← Home
IEC 62443-4-1 Clause 6 – Specification of Security Requirements
ISA/IEC 62443-4-1:2018, Clause 6 defines
Practice 2 – Specification of security requirements (SR) in the Product Supplier’s secure product
development lifecycle.
This practice captures what security the product must offer and under what assumptions — the product security context, threat model and testable security requirements that later design and SVV work against.
Teaching note: Summaries paraphrase ISA/IEC 62443-4-1:2018 for learning.
They are not verbatim extracts — always use the published standard for normative wording and assessment.
Reference: ISA/IEC 62443-4-1:2018, Clause 6
Related:
Product Security Lifecycle overview
|
IEC 62443-4-2 Technical Requirements
Practice pages: SM | SR | SD | SI | SVV | DM | SUM | SG
Requirements in this practice
SR requirement summaries
SR-1: Product security context
Clause: 6.2
Summary
A process must be employed to ensure that the intended product security context is documented.
SR-2: Threat model
Clause: 6.3
Summary
A process must be employed to ensure that all products must have a threat model specific to the current development scope of the product with the following characteristics (where applicable): correct flow of categorized information throughout the system; trust boundaries; processes; data stores; interacting external entities; internal and external communication protocols implemented in the product; externally accessi…
SR-3: Product security requirements
Clause: 6.4
Summary
A process must be employed for ensuring that security requirements are documented for the product/feature under development including requirements for security capabilities related to installation, operation, maintenance and decommissioning.
SR-4: Product security requirements content
Clause: 6.5
Summary
A process must be employed for ensuring that security requirements include the following information: the scope and boundaries of the component or system, in general terms in both a physical and a logical way; and the required capability security level (SL-C) of the product.
SR-5: Security requirements review
Clause: 6.6
Summary
A process must be employed to ensure that security requirements are reviewed, updated as necessary and approved to ensure clarity, validity, alignment with the threat model (discussed in 6.3 SR-2: Threat model), and their ability to be verified. Each of the following representative disciplines must participate in this process.
Key takeaways
- Practice 2 (SR) is one of eight Part 4-1 practices that together form the secure product development lifecycle.
- Maturity levels (ML1–ML4) describe how thoroughly the supplier performs and improves these process requirements.
- See the Part 4-1 overview for how practices connect from design through support and guidelines.