← Home
IEC 62443-2-1 Clause 6 – Organizational Security Measures
ISA/IEC 62443-2-1:2024, Clause 6 covers
organizational security measures as Security Program Element SPE 1
in the asset owner’s IACS Security Program.
SPE 1 makes sure the organisation can govern IACS cybersecurity: clear policies,
assigned roles, trained people, supply-chain expectations, ongoing review and physical
access control.
Teaching note: The summaries below paraphrase ISA/IEC 62443-2-1:2024 for
learning purposes. They are not a verbatim extract of the standard — always refer to the
published text for normative wording and assessment.
Reference: ISA/IEC 62443-2-1:2024, Clause 6
Related:
Security Program Requirements (2024)
|
CSMS (2010)
SPE pages: SPE 1 | SPE 2 | SPE 3 | SPE 4 | SPE 5 | SPE 6 | SPE 7 | SPE 8
ORG 1 – Security related organization and policies
Reference: ISA/IEC 62443-2-1, Clause 6.2
ORG 1.1: Information security management system (ISMS)
Clause: 6.2.1
Summary
Where an ISMS already exists, the IACS Security Program must be aligned with it.
Where it does not, the Security Program itself must include the management processes
needed to run cybersecurity properly for the IACS.
ORG 1.2: Background checks
Clause: 6.2.2
Summary
Policies and procedures shall require background screening before anyone — staff,
contractors, consultants, suppliers or service providers — is given IACS access.
Where law allows, that screening should include identity confirmation and criminal
record checks.
ORG 1.3: Security roles and responsibilities
Clause: 6.2.3
Summary
The asset owner shall define and assign IACS security roles to suitably competent people,
covering employees and third parties who support the system.
ORG 1.4: Security awareness training
Clause: 6.2.4
Summary
Anyone who interacts with the IACS shall complete formal cybersecurity awareness training,
kept current through regular updates. This applies to employees and external parties alike.
ORG 1.5: Security responsibilities training
Clause: 6.2.5
Summary
Beyond general awareness, people shall receive role-specific cybersecurity training for their
IACS duties. The asset owner either delivers that training or formally accepts equivalent
training provided by others.
ORG 1.6: Supply chain security
Clause: 6.2.6
Summary
Policies shall set cybersecurity expectations for product and service suppliers that could
affect the IACS. Where practical, those expectations should also flow down through the
supplier’s own subcontractors.
ORG 2 – Security assessments and reviews
Reference: ISA/IEC 62443-2-1, Clause 6.3
ORG 2.1: Security risk mitigation
Clause: 6.3.1
Summary
The asset owner shall identify, record and treat IACS cybersecurity risk, including setting
what risk is acceptable and acting on anything above that threshold.
ORG 2.2: Processes for discovery of security anomalies
Clause: 6.3.2
Summary
Periodic checks — manual or automated — shall find and deal with unexpected IACS
conditions such as unknown equipment or software, undocumented network traffic,
untracked vulnerabilities, and other security gaps or non-conformances.
ORG 2.3: Secure development and support
Clause: 6.3.3
Summary
Policies shall address use of a secure development lifecycle for systems and components
that are built or supported for the IACS.
ORG 2.4: SP reviews
Clause: 6.3.4
Summary
The asset owner shall periodically review the SP defined in policies and procedures. The
policies and procedures are to verify the SP is properly applied, to validate the security
measures meet the security requirements, and address any changes to the organisation and
the IACS against threats, as well as make improvements where appropriate.
ORG 3 – Security of physical access
Reference: ISA/IEC 62443-2-1, Clause 6.4
ORG 3.1: Physical access control
Clause: 6.4.1
Summary
Physical access to IACS areas, equipment and cabling shall be controlled through policy
so that residual risk stays within agreed targets.
Key Takeaways
- SPE 1 prepares the organisation — governance, people, suppliers, reviews and physical access.
- Eleven ORG requirements (ORG 1–3) sit under Clause 6.
- Maturity levels describe how consistently the underlying processes are performed.
- See Security Program Requirements (2024) for SMS/SP context.