
Automation Control System Security Assurance (ACSSA) Certification

ACSSA certifies compliance with ISA/IEC 62443-2-1, 62443-2-4, 62443-3-2, and 62443-3-3.

ACSSA Certification (ACSSA) - 1.0.0

Effective 17 February 2026

Scope

ACSSA evaluates a deployed control system and related asset owner policies and procedures. 

ACSSA evaluation requires a partition of the IACS into security zones. An IACS is eligible for ACSSA programs, if the asset owner seeking ACSSA evaluation is fully accountable for managing, operating, and maintaining all hardware and software within these zones, and for all ingress/egress points for external communication and communication between zones. In the case that cyber elements that do not meet these criteria have an interface to an IACS (which may include but are not limited to public cloud applications and infrastructure components), the IACS with scope defined to exclude those elements is eligible for ACSSA. For such an evaluation, the evaluator will verify that the asset owner’s risk assessment has examined threats due to this interface, as specified in ACSSA-300 [ACSSA-300].

The scope of an ACSSA evaluation includes the following:

    • An IACS that is in-operation or operations-ready
    • A Security Program (SP) that documents the security policies and procedures for the IACS
    • The roles, responsibilities and training for the personnel that interact with the IACS
    • The service providers that are responsible for IACS maintenance, integration or other services



The standards in Figure 1 are evaluated as follows:

ACSSA Evaluation
The detailed specifications that describe an ACSSA evaluation are the documents ACSSA-300, ACSSA-304 [ACSSA-304], and ACSSA-311 [ACSSA-311]. The differences between the ACSSA inspection and certification schemes are described in Section 4.2.

The ISASecure conformity assessment programs have been developed by an industry consortium called the ISA Security Compliance Institute (ISCI) with a goal to accelerate industry-wide improvement of cyber security for IACS. The ISASecure ACSSA conformity assessment programs achieve this goal by offering a common industry-recognized method for evaluating conformity to 62443 for an IACS. An asset owner that achieves ACSSA certification for an IACS can display the ISASecure ACSSA symbol in association with that IACS.

ACSSA evaluates a deployed control system and related asset owner policies and procedures. Other 62443 conformity assessment programs, offered by ISASecure and others, evaluate off-the-shelf products based on 62443-3-3 and 62443-4-2, and development lifecycle processes based on 62443-4-1. Achievement of these certifications for components and systems that are part of an asset owner’s IACS is not a prerequisite for meeting ACSSA requirements. However, use of products certified to ANSI/ISA/IEC 62443 will be beneficial for attaining ACSSA certification.

Eligibility for ACSSA

Asset owners responsible for an IACS can apply for ACSSA inspection or certification, if the IACS is either in operation, or near transition to operation. “Near transition to operation” means that the asset owner can supply information submissions and meet other preparedness criteria defined in the ACSSA specifications. Examples of required submissions are a system asset inventory under change control and a risk assessment for the IACS performed in accordance with 62443-3-2. Examples of other required preparedness criteria are completion of commissioning and availability of policies and procedures for conformity with 62443-2-1. Detailed ACSSA eligibility criteria for an IACS are specified in ACSSA-300.

The scope of the IACS that is the subject of evaluation is determined by the asset owner. The required submission of documentation to define this scope is also found in ACSSA-300. Examples are asset inventory for the system under evaluation, list of equipment under control, policies and procedures, and list of service providers.

Comparison of ACSSA inspection and certification schemes

The present document contains information that applies to both the ACSSA inspection and certification schemes. Figure 2 shows the relationship between these schemes. The term “conformity assessment body” (CAB) is used, as in the figure below, when referring to either an inspection body (IB) or certification body (CB) for ACSSA.

