Online ISA-IEC-62443 Questions Video

In the ISA/IEC 62443 framework, Security Levels (SLs) are categorized into three distinct types:

Target SL (SL-T) – The security level required based on risk assessment

Capability SL (SL-C) – The level a component or system can support

Achieved SL (SL-A) – The level actually implemented in the system

“Three types of security levels are defined:

Target (SL-T): derived from risk analysis

Capability (SL-C): supported by the product or system

Achieved (SL-A): implemented and operational in the environment”

— ISA/IEC 62443-1-1:2007, Clause 3.2.4 and Table 3

This classification supports gap analysis and helps asset owners ensure their system meets both required and feasible security levels.

The first step in implementing ISO 27001, an international standard for information security management systems (ISMS), is to perform a security risk assessment. This initial step is critical as it helps identify the organization's information assets that could be at risk, assess the vulnerabilities and threats to these assets, and evaluate their potential impacts. This risk assessment forms the foundation for defining appropriate security controls and measures tailored to the organization’s specific needs. Starting with a risk assessment ensures that the security controls implemented are aligned with the actual risks the organization faces, making the ISMS more effective and targeted.

ISA/IEC 62443 Cybersecurity Fundamentals References:

Although ISO 27001 is not part of ISA/IEC 62443, it shares common principles in cybersecurity management by starting with a comprehensive understanding and assessment of security risks, which is a fundamental aspect in both standards for setting up effective security practices.

"A common pitfall is to attempt to initiate a CSMS program without at least a high-level rationale that relates cyber security to the specific organization and its mission."

A CSMS program is a Cybersecurity Management System program that follows the IEC 62443 standards for securing industrial control systems (ICS)1. A common pitfall when initiating a CSMS program is D. Immediate jump into detailed risk assessment. This is because a detailed risk assessment requires a clear definition of the system under consideration (SuC), the allocation of IACS assets to zones and conduits, and the identification of threats, vulnerabilities, and consequences for each zone and conduit2. These steps are part of the assess phase of the CSMS program, which is the first phase of the security program development process2. However, before starting the assess phase, it is important to have the management team’s support to ensure the CSMS program will have sufficient financial and organizational resources to implement necessary actions2. Therefore, jumping into detailed risk assessment without having the management buy-in is a common mistake that can jeopardize the success of the CSMS program.

The first step in the Cyber Security Management System (CSMS) development process is to “Initiate the CSMS program,” which involves establishing its purpose, obtaining organizational support, allocating resources, and defining the program’s scope. These foundational activities are required to ensure that the program is properly structured and supported before detailed risk assessments or architecture planning are performed.