← Home
IEC 62443-4-1 Clause 9 – Security Verification and Validation Testing
ISA/IEC 62443-4-1:2018, Clause 9 defines
Practice 5 – Security verification and validation testing (SVV) in the Product Supplier’s secure product
development lifecycle.
SVV is the evidence stage: show that written security requirements are met, modelled threats are mitigated, and the product still behaves securely under vulnerability and penetration testing.
Teaching note: Summaries paraphrase ISA/IEC 62443-4-1:2018 for learning.
They are not verbatim extracts — always use the published standard for normative wording and assessment.
Reference: ISA/IEC 62443-4-1:2018, Clause 9
Related:
Product Security Lifecycle overview
|
IEC 62443-4-2 Technical Requirements
Practice pages: SM | SR | SD | SI | SVV | DM | SUM | SG
Requirements in this practice
SVV requirement summaries
SVV-1: Security requirements testing
Clause: 9.2
Summary
A process must be employed for verifying the product security functions meet the security requirements and that the product handles error scenarios and invalid input correctly. Types of testing must include: functional testing of security requirements; performance and scalability testing; and boundary/edge condition, stress and malformed or unexpected input tests not specifically targeted at security;
SVV-2: Threat mitigation testing
Clause: 9.3
Summary
A process must be employed for testing the effectiveness of the mitigation for the threats identified and validated in the threat model. Activities must include: creating and executing plans to ensure that each mitigation implemented to address a specific threat has been adequately tested to ensure the mitigation works as designed and creating and executing plans for attempting to thwart each mitigation.
SVV-3: Vulnerability testing
Clause: 9.4
Summary
A process must be employed for performing tests that focus on identifying and characterizing potential security vulnerabilities in the product. Known vulnerability testing must be based upon, at a minimum, recent contents of an established, industry-recognized, public source for known vulnerabilities. Testing must include: abuse case or malformed or unexpected input testing focused on uncovering security issues.
SVV-4: Penetration testing
Clause: 9.5
Summary
A process must be employed to identify and characterize security-related issues via tests that focus on discovering and exploiting security vulnerabilities in the product.
SVV-5: Independence of testers
Clause: 9.6
Summary
A process must be employed to ensure that individuals performing testing are independent from the developers who designed and implemented the product according to the following table.
Key takeaways
- Practice 5 (SVV) is one of eight Part 4-1 practices that together form the secure product development lifecycle.
- Maturity levels (ML1–ML4) describe how thoroughly the supplier performs and improves these process requirements.
- See the Part 4-1 overview for how practices connect from design through support and guidelines.