Evaluation process and criteria for conformity with individual 62443 requirements are identical for ACSSA inspection and for an initial ACSSA certification. Key differences between the two programs address the following other program aspects:

  • Conformity statements: Under the ACSSA inspection and certification programs, requirements in 62443-2-1 are evaluated according to the same specified criteria, and evaluated either as practiced at maturity level 3 (ML 3), at maturity level 2 (ML 2), or as not meeting ML 2. 62443-2-4, 62443-3-2, and 62443-3-3 requirements associated with each 62443-2-1 requirement must also be met based on specified criteria that support the maturity level that the evaluator determines is met for that 62443-2-1 requirement. Conformity to 62443-3-3 requirements must also be aligned with the security level assigned per the asset owner’s risk assessment to each security zone of the system under evaluation.

    Based upon such an evaluation, an ACSSA inspection program result attests to conformity of an IACS to individual requirements in the 62443 standards. There is no formal designation for passing an ACSSA inspection overall. An inspection attests to conformity of an IACS with requirements in the standards 62443-2-1, 62443-2-4, 62443-3-2, and 62443-3-3.  

    An ACSSA certification attests to overall conformity of an IACS with 62443. In particular, it attests to conformity of an IACS with the standards 62443-2-1, 62443-2-4, 62443-3-2, and 62443-3-3. The certification program defines criteria for granting certification to an IACS based upon the results of the ACSSA evaluation. Specifically, 62443-2-1 and 62443-3-2 requirements must be met at ML 3. 62443-2-4 and 62443-3-3 requirements associated with each 62443-2-1 requirement must also be met, based on criteria that support asset owner ML 3 for the 62443-2-1 requirement. ACSSA does not offer certification for ML 1 or ML 2.

  • Time aspect of statement of conformity: Both inspections and certifications provide a report that documents evaluation results at a point in time. However, a certification is valid over a specified time period, requires periodic review during that time period (known as surveillance), and offers a recertification process to further maintain the certification beyond that time period, as specified in ACSSA-300 [ACSSA-300].

  • Qualifications for IB vs. CB: Impartiality requirements are more rigorous for an ACSSA CB than for an ACSSA IB. An IB may work sequentially on both consulting and inspection for the same subject IACS, as long as the work is done by different individuals and impartiality is maintained. A CB (as a legal entity) cannot offer or perform both related consulting and certifications.

Use cases: inspection and certification

An asset owner organization might use an ACSSA inspection for internal purposes, to gauge the current security posture of an IACS in operation, or the security-readiness of an IACS that is deemed ready for operation. They may schedule future inspections as they see fit, to measure progress. An ACSSA inspection could be used to extend or confirm efforts by internal audit resources of the asset owner organization.

An asset owner organization might use a certification as part of a long-term public commitment to maintain their security program, or because an external entity offers benefits for maintaining a certification, or an external entity requires a certification under some circumstances. Examples of such external entities could be customers, insurance providers, or regulators that work with the asset owner organization.

Overview of process for ACSSA Inspection

To obtain an ACSSA inspection, an asset owner applies to an accredited IB for inspection of a specified IACS. The IB determines eligibility of the IACS in accordance with requirements of ACSSA-300. Once eligibility is established, the asset owner and CAB create an evaluation plan. After execution of the agreed plan and evaluation of the IACS is complete, the asset owner will receive a cover letter from the IB that attests to completion of the evaluation, which references the resulting report. The asset owner will receive a formal ACSSA inspection report conforming to the ACSSA-specified format and content defined in ACSSA-303 [ACSSA-303]. The report provides statements of conformity to individual 62443 requirements as described in Section 4.2, and descriptions of any nonconformities found.

To obtain an ACSSA certification, an asset owner applies to an accredited CB for certification of a specified IACS. The CB determines eligibility of the IACS in accordance with requirements of ACSSA-300. Once eligibility is established, typically the CB performs a gap analysis to assist the asset owner in preparing for the formal evaluation. Once the formal evaluation of the IACS is planned and completed, then if the IACS meets the ACSSA certification criteria, it is granted certified status until an expiration date as specified in ACSSA-300. The asset owner receives a certificate and a formal certification report. The certification report includes the contents that comprise a formal inspection report, as described in Section 4.4. A periodic surveillance process specified in ACSSA-300, is required to maintain the certification until its expiration date. A recertification process is required to extend the certification beyond the expiration date. At this time a new certificate and certification report are issued.

