The international standard for securing industrial automation and control systems. We hold ISA/IEC 62443 Expert-level certification — the full lifecycle, from risk assessment through system design to ongoing security management.
Four specialist certifications covering the complete IACS cybersecurity lifecycle.
The ISA/IEC 62443 Cybersecurity Expert certification requires mastery across all four domains — fundamentals, risk assessment, system design, and ongoing maintenance. It represents the highest level of demonstrated competency in industrial control system cybersecurity recognised by the International Society of Automation.
IEC 62443 is the only international standard purpose-built for securing industrial automation and control systems. It addresses the full ecosystem — asset owners, system integrators, and component suppliers — with a risk-based approach that scales from a single PLC to an enterprise-wide SCADA deployment.
Unlike ISO 27001 or NIST CSF, IEC 62443 was designed from the ground up for environments where availability outranks confidentiality, where patching requires outage windows, and where a misconfigured firewall rule can stop a turbine.
Regulation 71(3) permits CII owners to identify and adopt global best practices on their own initiative. IEC 62443 is the right technical anchor for energy, water, and transport CII — providing a defensible compliance position while delivering genuine security uplift.
62443 is unique in addressing asset owners (2-x), system integrators (3-x), and product suppliers (4-x) with specific requirements for each role. This matters when your OT vendor's security posture directly affects your regulatory exposure.
IEC 62443 is structured into four series, each addressing a different layer of industrial cybersecurity. Together they provide a complete framework from policy through to component-level security requirements.
62443-1 (General): Establishes the foundational concepts, security models, and terminology used across the entire standard. Defines the zone and conduit model, security levels, and the roles of asset owners, integrators, and suppliers.
62443-2 (Policies and procedures): Requirements for establishing and maintaining an IACS security program. Covers governance, risk management, personnel security, patch management, and the organisational processes that sustain security over time.
62443-3 (System): The technical core. Defines how to conduct a security risk assessment for system design (3-2) and the system-level security requirements organised by security level (3-3). This is where zone/conduit architecture, SL-T assignment, and control selection happen.
62443-4 (Component): Requirements for product suppliers and component manufacturers. Defines secure development lifecycle requirements (4-1) and technical security requirements for IACS components (4-2). Critical for supply chain security and vendor assessment.
IEC 62443 organises security controls around seven foundational requirements. Each is assessed across four security levels (SL 1-4), from protection against casual violation through to state-sponsored attack.
FR 1, Identification and authentication control (IAC): Identify and authenticate all users (human, software, device) before granting access to the IACS.
FR 2, Use control (UC): Enforce assigned privileges to authorised users for actions on the IACS, supporting segregation of duties.
FR 3, System integrity (SI): Ensure the integrity of the IACS to prevent unauthorised manipulation of system behaviour.
FR 4, Data confidentiality (DC): Ensure the confidentiality of information on communication channels and in data repositories.
FR 5, Restricted data flow (RDF): Segment the IACS via zones and conduits to restrict unnecessary data flows between zones.
FR 6, Timely response to events (TRE): Respond to security violations by notifying the proper authority, reporting evidence, and taking corrective action.
FR 7, Resource availability (RA): Ensure the availability of the IACS against degradation or denial of essential services.
Expert-level certification means we work across the full 62443 lifecycle — not just one slice. From initial risk assessment through to system design, implementation support, and ongoing program management.
Zone and conduit identification, threat modelling, consequence analysis, target security level assignment. The structured risk assessment that drives every decision downstream.
Current security level (SL-A) assessment against target (SL-T) across all seven foundational requirements. Identifies exactly where your OT environment falls short and what controls close the gap.
Architecture assessment against 62443 zone/conduit principles. Network segmentation, remote access design, safety system isolation, and DMZ architecture for IT/OT convergence.
Establish and maintain the IACS security management system — policies, procedures, roles, training, and continuous improvement. Aligned to SOCI CIRMP requirements where applicable.
Evaluate OT product suppliers and system integrators against 62443-4-1 (secure development) and 62443-2-4 (service provider requirements). Build security into procurement.
Risk-prioritised implementation plan that accounts for operational constraints — outage windows, legacy systems, budget cycles, and the reality that you can't patch a running plant.
IEC 62443 provides the framework. Expert certification provides the depth. Let's apply both to your operational environment.