The ISA/IEC 62443 series is the internationally recognized body of standards, technical reports, and related guidance for securing industrial automation and control systems (IACS). It began as the ISA99 initiative within the International Society of Automation and was later adopted by the International Electrotechnical Commission as IEC 62443. The same content is published in the United States as ANSI/ISA 62443. These designations are interchangeable; this site uses ISA/IEC 62443 as a convenient shorthand that reflects both publishing paths. When purchasing ISA editions, the ANSI/ prefix applies to standards only—not to technical reports.
This page maps the ISA/IEC 62443 standards family. Page links will be added when the related AEBOK notes are ready.
The organization of the documents in the ISA/IEC 62443 series is shown in Figure 1 (above).
| Standard | Description | Page Link |
|---|---|---|
| ISA/IEC 62443 Overview | Overview of the ISA/IEC 62443 cybersecurity standards family, structure, terminology and document relationships. |
IACS Cybersecurity Roles ISO/IEC 27001/27002 and ISA/IEC 62443 for OT |
| IEC TS 62443-1-1 | Introduces the terminology, concepts, and models used throughout the series. Intended for anyone wishing to become familiar with the fundamental concepts that form the basis for the series. | |
| IEC 62443-1-2 | Glossary, terms and abbreviations. | |
| IEC 62443-1-3 | Helps asset owner organizations improve their risk posture by providing a methodology for the development of quantitative system security conformance metrics that can be implemented for a wide range of IACS. | |
| IEC TR/TS 62443-1-4 | Provides a more detailed description of the underlying security lifecycle for IACS. | |
| IEC TR/TS 62443-1-5 | Security profiles — scheme for drafting cybersecurity profiles for the ISA/IEC 62443 series. | Security Profiles |
| IEC TR/TS 62443-1-6 | Application in IIoT. | |
| IEC 62443-2-1 | Describes what is required to define and implement an IACS cybersecurity management system (Security Program). Intended for end-users and asset owners responsible for the design and implementation of such a program. The 2010 edition defined a CSMS; the 2024 edition supersedes it with Security Program (SP) requirements. |
CSMS (2010) Security Program (2024) Maturity Levels · Conformance & Assessment Clause 6 · Clause 7 · Clause 8 · Clause 9 · Clause 10 · Clause 11 · Clause 12 · Clause 13 Awareness training |
| IEC 62443-2-2 | Defines the Security Protection Scheme (SPS) for an IACS — technical, physical and process measures in operation — and related Security Protection Ratings (SPR). Also associated with Automation Solution security lifecycle teaching notes. |
Security Protection Scheme (SPS) Automation Solution Security Lifecycle |
| IEC 62443-2-3 | Provides guidance on developing a patch management program for IACS. Intended for anyone responsible for the design and implementation of patch management processes and procedures. | Patch Management |
| IEC 62443-2-4 | Specifies requirements for suppliers of IACS systems and related components. Principal audience: suppliers of control systems solutions. Developed by IEC TC65 WG10. | Service Provider Requirements |
| IEC TR/TS 62443-2-5 (planned) | Will provide guidance on what is required to operate an effective IACS cybersecurity management system. Intended for end-users and asset owners responsible for the operation of such a program. | |
| IEC TR/TS 62443-3-1 | Describes the application of various security technologies to an IACS environment. Intended for anyone wishing to learn more about the applicability of specific technologies in a control systems environment. | |
| IEC 62443-3-2 | Addresses security risk assessment and system design for IACS. Primarily directed at asset owners or end-users. |
Cyber Risk Concepts Zone, Conduit & Risk Assessment (Clause 4) Clause 4.2 · Clause 4.3 · Clause 4.4 · Clause 4.5 · Clause 4.6 · Clause 4.7 · Clause 4.8 |
| IEC 62443-3-3 | Provides the foundations for assessing the security levels provided by an automation system. Principal audience: suppliers of control systems, system integrators, and asset owners. |
Foundational Requirements Clause 5 · Clause 6 · Clause 7 · Clause 8 · Clause 9 · Clause 10 · Clause 11 FR / SL Vector · Annex B mapping Security Levels |
| IEC 62443-4-1 | Describes the derived requirements that apply to the development of products (secure product development lifecycle). Principal audience: suppliers of control systems products and components included in control systems solutions. |
Product Security Lifecycle Clause 5 · Clause 6 · Clause 7 · Clause 8 · Clause 9 · Clause 10 · Clause 11 · Clause 12 |
| IEC 62443-4-2 | Contains derived requirements that provide a detailed mapping of system requirements to subsystems and components. Principal audience: suppliers of components embedded in control systems solutions. |
Technical Requirements Clause 4 · Clause 5–Clause 11 Clause 12 · Clause 13 · Clause 14 · Clause 15 Annex A · Annex B |
| IEC 62443-5-x | Placeholder for profile documents developed using the TS 62443-1-5 scheme. | Security Profiles |
| IEC TR/TS 62443-6-1 | Security evaluation methodology for IEC 62443-2-4. | Covered with Part 2-4 |
| IEC TR/TS 62443-6-2 | Security evaluation methodology for IEC 62443-4-2. | Covered with Part 4-2 |