Note that an IACS is evaluated to the same criteria whether or not it is in operation. However, for some requirements, evidence available to demonstrate conformity may differ. In these cases, the ACSSA specifications allow for several types of evidence.

ACSSA certified IACS

An asset owner with an IACS that has been certified under the ACSSA certification program may display the ISASecure symbol and a certificate granting certification, in accordance with program procedures found in ACSSA-204 [ACSSA-204]. A certification references a 3-digit certification version that identifies the set of ISASecure specifications used for the certification. For example, the ABC Company IACS at City Y might be certified to ISASecure ACSSA 1.0.0.

At the request of an asset owner organization, ISCI will post on its web site https://ISASecure.org, the name of the asset owner organization and the information on their certificate(s) that are in valid status. An asset owner that does not elect that ISCI post this information, may request that ISCI provide the information directly to a specified third party.

Relationship to other ISASecure® 62443 Certification Programs

This section discusses the relationship of ACSSA to other 62443 certifications. An asset owner will gain significant leverage for conformity to ACSSA criteria, by employing system products that conform to 62443-3-3, component products that conform to 62443-4-2, and service providers that conform to 62443-2-4. They gain further leverage for demonstrating this conformity in an ACSSA evaluation, if these products and service providers are certified for conformity to these standards. Examples are products certified under ISASecure CSA or ISASecure SSA, and a maintenance service provider that holds a 62443-2-4 certification for their vulnerability scanning services. The use of vendors with these achievements, though not required by ACSSA, may fulfill in part the requirements for the 62443-3-3 and 62443-2-4 elements of an ACSSA evaluation. The following discussion outlines those aspects of the ACSSA requirements that are fulfilled by conformity and certification to these individual parts of the 62443 standard, and the aspects that remain to be met, to pass the 62443-3-3 and 62443-2-4 elements of an ACSSA evaluation.

ACSSA ML 3 criteria  

ACSSA ML 3 criteria for a 62443-3-3 requirement examine the utilization of required technical capabilities in a zone based upon its target security level and upon any additional requirements resulting from the asset owner’s risk assessment. The existence of a required capability in a zone and the verification that it is appropriately utilized are both examined in an ACSSA evaluation. Certification of system products to 62443-3-3 and component products to 62443-4-2 contribute evidence that required technical capabilities exist in a product, and therefore are present in a zone containing the product. Such certifications review a product as it is offered for sale, and therefore do not examine whether or how a specific user utilizes product capabilities.

It is logical for an evaluator to examine first whether a product has a security capability, and then to examine how the capability is configured and utilized in the IACS under evaluation. For the first step, a zone that supports a security capability may be shown to support it either using evidence from prior product certifications, or by direct evaluation by the ACSSA evaluator. The former method is expected to make the ACSSA evaluation process more efficient.

If an IACS zone is comprised of products that do not have a capability required by 62443-3-3 for the target security level of that zone, then in order to pass the ACSSA evaluation, the asset owner will need to either provide a risk-based rationale, or identify, deploy, and provide rationale for compensating security measures to compensate for the risk which that capability would have mitigated if present. An asset owner will not need to perform these actions if they deploy products that support security capabilities required under 62443-3-3 or 62443-4-2 for the security level of the zone. This does not necessarily mean that all products in the zone need these capabilities or need a related certification. In some cases, a subset of products in a zone may support a capability for the entire zone. For example, several devices in the zone may not have sufficient audit storage but forward their logs to another storage device in the zone when their storage space is exceeded. Likewise, only one device in a zone may have the capability to identify and report unauthorized wireless devices, but it is configured to have visibility to all zone communication.

