← Home

IEC 62443-2-1 Clause 6 – Organizational Security Measures

ISA/IEC 62443-2-1:2024, Clause 6 covers organizational security measures as Security Program Element SPE 1 in the asset owner’s IACS Security Program.

SPE 1 makes sure the organisation can govern IACS cybersecurity: clear policies, assigned roles, trained people, supply-chain expectations, ongoing review and physical access control.

Teaching note: The summaries below paraphrase ISA/IEC 62443-2-1:2024 for learning purposes. They are not a verbatim extract of the standard — always refer to the published text for normative wording and assessment.

Reference: ISA/IEC 62443-2-1:2024, Clause 6
Related: Security Program Requirements (2024) | CSMS (2010)

SPE pages: SPE 1 | SPE 2 | SPE 3 | SPE 4 | SPE 5 | SPE 6 | SPE 7 | SPE 8


Requirements in this SPE


ORG 1 – Security related organization and policies

Reference: ISA/IEC 62443-2-1, Clause 6.2

ORG 1.1: Information security management system (ISMS)

Clause: 6.2.1

Summary
Where an ISMS already exists, the IACS Security Program must be aligned with it. Where it does not, the Security Program itself must include the management processes needed to run cybersecurity properly for the IACS.

ORG 1.2: Background checks

Clause: 6.2.2

Summary
Policies and procedures shall require background screening before anyone — staff, contractors, consultants, suppliers or service providers — is given IACS access. Where law allows, that screening should include identity confirmation and criminal record checks.

ORG 1.3: Security roles and responsibilities

Clause: 6.2.3

Summary
The asset owner shall define and assign IACS security roles to suitably competent people, covering employees and third parties who support the system.

ORG 1.4: Security awareness training

Clause: 6.2.4

Summary
Anyone who interacts with the IACS shall complete formal cybersecurity awareness training, kept current through regular updates. This applies to employees and external parties alike.

ORG 1.5: Security responsibilities training

Clause: 6.2.5

Summary
Beyond general awareness, people shall receive role-specific cybersecurity training for their IACS duties. The asset owner either delivers that training or formally accepts equivalent training provided by others.

ORG 1.6: Supply chain security

Clause: 6.2.6

Summary
Policies shall set cybersecurity expectations for product and service suppliers that could affect the IACS. Where practical, those expectations should also flow down through the supplier’s own subcontractors.

ORG 2 – Security assessments and reviews

Reference: ISA/IEC 62443-2-1, Clause 6.3

ORG 2.1: Security risk mitigation

Clause: 6.3.1

Summary
The asset owner shall identify, record and treat IACS cybersecurity risk, including setting what risk is acceptable and acting on anything above that threshold.

ORG 2.2: Processes for discovery of security anomalies

Clause: 6.3.2

Summary
Periodic checks — manual or automated — shall find and deal with unexpected IACS conditions such as unknown equipment or software, undocumented network traffic, untracked vulnerabilities, and other security gaps or non-conformances.

ORG 2.3: Secure development and support

Clause: 6.3.3

Summary
Policies shall address use of a secure development lifecycle for systems and components that are built or supported for the IACS.

ORG 2.4: SP reviews

Clause: 6.3.4

Summary
The asset owner shall periodically review the SP defined in policies and procedures. The policies and procedures are to verify the SP is properly applied, to validate the security measures meet the security requirements, and address any changes to the organisation and the IACS against threats, as well as make improvements where appropriate.

ORG 3 – Security of physical access

Reference: ISA/IEC 62443-2-1, Clause 6.4

ORG 3.1: Physical access control

Clause: 6.4.1

Summary
Physical access to IACS areas, equipment and cabling shall be controlled through policy so that residual risk stays within agreed targets.

Key Takeaways