Engineers and organisations work within a layered landscape of technical standards, governance frameworks, regulations, and published guidance. Understanding how these documents differ — and how they relate to one another — is essential for designing, delivering, and operating automation systems responsibly.
Standards are officially recognised documents developed by authoritative organisations to ensure consistency, interoperability, quality, safety, and security across products, services, and processes.
Unlike regulations, standards are generally voluntary and are developed through a consensus-based process involving industry, government, and technical experts.
Although standards are voluntary, failure to follow recognised standards may still result in civil or criminal liability where negligence can be demonstrated. Courts may apply the "reasonable person" test to determine whether accepted industry practice was followed.
Contain requirements that must be satisfied. Common terminology includes:
| Term | Meaning |
|---|---|
| Shall / Must | Mandatory requirement |
| Should | Recommended practice |
| May / May Not | Permitted / Prohibited |
| Can | Capability or possibility |
Provide guidance, examples, explanations, and background information. Informative sections never contain mandatory requirements.
| Standard | Purpose |
|---|---|
| ISO/IEC 27001 | Requirements for establishing and maintaining an Information Security Management System (ISMS) |
| ISO/IEC 27002 | Best practice security controls supporting ISO 27001 |
| ISO/IEC 27019 | Security guidance for Industrial Control Systems (ICS) in energy utilities |
| ISO/IEC 15408 (Common Criteria) | Security evaluation framework for IT products using a Target of Evaluation (TOE) |
| ISO/IEC 21827 (SSE-CMM) | Capability Maturity Model for Systems Security Engineering |
| ISA/IEC 62443 | Cybersecurity standard series for Industrial Automation and Control Systems (IACS) |
Standards Development Organisations (SDOs) create standards using consensus among experts from industry, academia, and government. They develop technical specifications, best practices, testing methods, security requirements, and risk management guidance.
Standards may be national, regional, or international. Examples of SDOs include ISO, IEC, ISA, and IEEE.
Each country typically has a National Standardization Body (NSB) that coordinates standards within its jurisdiction. Responsibilities include developing national standards, adopting international standards, representing national interests within ISO and IEC, and participating in international standards development.
| Country | NSB |
|---|---|
| United States | ANSI |
| Australia | Standards Australia (SA) |
| United Kingdom | BSI |
| Germany | DIN |
| France | AFNOR |
| Canada | SCC |
| Japan | JISC |
| China | SAC |
European national bodies also participate through CEN, CENELEC, and ETSI.
Regulations are legally enforceable rules established by governments or authorised authorities. Unlike standards, compliance with regulations is mandatory. Failure to comply may result in legal penalties, fines, enforcement actions, or criminal prosecution.
Regulatory requirements vary by country, industry sector, and critical infrastructure designation. Examples relevant to automation and industrial environments include:
| Regulation / Guidance | Purpose |
|---|---|
| EU NIS2 Directive | Cybersecurity obligations across critical sectors in Europe |
| NERC CIP | Mandatory cybersecurity requirements for North American bulk electric systems |
| Sector-specific national regulations | Industry-specific cybersecurity and safety obligations |
Regulatory requirements differ by jurisdiction, but generally aim to reduce risk, improve resilience, and protect people, assets, and essential services.
A framework provides a structured approach for managing cybersecurity or engineering governance. Rather than prescribing exact controls, frameworks provide principles, processes, governance structures, assessment methods, and improvement models.
They help organisations organise and manage activities consistently, assess their current posture, define a target state, identify and prioritise risks, plan improvements, measure progress, and communicate strategy with stakeholders. Frameworks support continuous improvement rather than one-time compliance.
Special Publications (SPs) are authoritative guidance documents rather than formal standards. The best-known publisher is the U.S. National Institute of Standards and Technology (NIST). Although SPs are generally not legally mandatory, they are highly influential and widely adopted across industry.
As a result, many organisations treat them as de facto standards.
| Publication | Purpose |
|---|---|
| SP 800-53 | Security and privacy controls for federal information systems |
| SP 800-82 | Guide to securing Industrial Control Systems (ICS) |
| SP 800-171 | Protection of Controlled Unclassified Information (CUI) for U.S. DoD contractors |
NIST develops the Cybersecurity Framework (CSF), the SP 800 Series, risk management guidance, and technical security recommendations. These publications are widely used by government agencies, critical infrastructure operators, and private industry worldwide.
A Publicly Available Specification (PAS) is a fast-tracked standardization document developed to address rapidly evolving technologies. Unlike a full International Standard, a PAS:
PAS documents allow standards bodies to respond quickly to emerging technologies such as industrial cybersecurity, smart grids, Internet of Things (IoT), and artificial intelligence.
| Aspect | Standards | Frameworks | Regulations | Special Publications |
|---|---|---|---|---|
| Purpose | Define requirements and best practices | Provide structured approach | Legally enforce requirements | Provide detailed guidance |
| Mandatory | Usually voluntary | Voluntary | Mandatory | Voluntary |
| Enforcement | Consensus and industry adoption | Self-implemented | Government enforcement | Referenced through contracts or regulation |
| Focus | Technical requirements | Governance and risk management | Legal compliance | Implementation guidance |
| Examples | ISO/IEC 27001, ISA/IEC 62443 | NIST CSF, ISO 27001 ISMS | NIS2, NERC CIP | NIST SP 800-53, SP 800-82 |
Together, these documents form the foundation of modern engineering governance, risk management, and cybersecurity practice across industrial and automation environments.