← Home

IEC 62443-4-1 Clause 11 – Security Update Management

ISA/IEC 62443-4-1:2018, Clause 11 defines Practice 7 – Security update management (SUM) in the Product Supplier’s secure product development lifecycle.

SUM ensures security updates for the product — including patches from the developer and from dependent components or platforms — are qualified for regressions, documented, delivered authentically and made available in a useful timeframe. Facility-side patch programmes (TR 62443-2-3) and service-provider patch expectations (Part 2-4) rely on this supplier work.

Teaching note: Summaries paraphrase ISA/IEC 62443-4-1:2018 for learning. They are not verbatim extracts — always use the published standard for normative wording and assessment.

Reference: ISA/IEC 62443-4-1:2018, Clause 11
Related: Product Security Lifecycle overview | Practice 6 – Security-related issues | IEC 62443-2-3 Patch Management

Practice pages: SM | SR | SD | SI | SVV | DM | SUM | SG


Requirements in this practice


SUM requirement summaries

SUM-1: Security update qualification

Clause: 11.2

Summary
Verify that security updates actually fix the intended vulnerabilities and do not introduce regressions — whether the patch comes from the product developer, embedded component suppliers, or platforms the product depends on. Confirm the update does not conflict with operational, safety or legal constraints.

SUM-2: Security update documentation

Clause: 11.3

Summary
Give users documentation covering applicable product versions, how to apply patches (manual and automated), operational impacts (including reboot), how to verify installation, and risks / interim remediations when a patch is not approved or not yet deployed.

SUM-3: Dependent component or operating system security update documentation

Clause: 11.4

Summary
State clearly whether the product is compatible with dependent-component or OS security updates, and provide mitigations when the product supplier does not approve applying that update.

SUM-4: Security update delivery

Clause: 11.5

Summary
Make security updates for supported products and versions available through a channel that lets users verify authenticity — reducing the chance of fraudulent patches.

SUM-5: Timely delivery of security patches

Clause: 11.6

Summary
Release security patches within a reasonable timeframe once an issue is confirmed, so the window between disclosure and available remediation stays as short as practical for supported releases.

Key takeaways