← Home

IEC 62443-4-1 Clause 12 – Security Guidelines

ISA/IEC 62443-4-1:2018, Clause 12 defines Practice 8 – Security guidelines (SG) in the Product Supplier’s secure product development lifecycle.

Security guidelines are the user-facing instructions: how to integrate, harden, operate, manage accounts and dispose of the product so its defence-in-depth strategy matches the documented security context.

Teaching note: Summaries paraphrase ISA/IEC 62443-4-1:2018 for learning. They are not verbatim extracts — always use the published standard for normative wording and assessment.

Reference: ISA/IEC 62443-4-1:2018, Clause 12
Related: Product Security Lifecycle overview | IEC 62443-4-2 Technical Requirements

Practice pages: SM | SR | SD | SI | SVV | DM | SUM | SG


Requirements in this practice


SG requirement summaries

SG-1: Product defense in depth

Clause: 12.2

Summary
A process must exist to create product user documentation that describes the security defense in depth strategy for the product to support installation, operation and maintenance that includes: security capabilities implemented by the product and their role in the defense in depth strategy; threats addressed by the defense in depth strategy; and product user mitigation strategies for known security risks associated w…

SG-2: Defense in depth measures expected in the environment

Clause: 12.3

Summary
A process must be employed to create product user documentation that describes the security defense in depth measures expected to be provided by the external environment in which the product is to be used (see Clause 6, Practice 2 - Specification of security requirements).

SG-3: Security hardening guidelines

Clause: 12.4

Summary
A process must be employed to create product user documentation that includes guidelines for hardening the product when installing and maintaining the product.

SG-4: Secure disposal guidelines

Clause: 12.5

Summary
A process must be employed to create product user documentation that includes guidelines for removing the product from use.

SG-5: Secure operation guidelines

Clause: 12.6

Summary
A process must be employed to create product user documentation that describes: responsibilities and actions necessary for users, including administrators, to securely operate the product; and assumptions regarding the behaviour of the user/administrator and their relationship to the secure operation of the product.

SG-6: Account management guidelines

Clause: 12.7

Summary
A process must be employed to create product user documentation that defines user account requirements and recommendations associated with the use of the product that includes, but is not limited to: user account permissions (access control) and privileges (user rights) needed to use the product, including, but not limited to operating system accounts, control system accounts and data base accounts; and default accou…

SG-7: Documentation review

Clause: 12.8

Summary
A process must be employed to identify, characterize and track to closure errors and omissions in all user manuals including the security guidelines to include: coverage of the product’s security capabilities; integration of the product with its intended environment (see Clause 6, Practice 2 - Specification of security requirements); and assurance that all documented practices are secure.

Key takeaways