← Home

Standards, Frameworks, Regulations & Guidance

Engineers and organisations work within a layered landscape of technical standards, governance frameworks, regulations, and published guidance. Understanding how these documents differ — and how they relate to one another — is essential for designing, delivering, and operating automation systems responsibly.

Standards, frameworks, regulations and guidance overview
Figure – How standards, frameworks, regulations, and guidance fit together in engineering governance.

Standards

Standards are officially recognised documents developed by authoritative organisations to ensure consistency, interoperability, quality, safety, and security across products, services, and processes.

Unlike regulations, standards are generally voluntary and are developed through a consensus-based process involving industry, government, and technical experts.

Key Characteristics

Conformance vs Compliance

Although standards are voluntary, failure to follow recognised standards may still result in civil or criminal liability where negligence can be demonstrated. Courts may apply the "reasonable person" test to determine whether accepted industry practice was followed.

Standard Structure

Normative Elements (Mandatory)

Contain requirements that must be satisfied. Common terminology includes:

Term Meaning
Shall / Must Mandatory requirement
Should Recommended practice
May / May Not Permitted / Prohibited
Can Capability or possibility

Informative Elements (Optional)

Provide guidance, examples, explanations, and background information. Informative sections never contain mandatory requirements.

Examples of Cybersecurity Standards

Standard Purpose
ISO/IEC 27001 Requirements for establishing and maintaining an Information Security Management System (ISMS)
ISO/IEC 27002 Best practice security controls supporting ISO 27001
ISO/IEC 27019 Security guidance for Industrial Control Systems (ICS) in energy utilities
ISO/IEC 15408 (Common Criteria) Security evaluation framework for IT products using a Target of Evaluation (TOE)
ISO/IEC 21827 (SSE-CMM) Capability Maturity Model for Systems Security Engineering
ISA/IEC 62443 Cybersecurity standard series for Industrial Automation and Control Systems (IACS)

Standards Development Organisations (SDOs)

Standards Development Organisations (SDOs) create standards using consensus among experts from industry, academia, and government. They develop technical specifications, best practices, testing methods, security requirements, and risk management guidance.

Standards may be national, regional, or international. Examples of SDOs include ISO, IEC, ISA, and IEEE.

National Standardization Bodies (NSBs)

Each country typically has a National Standardization Body (NSB) that coordinates standards within its jurisdiction. Responsibilities include developing national standards, adopting international standards, representing national interests within ISO and IEC, and participating in international standards development.

Country NSB
United States ANSI
Australia Standards Australia (SA)
United Kingdom BSI
Germany DIN
France AFNOR
Canada SCC
Japan JISC
China SAC

European national bodies also participate through CEN, CENELEC, and ETSI.


Regulations

Regulations are legally enforceable rules established by governments or authorised authorities. Unlike standards, compliance with regulations is mandatory. Failure to comply may result in legal penalties, fines, enforcement actions, or criminal prosecution.

Examples

Regulatory requirements vary by country, industry sector, and critical infrastructure designation. Examples relevant to automation and industrial environments include:

Regulation / Guidance Purpose
EU NIS2 Directive Cybersecurity obligations across critical sectors in Europe
NERC CIP Mandatory cybersecurity requirements for North American bulk electric systems
Sector-specific national regulations Industry-specific cybersecurity and safety obligations

Regulatory requirements differ by jurisdiction, but generally aim to reduce risk, improve resilience, and protect people, assets, and essential services.


Frameworks

A framework provides a structured approach for managing cybersecurity or engineering governance. Rather than prescribing exact controls, frameworks provide principles, processes, governance structures, assessment methods, and improvement models.

They help organisations organise and manage activities consistently, assess their current posture, define a target state, identify and prioritise risks, plan improvements, measure progress, and communicate strategy with stakeholders. Frameworks support continuous improvement rather than one-time compliance.

Examples


Special Publications (SPs)

Special Publications (SPs) are authoritative guidance documents rather than formal standards. The best-known publisher is the U.S. National Institute of Standards and Technology (NIST). Although SPs are generally not legally mandatory, they are highly influential and widely adopted across industry.

Why SPs Matter

As a result, many organisations treat them as de facto standards.

Important NIST Special Publications

Publication Purpose
SP 800-53 Security and privacy controls for federal information systems
SP 800-82 Guide to securing Industrial Control Systems (ICS)
SP 800-171 Protection of Controlled Unclassified Information (CUI) for U.S. DoD contractors

NIST's Role

NIST develops the Cybersecurity Framework (CSF), the SP 800 Series, risk management guidance, and technical security recommendations. These publications are widely used by government agencies, critical infrastructure operators, and private industry worldwide.


Publicly Available Specifications (PAS)

A Publicly Available Specification (PAS) is a fast-tracked standardization document developed to address rapidly evolving technologies. Unlike a full International Standard, a PAS:

PAS Characteristics

PAS documents allow standards bodies to respond quickly to emerging technologies such as industrial cybersecurity, smart grids, Internet of Things (IoT), and artificial intelligence.


Summary Comparison

Aspect Standards Frameworks Regulations Special Publications
Purpose Define requirements and best practices Provide structured approach Legally enforce requirements Provide detailed guidance
Mandatory Usually voluntary Voluntary Mandatory Voluntary
Enforcement Consensus and industry adoption Self-implemented Government enforcement Referenced through contracts or regulation
Focus Technical requirements Governance and risk management Legal compliance Implementation guidance
Examples ISO/IEC 27001, ISA/IEC 62443 NIST CSF, ISO 27001 ISMS NIS2, NERC CIP NIST SP 800-53, SP 800-82

Key Takeaways

Together, these documents form the foundation of modern engineering governance, risk management, and cybersecurity practice across industrial and automation environments.