ISA/IEC 62443-2-1:2024 Clause 5 explains what it means for an asset owner (and related roles) to claim conformance with Security Program requirements, how assessment measures that claim, what evidence typically looks like, and how risk evaluation and profiles shape which requirements are assessed.
Reference: ISA/IEC 62443-2-1:2024, Clause 5.1–5.3, Table 2
Related:
Security Program Requirements (2024)
|
Maturity Levels (Clause 4.2)
|
CSMS (2010)
Reference: ISA/IEC 62443-2-1, Clause 5.1
Formal vocabulary for conformance, conformity and assessment comes from sources such as ISO/IEC 17000. The ISA/IEC 62443 series adds role-specific guidance so asset owners, service providers and product suppliers understand how assessment works in this series. That guidance does not replace ISO/IEC 17000 definitions.
Conformity assessments may be self-assessments by the asset owner, service provider or product supplier, or assessments by a qualified independent third party. How third parties are credentialled varies widely and is out of scope for Part 2-1. The detailed design of assessment processes themselves is also out of scope.
Asset owners may combine several complementary pictures:
Using security-certified products, correctly installed and maintained by capable service providers, strengthens that picture — it does not replace the asset-owner SP. Product suppliers may pursue assessment against 3-3 / 4-1 / 4-2; service providers against 2-4.
Reference: ISA/IEC 62443-2-1, Clause 5.2 and Table 2
Proof can take many forms. Most requirements point assessors toward methods such as verifying technology use, capability and configuration; checking supporting processes; and validating capabilities through testing.
Typical evidence families (teaching paraphrase of Table 2 themes) include:
| Evidence family | Examples used in teaching / assessment |
|---|---|
| As-built & config records | Inventories, settings exports, patch status, similar live-system facts. |
| Agreements & legal papers | Contracts, subcontractor terms, signed statements, screening records, approvals. |
| People & roles | Org charts, job descriptions, assignment history for IACS-related duties. |
| Product information | Design notes, datasheets, knowledge articles, scan-tool docs. |
| UI captures | Screenshots showing configured behaviour. |
| Security assessment outputs | Risk, incident and vulnerability reports. |
| Security test packs | Test plans/results proving security properties of a product or installed system. |
| Service ways of working | How staff install, harden and maintain the Automation Solution. |
| Activity records | Checklists, threat models, architecture drawings, spreadsheets of review results. |
| System-generated reports | Automatic reports produced by the IACS. |
| Training design | Syllabi and course outlines showing what was taught. |
| Training attendance | Rosters, certificates or HR records of who completed which course and when. |
| User-facing docs | Manuals and instructions for operating and maintaining the IACS. |
| Independent test results | Tests by suitably trained people on a known configuration that verify specific expectations. |
Remember: from ML 2 upward, process documentation is already part of the maturity claim (see Maturity Levels). Assessment still expects you to state whether each requirement is met and at which ML.
Reference: ISA/IEC 62443-2-1, Clause 5.3
Before a conformance assessment, the asset owner evaluates each applicable requirement for how it guides mitigation of the risk that requirement addresses. If a requirement is judged not to apply, the owner must justify that decision and provide evidence showing specifically why it does not apply and how the related security risk is otherwise mitigated (or already managed to a tolerable level).
Which cybersecurity risks need mitigating is normally decided in the asset owner’s risk management process aligned with ISA/IEC 62443-3-2 (including risk-response ideas from 62443-1-1 / 3-2). Completing that risk work remains critical to IACS security even when no formal conformance assessment is run.
Industries and verticals may need a common subset and wording of 62443 requirements. IEC TS 62443-1-5 describes how to create a security profile: select requirements from one or more series parts, map them to sector context, and optionally set minimum security or maturity levels. Published profiles give a comparable basis for assessment.
In practice, owners prepare for conformity assessment by selecting requirements via:
A requirement may be out of scope simply because the live system has no such technology (for example no wireless or no safety instrumented system addressed by that requirement). Risk management stays essential whether or not assessment proceeds.