← Home

IEC 62443-4-1 Clause 6 – Specification of Security Requirements

ISA/IEC 62443-4-1:2018, Clause 6 defines Practice 2 – Specification of security requirements (SR) in the Product Supplier’s secure product development lifecycle.

This practice captures what security the product must offer and under what assumptions — the product security context, threat model and testable security requirements that later design and SVV work against.

Teaching note: Summaries paraphrase ISA/IEC 62443-4-1:2018 for learning. They are not verbatim extracts — always use the published standard for normative wording and assessment.

Reference: ISA/IEC 62443-4-1:2018, Clause 6
Related: Product Security Lifecycle overview | IEC 62443-4-2 Technical Requirements

Practice pages: SM | SR | SD | SI | SVV | DM | SUM | SG


Requirements in this practice


SR requirement summaries

SR-1: Product security context

Clause: 6.2

Summary
A process must be employed to ensure that the intended product security context is documented.

SR-2: Threat model

Clause: 6.3

Summary
A process must be employed to ensure that all products must have a threat model specific to the current development scope of the product with the following characteristics (where applicable): correct flow of categorized information throughout the system; trust boundaries; processes; data stores; interacting external entities; internal and external communication protocols implemented in the product; externally accessi…

SR-3: Product security requirements

Clause: 6.4

Summary
A process must be employed for ensuring that security requirements are documented for the product/feature under development including requirements for security capabilities related to installation, operation, maintenance and decommissioning.

SR-4: Product security requirements content

Clause: 6.5

Summary
A process must be employed for ensuring that security requirements include the following information: the scope and boundaries of the component or system, in general terms in both a physical and a logical way; and the required capability security level (SL-C) of the product.

SR-5: Security requirements review

Clause: 6.6

Summary
A process must be employed to ensure that security requirements are reviewed, updated as necessary and approved to ensure clarity, validity, alignment with the threat model (discussed in 6.3 SR-2: Threat model), and their ability to be verified. Each of the following representative disciplines must participate in this process.

Key takeaways