verified_user
Standardful
Homechevron_rightStandardschevron_rightIEC 62443 (ISA/IEC 62443)
ActiveInternational Standardupdate Standard Updated: Ongoing seriesfact_check Fact checked: Jun 28, 2026

IEC 62443 (ISA/IEC 62443)

Industrial automation and control systems — Security

apartmentPublishing Organization:International Electrotechnical Commission (IEC)

Standard Introduction

IEC 62443 (ISA/IEC 62443) is an active standard published by International Electrotechnical Commission (IEC). It is commonly used across Manufacturing, Energy, Technology, Automotive, Electronics and applies in Global.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with IEC 62443 (ISA/IEC 62443).

security

Defense in Depth

Promotes a multi-layered security approach with zones and conduits, ensuring no single point of failure can compromise the entire industrial control system.

groups

Stakeholder-Based Framework

Defines distinct requirements for asset owners, system integrators, and product suppliers — ensuring security responsibilities are clear across the supply chain.

shield

Security Levels

Introduces four security levels (SL 1–4) representing increasing protection against casual, intentional, sophisticated, and state-sponsored threats respectively.

list_alt Series Structure

  • Part 1: General concepts, terminology, and models
  • Part 2: Policies, procedures, and security management system
  • Part 3: System-level security requirements and security levels
  • Part 4: Component and product development requirements
  • Zones and conduits model for network segmentation
  • Four security levels (SL 1–4) for risk-based protection
  • Secure product development lifecycle (IEC 62443-4-1)
  • Covers entire IACS lifecycle from design through decommissioning

Who Needs to Comply?

groups

Organizations operating industrial automation and control systems — including manufacturing, energy and utilities, oil and gas, transportation, building automation, water treatment, and any sector with operational technology (OT) environments.

Key Requirements

1

Security Risk Assessment

Conduct a thorough risk assessment of the IACS environment. Identify threats, vulnerabilities, and consequences. Determine target security levels for each zone based on the risk assessment results.

2

Zones and Conduits

Segment the IACS network into security zones with common security requirements. Define conduits that control communications between zones. Apply appropriate security controls at zone boundaries.

3

Secure Development Lifecycle

Product suppliers must follow a secure development lifecycle (IEC 62443-4-1) including threat modeling, secure coding practices, security testing, and vulnerability management throughout the product lifecycle.

4

Security Management System

Asset owners must implement an IACS security management system covering security policies, organization, staff competence, awareness training, incident response, and business continuity planning.

5

Patch and Change Management

Establish processes for evaluating, testing, and deploying security patches to IACS components. Maintain a formal change management process to prevent unauthorized modifications to the control system.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define industrial automation and control system cybersecurity scope

Identify the products, services, sites, systems, teams, jurisdictions, and stakeholders covered by IEC 62443. Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for IACS security programs, zones and conduits, security levels, risk assessment, secure development, system integration, patching, remote access, monitoring, and incident response.

2
Phase 2schedule Duration: 4-10 weeks

Assess gaps and prioritize risks

Compare current practices with the expected industrial automation and control system cybersecurity approach. Review asset inventory, zone models, threat and risk assessment, access control, network segmentation, hardening, vulnerability handling, backup, recovery, supplier assurance, and security maintenance, then prioritize gaps by legal exposure, safety impact, customer commitments, operational dependency, and audit or market-access readiness.

3
Phase 3schedule Duration: 8-24 weeks

Implement controls and records

Deploy the required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain IACS asset registers, zone diagrams, risk assessments, security requirements, secure development records, patch decisions, access reviews, incident logs, backup tests, and supplier evidence as traceable evidence.

4
Phase 4schedule Duration: Ongoing

Review, audit, and improve

Run internal reviews, management reporting, audits, corrective actions, and change assessments. Refresh the program when products, services, suppliers, technology, regulations, incidents, or stakeholder expectations change.

Compliance Checklist

0 / 12

checklist Scope and governance

checklist Controls and evidence

checklist Monitoring and improvement

Penalties & Enforcement

warning

No direct legal penalties — IEC 62443 is a voluntary standard. However, it is referenced by regulations such as the EU NIS2 Directive and the US NIST Cybersecurity Framework. Non-compliance can result in regulatory findings and increased liability following cyber incidents.

Frequently Asked Questions

Who needs IEC 62443?

expand_more

IEC 62443 is most relevant to asset owners, system integrators, product suppliers, and service providers securing OT and IACS environments. The exact scope depends on products, services, jurisdictions, customer commitments, and whether the organization needs certification, conformity evidence, regulatory readiness, or internal governance.

Is IEC 62443 certifiable?

expand_more

IEC 62443 can support product, process, and site assessments depending on the part used and the certification scheme.

What should the implementation focus on first?

expand_more

Start by defining scope and obligations, then build a current-state gap assessment. The most important early work is to confirm ownership, affected assets or processes, risk criteria, customer or legal drivers, and the evidence the organization must be able to produce.

What evidence is useful for IEC 62443?

expand_more

Useful evidence includes IACS asset registers, zone diagrams, risk assessments, security requirements, secure development records, patch decisions, access reviews, incident logs, backup tests, and supplier evidence. The evidence should be version-controlled, attributable to owners, and linked to risks, obligations, controls, decisions, and corrective actions.

How often should the program be reviewed?

expand_more

Review it at planned intervals and whenever products, services, suppliers, operating environments, incidents, customer commitments, or regulations change. High-risk domains should use more frequent monitoring and management reporting.

Official Documentation

View All

Implementation Timeline

groups
2002
ISA99 committee established to secure critical infrastructure
description
2007
First standards published under ISA-62443 banner
warning
2010
Stuxnet malware accelerates urgency; formal IEC adoption begins
check_circle
2018
Key parts published: IEC 62443-4-1 (secure development) and 62443-4-2 (component requirements)
public
2021
IEC recognizes 62443 as a horizontal standard across all industries
update
2024
IEC 62443-2-1:2024 published — updated IACS security management system requirements

Related Categories