← Home

ISO/IEC 27001, ISO/IEC 27002 and the ISA/IEC 62443 Series for Operational Technology Environments

ISO/IEC 27001/27002 and the ISA/IEC 62443 series are complementary cybersecurity standards that together support a risk-based approach to securing both Information Technology (IT) and Operational Technology (OT). Organisations with industrial operations typically need both: enterprise-wide governance from an ISMS, plus OT-specific guidance for industrial control systems.

Source: These notes summarise the relationship described in the ISA Global Cybersecurity Alliance white paper Applying ISO/IEC 27001, ISO/IEC 27002 and the ISA/IEC 62443 Series for Operational Technology Environments (June 2025), together with the referenced editions of ISO/IEC 27001:2022, ISO/IEC 27002:2022 and the ISA/IEC 62443 series.

ISO/IEC 27001

ISO/IEC 27001 sets out how to build and run an Information Security Management System (ISMS) — the management framework for identifying information security risks, deciding how to treat them, and improving over time through governance, policy and process.

Key characteristics include:

When an organisation seeks to demonstrate it follows ISO/IEC 27001, the management-system requirements in Clauses 4–10 are expected in full. Annex A is different: controls are chosen (and extra controls may be designed) according to the organisation’s risk picture.

ISO/IEC 27002

ISO/IEC 27002 complements ISO/IEC 27001 by providing detailed implementation guidance for the information security controls referenced in Annex A of ISO/IEC 27001. In the ISO/IEC 27000 glossary, a control is a measure that modifies risk.

It assists organisations in:

ISA/IEC 62443

ISA/IEC 62443 focuses specifically on Industrial Automation and Control System (IACS) cybersecurity within Operational Technology environments.

It does not replace an ISMS. Instead it extends cybersecurity thinking into plants, utilities, oil and gas, transport and similar settings — wherever automated or remotely controlled assets sit behind industrial or critical-infrastructure operations. The series is also used beyond classic process industry (for example building automation and medical systems) where those same patterns apply.

OT usually prioritises availability, integrity, safety and continuity differently from enterprise IT. Running outside those performance and integrity constraints can have health, safety or environmental consequences, so security choices must respect how the process actually runs.

The series provides:

Coordination with an ISMS: ISA/IEC 62443 is not a full ISMS in the ISO/IEC 27001 sense. Asset owners still need security management as part of their OT Security Program. Where an organisation already runs an ISMS, the OT Security Program should be aligned with it so policies, roles and risk treatment stay consistent (see IEC 62443-2-1).

IT vs OT Focus

ISO/IEC 27001 / 27002 ISA/IEC 62443
Information Technology (IT) Operational Technology (OT)
Information Security Management System (ISMS) Industrial Automation and Control System (IACS) security
Enterprise information security Industrial control system cybersecurity
Policies, governance and risk management Technical and operational cybersecurity requirements
Generic security controls OT-specific security controls and lifecycle requirements
Applicable to all organisations Designed for industrial and critical infrastructure environments

IT covers technologies for information processing — software, hardware, communications and related services — and generally excludes embedded technologies that do not generate data for enterprise use. OT is technology for detecting, managing or causing change through the monitoring or control of a physical entity (including the personnel and processes that manage those systems). IoT and Industrial IoT have blurred the boundary, but OT still faces distinctive integrity, availability and safety constraints.

Why Both Standards Are Required

Many organisations already operate an ISMS based on ISO/IEC 27001. Dropping unmodified IT security practices onto OT can still create operational or safety problems. Familiar failure modes include:

ISA/IEC 62443 is written for that OT context: controls and requirements are meant to support safe, reliable operation rather than simply import office IT habits. Dedicated safety functions also need security treatment that respects their unique role.

The reverse is also true. ISA/IEC 62443 alone does not give you every piece of an OT security picture — especially a complete security management system. It expects coordination with an ISMS. ISO/IEC 27001/27002 also retain some controls that still matter for OT but fall outside 62443’s scope. In practice you use both.

How the Standards Work Together

A practical combined approach is to:

  1. Establish and maintain an ISMS using ISO/IEC 27001 (Clauses 4–10).
  2. Implement ISO/IEC 27002 security controls based on organisational risk.
  3. Extend the ISMS to include OT environments without undermining the existing IT ISMS.
  4. Apply ISA/IEC 62443 — especially IEC 62443-2-1 — for OT-specific cybersecurity risks.
  5. Align the OT Security Program with the ISMS so governance stays coherent across the enterprise.

That keeps one security governance roof while allowing specialised treatment where industrial environments differ. Plant OT may sit inside corporate IT infrastructure or run more independently; either way, the complementary pair of standards still applies.

Extending the ISMS for OT

When extending the ISMS into OT, clarity is needed about:

Combining ISO/IEC 27002 Controls with IEC 62443-2-1

IEC 62443-2-1 is the practical bridge from the ISMS into OT. It groups asset-owner Security Program expectations into Security Program Elements (SPEs) — topics such as configuration management, network and communication security, component security, user access and data protection.

A useful working method is to list related ISO/IEC 27002 risk-treatment controls next to each SPE (or sub-SPE), then decide what applies through asset-owner risk analysis. Some 27002 topics are broad (contact with authorities, employment terms, intellectual property) and still need an OT-aware reading. Mapping a control to an SPE does not mean it must be implemented — selection remains risk-based.

Example – secure remote access: Many OT assets are maintained by external providers off-site. IEC 62443-2-1’s NET 3 material on secure remote access focuses on OT-specific hygiene: restricting which remote applications are allowed, recording enough about interactive sessions to support governance (who, why, how protected, how long), and closing idle remote sessions. ISO/IEC 27002 adds related enterprise themes — remote working, use of public networks for application services and transactions, information transfer rules, transfer agreements and confidentiality arrangements — that 62443-2-1 does not fully cover. A sound remote-access design usually draws on both.

Roles Covered by ISA/IEC 62443

Unlike ISO/IEC 27001/27002, ISA/IEC 62443 speaks directly to everyone who protects industrial systems. ISO/IEC 27001/27002 already include supplier-related controls (including 5.19 to 5.22); 62443 complements that by giving asset owners concrete OT expectations they can use with suppliers in named roles — including where third-party certification is useful.

Together those roles support defence in depth across the industrial cybersecurity lifecycle. Product suppliers and service providers may also own plants of their own, and then act as asset owners for those facilities.

See also IACS Cybersecurity Roles for how principal roles relate across the series.

Key Takeaways

Standards References


Related Topics
IACS Cybersecurity Roles
ISA/IEC 62443 Overview
Introduction to IACS Security
IEC 62443-2-1 Cybersecurity Awareness Training