ISA/IEC 62443
Also known as: IEC 62443
ISA/IEC 62443 is the international standard series for the cybersecurity of Industrial Automation and Control Systems (IACS), jointly developed by ISA and IEC, used across manufacturing, energy, transportation, and critical infrastructure to protect operational technology from cyber threats.
Last updated: April 2026
Key Facts
- Term: ISA/IEC 62443
- Also known as: IEC 62443, ANSI/ISA 62443
- Published by: International Society of Automation (ISA) and International Electrotechnical Commission (IEC)
- Number of parts: Four parts with multiple subparts
- Risk classification: Security Levels (SL 1 to SL 4)
- Certificate programme: Four ISA certificates (Fundamentals, Risk Assessment, Design, Maintenance) plus Cybersecurity Expert
- Course codes: IC32, IC33, IC34, IC37, IC48 (fast track)
- Audiences: Asset owners, system integrators, product suppliers
- Industries: Manufacturing, energy, oil and gas, water, transportation, critical infrastructure
- Alternative certification bodies: Kiwa/IBEX, exida, PECB
What is ISA/IEC 62443?
ISA/IEC 62443 is a multi-part standard that covers the full cybersecurity lifecycle of industrial control systems. It applies to asset owners, system integrators, and product suppliers, and addresses risk assessment, secure design, secure operation, and ongoing maintenance.
The series is structured into four major parts with multiple subparts. The standard is the only globally consensus-driven cybersecurity framework purpose-built for industrial environments, distinct from IT-focused frameworks such as ISO 27001 or NIST CSF.
ISA/IEC 62443 Structure
| Part | Title | Audience |
|---|---|---|
| Part 1 | General — concepts, terminology, models (1-1, 1-2, 1-3) | All audiences |
| Part 2 | Policies and procedures (2-1, 2-3, 2-4) | Asset owners, service providers |
| Part 3 | System level — security technologies, requirements (3-1, 3-2, 3-3) | System integrators |
| Part 4 | Component level — secure development, technical requirements (4-1, 4-2) | Product suppliers |
Part 1 establishes the lexicon and reference models including zones, conduits, and security levels. Part 2 governs how asset owners and service providers run cybersecurity programmes. Part 3 covers system-level requirements. Part 4 covers product-level requirements for component suppliers.
How ISA/IEC 62443 Differs from ISO 27001 and NIST CSF
- ISA/IEC 62443: Purpose-built for IACS and operational technology. Recognises real-time and safety constraints, long asset lifecycles, and OT-specific threat models.
- ISO 27001: Information security management for IT environments. Less suited to OT-specific concerns.
- NIST CSF: Risk-based cybersecurity framework, IT-leaning, sometimes adapted for OT.
How Industrial Cybersecurity Training Providers Deliver ISA/IEC 62443 Courses
ISA/IEC 62443 training is delivered through ISA's structured certificate programme and through alternative provider programmes such as PECB Lead Implementer and exida CSP.
Delivery formats include classroom (IC32, IC33, IC34, IC37), virtual classroom (IC32V, IC33V, etc.), instructor-guided online (IC32E, etc.), and self-paced modular (IC32M, etc.). Training providers run cohorts for control engineers, OT security analysts, system integrators, and asset owner staff at energy, manufacturing, water, and critical infrastructure organisations. The training operation needs identity verification at the exam, verifiable certificates aligned to ISA's certificate exam requirements, multi-cohort scheduling across regions and time zones, audit-ready completion records, and branded client portals for in-house corporate cohorts.
Common Questions
What certificates are available under ISA/IEC 62443?
ISA's programme issues four certificates: Cybersecurity Fundamentals Specialist (after IC32), Cybersecurity Risk Assessment Specialist (after IC33), Cybersecurity Design Specialist (after IC34), and Cybersecurity Maintenance Specialist (after IC37). Completing all four awards the Cybersecurity Expert designation. Other certification bodies offer alternative routes.
Do ISA/IEC 62443 certificates expire?
ISA certificates do not expire. Other bodies that issue IEC 62443 certificates, including Kiwa/IBEX, issue them with a defined validity period (typically 2 years), so expiry depends on which body administered the exam.
Who needs ISA/IEC 62443 training?
Control engineers, OT security analysts, IT security staff working in industrial environments, system integrators, asset owner staff, network administrators, and product suppliers building IACS components. The fundamentals course (IC32) is the entry point; advanced courses target specific roles.
How does ISA/IEC 62443 differ from ISO 27001 or NIST CSF?
ISA/IEC 62443 is purpose-built for industrial control systems and operational technology. ISO 27001 and NIST CSF target IT environments. The differences include risk models, control sets, and treatment of legacy systems and operational continuity, which are central in OT but secondary in IT.