← Home

IEC 62443-4-1 Clause 9 – Security Verification and Validation Testing

ISA/IEC 62443-4-1:2018, Clause 9 defines Practice 5 – Security verification and validation testing (SVV) in the Product Supplier’s secure product development lifecycle.

SVV is the evidence stage: show that written security requirements are met, modelled threats are mitigated, and the product still behaves securely under vulnerability and penetration testing.

Teaching note: Summaries paraphrase ISA/IEC 62443-4-1:2018 for learning. They are not verbatim extracts — always use the published standard for normative wording and assessment.

Reference: ISA/IEC 62443-4-1:2018, Clause 9
Related: Product Security Lifecycle overview | IEC 62443-4-2 Technical Requirements

Practice pages: SM | SR | SD | SI | SVV | DM | SUM | SG


Requirements in this practice


SVV requirement summaries

SVV-1: Security requirements testing

Clause: 9.2

Summary
A process must be employed for verifying the product security functions meet the security requirements and that the product handles error scenarios and invalid input correctly. Types of testing must include: functional testing of security requirements; performance and scalability testing; and boundary/edge condition, stress and malformed or unexpected input tests not specifically targeted at security;

SVV-2: Threat mitigation testing

Clause: 9.3

Summary
A process must be employed for testing the effectiveness of the mitigation for the threats identified and validated in the threat model. Activities must include: creating and executing plans to ensure that each mitigation implemented to address a specific threat has been adequately tested to ensure the mitigation works as designed and creating and executing plans for attempting to thwart each mitigation.

SVV-3: Vulnerability testing

Clause: 9.4

Summary
A process must be employed for performing tests that focus on identifying and characterizing potential security vulnerabilities in the product. Known vulnerability testing must be based upon, at a minimum, recent contents of an established, industry-recognized, public source for known vulnerabilities. Testing must include: abuse case or malformed or unexpected input testing focused on uncovering security issues.

SVV-4: Penetration testing

Clause: 9.5

Summary
A process must be employed to identify and characterize security-related issues via tests that focus on discovering and exploiting security vulnerabilities in the product.

SVV-5: Independence of testers

Clause: 9.6

Summary
A process must be employed to ensure that individuals performing testing are independent from the developers who designed and implemented the product according to the following table.

Key takeaways