Incident Management |
| SPE 8 | System Integrity and Availability |
Together, these elements implement a defense-in-depth cybersecurity strategy across the entire IACS lifecycle.
Establishes the organizational foundation for cybersecurity.
Key topics include:
Maintains accurate documentation and controlled system configurations.
Key topics include:
Protects industrial communications and network infrastructure.
Key topics include:
Protects hardware, software and embedded devices from cyber threats.
Key topics include:
Protects operational information against unauthorized disclosure and modification.
Key topics include:
Ensures only authorized users, devices and software processes can access IACS resources.
Key topics include:
Provides the capability to detect, record, investigate and respond to cybersecurity events.
Key topics include:
Maintains reliable operation of the IACS and supports system recovery following failures or cyber incidents.
Key topics include:
ISA/IEC 62443-2-1 introduces a maturity model that enables organizations to measure how effectively their Security Program has been implemented.
Rather than simply determining whether a requirement exists, the maturity model evaluates the consistency, effectiveness and sustainability of cybersecurity practices.
Typical maturity progression includes:
| Level | Description |
|---|---|
| Level 0 | Not Performed |
| Level 1 | Initial / Ad Hoc |
| Level 2 | Managed |
| Level 3 | Defined |
| Level 4 | Quantitatively Managed |
| Level 5 | Optimizing / Continual Improvement |
Higher maturity levels demonstrate increasingly consistent implementation, measurement and continuous improvement.
Conformance assessments determine whether an organization's Security Program satisfies the requirements of ISA/IEC 62443-2-1.
Assessments typically review:
Objective evidence is used to demonstrate that requirements have been implemented and are operating effectively.
Typical evidence includes:
Assessment results identify areas requiring improvement and support continual enhancement of the Security Program.
Primary Standard
Related Standards