The idea in a sentence
IEC 62443 is the industrial equivalent of ISO 27001: the same risk management and control logic, with added constraints related to production (availability, personal safety, long equipment life, limited maintenance windows, maintenance providers, etc.).
What is IEC 62443 used for?
It provides a framework specific to industrial systems (OT/ICS/SCADA) to reduce unplanned stoppages, avoid safety incidents and prove to your customers that the plant is under control. It applies to three roles across the life cycle: suppliers/builders, integrators and operators.
ISO 27001 structures global governance (ISMS).
IEC 62443 translates this intention to the production line level: architecture, workstations, networks, field procedures.
5 concepts that make all the difference
1) Zones & Conduits
We segment the workshop into zones (robot cell, supervision, DMZ, OT server room...) and we control the conduits (flows) between them. Objective: limit propagation and make the crossing points that need filtering visible.
2) Security levels (SL)
We set target SLs by use and risk (e.g. SL2 for supervision, SL3 for machine safety). This guides hardening without over-specifying.
3) "Field-compatible" hardening
Shared HMI stations, maintenance accounts, an obsolete OS imposed by a PLC, equipment with no available patch... These call for compensating measures: machine isolation, a virtual patching gateway, network hardening by allow-list, one-way flow (data diode) when necessary.
4) Admin paths and maintenance accesses
We separate the administration paths from the rest, we require named accounts and temporary elevations (badges, short sessions) and logging of service-provider interventions, and we keep the proof.
5) Complete life cycle
Design → integration → operation/maintenance. The requirements don't stop with the project: they cover updates, backup/restore of PLC recipes, change management and end-of-life.
Examples of "ISO to workshop" adaptations
- Regular updates ⟶ when that is impossible: strict isolation, supervision, integrity control.
- Securing workstations ⟶ shared HMI: named accounts, time-limited sessions, automatic locking.
- Network segmentation ⟶ interconnected lines: OT DMZ, filtered gateways, allow-listed flows, central logging.
How to get started without blocking production
- Simple mapping: cells, PLCs, HMIs, servers, gateways, IT-OT links.
- Cut into zones and draw the existing conduits; mark unfiltered "bridges".
- Set an SL per zone (depending on risk and production constraints).
- Treat the 10% that accounts for 80% of the risk: isolate what cannot be patched, shut down unnecessary flows, and secure maintenance access.
- Prove: tested backups, intervention traces, up-to-date list of authorized flows.
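One way to apply the zone, conduit and authorized-flow steps to recorded traffic, as an added example that is not part of the original article: it maps each flow to its zones, flags cross-zone flows that no declared conduit covers (the unfiltered "bridges"), ranks them by the destination zone's SL target, and lists allow-listed conduits that were never used. All zone names, subnets, SL targets, conduits and flow records are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory: zone names, subnets and SL targets are assumptions.
ZONES = {
    "robot_cell":  (ip_network("10.10.1.0/24"), 3),
    "supervision": (ip_network("10.10.2.0/24"), 2),
    "ot_dmz":      (ip_network("10.10.9.0/24"), 2),
    "it":          (ip_network("192.168.0.0/16"), 1),
}
# Authorized conduits: (source zone, destination zone, protocol, dest port).
CONDUITS = {
    ("supervision", "robot_cell", "tcp", 502),
    ("supervision", "ot_dmz", "tcp", 443),
    ("it", "ot_dmz", "tcp", 443),
    ("ot_dmz", "supervision", "tcp", 1433),
}
# Constructed flow records (src, dst, proto, dport), e.g. a firewall export.
OBSERVED = [
    ("10.10.2.15", "10.10.1.20", "tcp", 502),    # allowed conduit
    ("10.10.2.15", "10.10.2.30", "tcp", 3389),   # intra-zone, not a conduit
    ("192.168.4.7", "10.10.1.20", "tcp", 102),   # IT straight into the cell
    ("192.168.4.7", "10.10.9.5", "tcp", 443),    # allowed conduit
    ("10.10.3.99", "10.10.2.15", "udp", 161),    # source not in any zone
]

def zone_of(addr):
    """Return the zone containing addr, or None if the asset is unmapped."""
    ip = ip_address(addr)
    return next((z for z, (net, _) in ZONES.items() if ip in net), None)

def audit(flows):
    """Return (findings, unused): findings sorted by destination SL target."""
    findings, used = [], set()
    for src, dst, proto, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            findings.append(("unmapped_asset", sz, dz, proto, dport))
        elif sz != dz:
            key = (sz, dz, proto, dport)
            if key in CONDUITS:
                used.add(key)
            else:
                findings.append(("unfiltered_bridge",) + key)
    # Highest-SL destination zones first; an unknown destination ranks last.
    findings.sort(key=lambda f: -ZONES.get(f[2], (None, 0))[1])
    return findings, sorted(CONDUITS - used)

if __name__ == "__main__":
    print(*audit(OBSERVED), sep="\n")
```

Unused conduits are candidates for the "shut down unnecessary flows" step, and unmapped assets point back to gaps in the initial mapping.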
Conclusion
IEC 62443 puts ISO 27001 at the machine level. It respects production constraints while imposing a discipline of architecture, access and proof. By addressing isolation, flow and maintenance access first, you greatly reduce risk without shutting down the plant - and you speak the same language as your industrial partners.