← Home

IEC 62443-2-1 Clause 12 – Event and Incident Management

ISA/IEC 62443-2-1:2024, Clause 12 covers event and incident management as Security Program Element SPE 7 in the asset owner’s IACS Security Program.

SPE 7 is about detecting security-related activity, recording it reliably, analysing it quickly, responding to incidents and closing out vulnerabilities.

Teaching note: The summaries below paraphrase ISA/IEC 62443-2-1:2024 for learning purposes. They are not a verbatim extract of the standard — always refer to the published text for normative wording and assessment.

Reference: ISA/IEC 62443-2-1:2024, Clause 12
Related: Security Program Requirements (2024) | CSMS (2010)

SPE pages: SPE 1 | SPE 2 | SPE 3 | SPE 4 | SPE 5 | SPE 6 | SPE 7 | SPE 8


Requirements in this SPE


EVENT 1 – Event and incident management

Reference: ISA/IEC 62443-2-1, Clause 12.2

EVENT 1.1: Event detection

Clause: 12.2.1

Summary
Detected IACS security events shall be reported, logged, analysed and acted on — either at once or later — in support of security management.

EVENT 1.2: Event reporting

Clause: 12.2.2

Summary
Security-related IACS events shall be reported promptly to the right people.

EVENT 1.3: Event reporting interfaces

Clause: 12.2.3

Summary
Event reporting shall use interfaces commonly accepted in industrial and security practice.

EVENT 1.4: Logging

Clause: 12.2.4

Summary
Security events shall be written to one or more protected audit/event logs and kept for a useful retention period.

EVENT 1.5: Log entries

Clause: 12.2.5

Summary
Log content shall support non-repudiation and time-aligned investigation of events.

EVENT 1.6: Log access

Clause: 12.2.6

Summary
Access to security logs shall use interfaces commonly accepted in industrial and security practice.

EVENT 1.7: Event analysis

Clause: 12.2.7

Summary
Security events shall be analysed quickly enough to recognise attacks, compromises and incidents.

EVENT 1.8: Incident handling and response

Clause: 12.2.8

Summary
A maintained process shall evaluate and respond to IACS security incidents.

EVENT 1.9: Vulnerability handling

Clause: 12.2.9

Summary
Known and newly found IACS vulnerabilities shall be identified, treated and closed out in a timely way.

Key Takeaways