All published standards, technical reports, and specifications across the series — with status and scope for each part.
The series spans six numbered groups covering general concepts through to evaluation methodology. Not every part is a normative standard — many are Technical Reports (informative guidance), Technical Specifications (pre-normative), or Publicly Available Specifications (time-limited guidance), and several parts remain in development.
Series 1: Foundational concepts, terminology, models, and metrics applicable to all roles
Published as a Technical Specification (IEC/TS 62443-1-1:2009), not a full International Standard. Establishes the foundational vocabulary, concepts, and models — IACS, security levels, zones, conduits — used throughout all subsequent parts. Informative in status; content is widely adopted in practice.
Intended to provide a consolidated, precise glossary for all terms used across the series. Not yet published — under development by the ISA99 committee; until it appears, terms are defined within the individual parts.
Intended to define quantitative metrics and measurement approaches for evaluating compliance with security requirements. Not yet published — currently under development by the ISA99 committee.
Intended to describe the IACS security lifecycle from initial concept through decommissioning, with illustrative use-case examples. Not yet published — currently under development by the ISA99 committee.
Published as a Technical Specification (IEC/TS 62443-1-5:2023). Defines the methodology and requirements for authoring IEC 62443 security profiles — sector- or application-specific subsets of the standard used in conformity assessment. Underpins the planned Series 5 security profiles sub-series, no parts of which have been published yet.
Published as a Publicly Available Specification (IEC PAS 62443-1-6:2025). Provides guidance for asset owners and service providers on applying the 62443 series to IIoT environments, addressing new communication channels, distributed architectures, and IIoT-specific cybersecurity concerns. As a PAS it is automatically withdrawn after four years (2029).
Series 2: Operational security management requirements — primarily directed at asset owners
Specifies requirements for establishing, implementing, and maintaining a Security Management System (SMS) for IACS. Covers risk analysis, security policies, organisational roles, and ongoing program management — the OT counterpart to ISO/IEC 27001.
Published as a Publicly Available Specification (IEC PAS 62443-2-2:2025) — informative guidance, not normative requirements. Provides mechanisms and procedures for developing, validating, operating, and maintaining a Security Protection Scheme (SPS) that manages cyber risk across an operating facility. Companion document to 62443-2-1. Also published by ISA as ISA-TR62443-2-2:2025.
Published as a Technical Report (IEC TR 62443-2-3:2015) — informative guidance, not normative requirements. Addresses the unique challenges of patching in operational environments where availability is paramount. Covers roles and responsibilities for asset owners and vendors, patch assessment processes, and approaches for systems that cannot be taken offline.
Defines security capabilities and practices that asset owners should require of their system integrators and service providers. Covers solution delivery, configuration, remote access, documentation, and ongoing support activities throughout the project lifecycle.
Series 3: System-level security requirements for design and risk assessment — primarily for system integrators
Published as a Technical Report (IEC TR 62443-3-1:2009) — informative guidance, not normative requirements. Evaluates the applicability of common security technologies (authentication, encryption, firewalls, IDS, etc.) to industrial control environments. Note: published in 2009 and may not reflect the current technology landscape.
Defines a rigorous process for identifying and partitioning an IACS into security zones and conduits based on risk. Drives the determination of target security levels (SL-T) for each zone and provides the basis for selecting countermeasures during system design.
The normative core of the system series. Specifies the seven foundational requirements (FRs: IAC, UC, SI, DC, RDF, TRE, RA), broken down into 51 system requirements (SRs), and defines how each scales to Security Levels 1–4. Used directly in system acceptance testing and certification assessments.
Series 4: Product-level requirements for hardware, software, and firmware — directed at manufacturers
Specifies secure development lifecycle (SDL) practices that product suppliers must follow. Covers security management, requirements, design, implementation, verification, defect management, patch management, and end-of-life handling. Basis for ISASecure SDLA certification.
Defines component-level technical requirements equivalent to the system requirements in 62443-3-3, scoped to individual embedded devices, host devices, network components, and software applications. Enables component capability security levels (CAP SL) used in product certification programmes.
Series 6: Evaluation methodologies for conformity assessment against specific parts of the standard
Published as a Technical Specification (IEC/TS 62443-6-1:2024). Specifies a repeatable, reproducible evaluation methodology for assessing service providers against the requirements of IEC 62443-2-4. Intended for use in first-, second-, and third-party conformity assessment activities, including by certification bodies.
Published as a Technical Specification (IEC/TS 62443-6-2:2025). Specifies a repeatable, reproducible evaluation methodology for assessing IACS components against the requirements of IEC 62443-4-2. Companion to 6-1, extending structured evaluation to the product component layer.