← Home

IEC 62443-2-1 Clause 7 – Configuration Management

ISA/IEC 62443-2-1:2024, Clause 7 covers configuration management as Security Program Element SPE 2 in the asset owner’s IACS Security Program.

SPE 2 is about knowing what is installed, how it is connected and configured, and ensuring changes are authorised — so the live system matches the approved design across its lifecycle.

Teaching note: The summaries below paraphrase ISA/IEC 62443-2-1:2024 for learning purposes. They are not a verbatim extract of the standard — always refer to the published text for normative wording and assessment.

Reference: ISA/IEC 62443-2-1:2024, Clause 7
Related: Security Program Requirements (2024) | CSMS (2010)

SPE pages: SPE 1 | SPE 2 | SPE 3 | SPE 4 | SPE 5 | SPE 6 | SPE 7 | SPE 8


Requirements in this SPE


CM 1 – Inventory management of IACS hardware/software components and network

Reference: ISA/IEC 62443-2-1, Clause 7.2

CM 1.1: Asset inventory baseline

Clause: 7.2.1

Summary
Policies shall keep a verified inventory of IACS devices, hardware, software, protocols and open ports for the whole life of the system. Typical record fields include ownership, manufacturer, model, versions, serial numbers, network details, addresses, patch level and change history.

CM 1.2: Infrastructure drawings/documentation

Clause: 7.2.2

Summary
Up-to-date drawings and related documents shall show physical and logical connectivity of IACS devices and software, and that baseline shall be checked and maintained.

CM 1.3: Configuration settings

Clause: 7.2.3

Summary
Approved configuration settings for IACS devices and applications shall be documented, and plant systems shall be checked to confirm they match those settings in operation.

CM 1.4: Change control

Clause: 7.2.4

Summary
Changes to the inventory baseline, drawings and configuration — including software revisions and patches — shall be authorised, validated and approved under controlled change processes.

Key Takeaways