← Home

IEC 62443-4-1 Clause 10 – Management of Security-Related Issues

ISA/IEC 62443-4-1:2018, Clause 10 defines Practice 6 – Management of security-related issues (DM) in the Product Supplier’s secure product development lifecycle.

After release, suppliers need a repeatable pathway to receive, triage, assess, fix and disclose security-related issues for products configured to use their defence-in-depth strategy within the documented product security context.

Teaching note: Summaries paraphrase ISA/IEC 62443-4-1:2018 for learning. They are not verbatim extracts — always use the published standard for normative wording and assessment.

Reference: ISA/IEC 62443-4-1:2018, Clause 10
Related: Product Security Lifecycle overview | Practice 7 – Security update management | IEC 62443-2-3 Patch Management

Practice pages: SM | SR | SD | SI | SVV | DM | SUM | SG


Requirements in this practice


DM requirement summaries

DM-1: Receiving notifications of security-related issues

Clause: 10.2

Summary
Provide a clear channel to receive and track security issues to closure from internal and external sources — including SVV testers, third-party component suppliers, developers/testers and product users (integrators, asset owners and maintainers). Make reporting instructions easy to find.

DM-2: Reviewing security-related issues

Clause: 10.3

Summary
Investigate reported issues promptly enough for the market: confirm they apply to the product, can be verified, and understand which threats trigger them. Unsubstantiated or out-of-scope reports should be filtered here.

DM-3: Assessing security-related issues

Clause: 10.4

Summary
Analyse impact against the discovery context, the product’s security context and its defence-in-depth strategy; score severity (for example with CVSS); identify other affected products/versions; and find root causes and related issues.

DM-4: Addressing security-related issues

Clause: 10.5

Summary
Decide and execute how each accepted issue will be handled — for example a security update, configuration/guidance change, compensating control, or justified deferred fix — and track that decision through to completion via the supplier’s lifecycle processes.

DM-5: Disclosing security-related issues

Clause: 10.6

Summary
Inform affected users appropriately about security-related issues and available remediations, balanced with responsible disclosure practice so attackers are not handed a free window before fixes exist.

DM-6: Periodic review of security defect management practice

Clause: 10.7

Summary
At least annually, review how security issues were managed since the last review — was the process complete, efficient, and did each issue reach resolution? Use findings for continuous improvement.

Key takeaways