← Home

IEC 62443-3-2 Clause 4.5 – Risk Comparison

ISA/IEC 62443-3-2:2020, Clause 4.5 covers risk comparison as zone and conduit requirement ZCR 4.

ZCR 4 is the decision gate between the initial assessment and deeper work. Compare the initial risk from ZCR 2 with the organisation’s tolerable risk. If initial risk already sits within that tolerance, detailed assessment may not be required; if it exceeds tolerance, ZCR 5 becomes mandatory.

Teaching note: The summaries below paraphrase ISA/IEC 62443-3-2:2020 for learning purposes. They are not a verbatim extract of the standard — always refer to the published text for normative wording and assessment.

Reference: ISA/IEC 62443-3-2:2020, Clause 4.5
Related: Zone, Conduit and Risk Assessment (Clause 4) | ZCR 2 – Initial Risk Assessment | ZCR 5 – Detailed Risk Assessment

ZCR pages: ZCR 1 | ZCR 2 | ZCR 3 | ZCR 4 | ZCR 5 | ZCR 6 | ZCR 7


Requirements in this ZCR


ZCR 4 – Risk comparison

Reference: ISA/IEC 62443-3-2, Clause 4.5

ZCR 4.1: Compare initial risk to tolerable risk

Clause: 4.5.2

Summary
Initial risk from ZCR 2 shall be compared with the organisation’s tolerable risk. Where initial risk exceeds that tolerance, the organisation shall perform the detailed cybersecurity risk assessment defined in ZCR 5.

Tolerable risk is an organisational policy choice, typically expressed through the same risk matrices or criteria used elsewhere in the business. ZCR 4 does not invent a new scale; it forces an explicit yes/no on whether the design effort moves into per-zone detailed analysis.


Key Takeaways