IEC 62443

Do you want to obtain IEC 62443 certification, or are you curious why other organisations choose it? IEC 62443 is the well-known standard for industrial cybersecurity. Certification against this standard demonstrates that your organisation applies the right form of protection for vital processes and infrastructure within industry.

With certification from DigiTrust, you can easily and independently demonstrate that the security programme within your organisation is indeed in order.

More than 500 organisations have already gone before you.


The standards explained

Why IEC 62443?

Organisations face increasing demands from legislators and others to have their digital resilience in order. The organisation may fall under the Network and Information Systems Security Act and may even be designated as an AED (Provider of Essential Services) or AAVA (Other Designated Vital Provider). The upcoming implementation of the European CER Directive, in the form of the Critical Entity Resilience Act (Wwke) and the NIS2 Directive in the form of the Cybersecurity Act (Cbw), will extend this obligation to more companies.

This obligation also covers the Operational Technology (OT) environment. The OT world differs from the standard IT environment that most organisations are familiar with. Because of its different requirements and expectations, the more IT-oriented processes of ISO 27001 do not work optimally in an OT environment. IEC 62443 has been developed specifically for this environment: it speaks the language of OT engineers and takes into account the conditions that apply in this world.

Certification of IEC 62443-2-1 and IEC 62443-2-4

DigiTrust offers certification services specifically focused on the IEC 62443-2-1 and IEC 62443-2-4 standards. These standards provide requirements for security programmes to manage and maintain the OT environment. This allows you as an organisation to demonstrate that your security programme meets current standards and has been assessed by an objective and impartial party.

DigiTrust audits and certifies against two standard parts within IEC 62443. Whether certification against IEC 62443-2-1 and/or IEC 62443-2-4 is appropriate depends on the role your organisation plays in the OT landscape. Please note that DigiTrust does not certify against other parts, such as IEC 62443-4-1 and IEC 62443-4-2.

Asset Owner (IEC 62443-2-1)

The Asset Owner is the owner of (production) sites and/or assets. Some examples are:

  • Manufacturing companies;
  • Network operators;
  • Water boards;
  • Power plants;
  • Hospitals;
  • Etc.

The most important aspect here is that the Asset Owner is responsible for the processes and for the possible consequences of incidents. As a result, this role is often vested on the operational side of the organisation, for example with plant managers or process owners. IEC 62443-2-1 contains the requirements for setting up a security programme to control the Industrial Automation and Control System (IACS). The Asset Owner may outsource the maintenance of the assets to a Maintenance Service Provider. The design, realisation, commissioning and validation of the automation systems can be outsourced to an Integration Service Provider.

Maintenance Service Provider (IEC 62443-2-4)

The Maintenance Service Provider (MSP) is the organisation responsible for maintaining (production) sites and/or assets and for decommissioning them. The MSP may be an independent organisation hired by the Asset Owner to perform maintenance, or it may be an internal entity within the Asset Owner's organisation. IEC 62443-2-4 specifies the requirements that the maintenance service provider's security programme must meet.

Integration Service Provider (IEC 62443-2-4)

The Integration Service Provider (ISP) is the organisation responsible for designing, realising, commissioning and validating the automation systems. The ISP may be an independent organisation hired by the Asset Owner to perform these tasks, or it may be an internal entity within the Asset Owner's organisation. IEC 62443-2-4 specifies the requirements that the integration service provider's security programme must meet.

The steps explained

How do I get the IEC 62443 standard?

You can order the IEC 62443 standard free of charge through the NEN.

How can you obtain IEC 62443 certification?

You must first ensure that you have a working security programme that meets the requirements of the standard. You can do this entirely by yourself or have a consulting firm guide you.

If you believe you meet the standard, you can have it assessed by DigiTrust. Our certification process has a number of logical steps.

Establishing scope of certification

- Determine which activities and locations will be certified.

- Determine against which standard part certification will take place.

- Determine required audit time.

Drawing up audit plan

The auditor draws up the audit plan in consultation with the client.

Conducting audit

- For Asset Owners, the security programme will be assessed (remotely) from the office location.

- For Maintenance and Integration Service Providers, the security programme will be assessed (remotely) from the office location.

Preparation of audit report

The auditor prepares the audit report.

Certification review

The auditor's file is reviewed by an objective and impartial Certification Manager.

Issuing certificate

If successful, the certificate will be issued.

Questions on IEC 62443 or curious about the possibilities?

Our specialists will be happy to tell you more. Call us on 088-224 56 00, email us at sales@digitrust.nl or use our online contact form. We will be happy to visit you for a no-obligation introduction.

More than 300 organisations have already gone before you.