In summary, in order to evaluate a zone for a specific 62443-3-3 requirement, the ACSSA evaluator would first verify that either (1) the capability described by that requirement is present and supports the entire zone, (2) compensating security measures are present, or (3) a risk-based rationale has been provided that the capability is not required in the zone. Assurance of the support of the security capability for the zone for (1) can most easily be based upon certifications for products in the zone. The evaluator may then commence verification that the capability is configured and utilized in accordance with asset owner policies and procedures, which will complete the ACSSA evaluation of the 62443-3-3 requirement for the zone.

Conversely, an IACS passing an ACSSA evaluation does not imply that systems or components used by that asset owner should receive a 62443-4-2 or 62443-3-3 certification, although they will be well positioned to apply. All security capabilities required under these standards may not be necessary for a particular IACS, so their presence may not be examined under ACSSA. Further, product certifications such as ISASecure CSA or ISASecure SSA examine not only the presence of security capabilities, but additional details of their implementation and artifacts from the application of a secure product development process for that product. These certification programs also incorporate independent tests by the evaluator for selected product security capabilities and perform an aggressive form of vulnerability scanning. ACSSA evaluation for deployed systems does not incorporate such independent tests by the evaluator.

Service provider certifications 

An asset owner can pass ACSSA ML 2 criteria for a 62443-2-4 requirement if, for a task to which that requirement applies, they employ a service provider that is certified to 62443-2-4 at ML 3 for that 62443-2-4 requirement.

If a service provider does not have an ML 3 certification for a 62443-2-4 requirement, but has a documented process intended to fulfill the requirement, this process may be presented as evidence to the ACSSA evaluator. However, ACSSA does not accept an ML 2 62443-2-4 certification to meet ML 2 ACSSA requirements.

In order to pass ACSSA ML 3 criteria, in addition to ML 2 evidence as just described, there must be evidence that the task to which a 62443-2-4 requirement applies was carried out by the service provider, specifically for the IACS under evaluation. Although the service provider’s ML 3 certification would have required evidence of service provider execution of their process, that evidence may have been for other IACS and not for the IACS under ACSSA evaluation.

Conversely, documented processes of the service provider and evidence of their execution for the asset owner that have been presented under an ACSSA evaluation, may be submitted as evidence to support a 62443-2-4 certification for a service provider. However, an IACS passing an ACSSA evaluation does not imply that a service provider for that asset owner should receive a 62443-2-4 certification. The service provider’s process used for an IACS asset owner and evidence of execution of that process would need to be evaluated by a 62443-2-4 certification body for sufficiency in a broader context than the specific IACS undergoing an ACSSA evaluation.

Organizational Roles

The following organizations participate in the ISASecure ACSSA program. 

    • Asset owners are accountable for an IACS. They may define the boundaries of an IACS and apply for an ACSSA inspection or certification for the IACS. They may use passing an ACSSA certification as an internal goal, or to demonstrate the IACS security posture to external stakeholders. They may use information from a formal ACSSA inspection, or information derived from their internal use of the ACSSA specifications, to inform their security program.

    • Integration service providers may be asked by an asset owner to serve as sources for existing or new system documentation, based upon work they performed previously during the integration phase for an IACS under evaluation.

    • Maintenance service providers may be asked by an asset owner to serve as sources for maintenance process documentation and evidence of process execution for an ACSSA evaluation. If a maintenance service provider holds a suitable 62443-2-4 certification at ML 3, for requirements in that standard applicable to the tasks they will carry out for the IACS under evaluation, this certification contributes evidence for conformity to those requirements under ACSSA. Evidence in addition to this certification may be required to demonstrate conformity specifically for the IACS under evaluation. (See also 4.7 for further discussion of the relationship of ACSSA to other 62443 certifications.)

    • Product suppliers may be asked by an asset owner to serve as sources for specific information about the capabilities of products used in the IACS, that is required as evidence for an ACSSA evaluation. ACSSA evaluation examines the asset owner’s utilization of technical capabilities to meet the target security level of a zone. If a supplier of products for that zone holds a suitable 62443-4-2 or 62443-3-3 certification for such a product, that certification provides evidence that required capabilities for the zone are present for that product. The evaluator may then efficiently commence examination of the utilization of these capabilities by the asset owner. (See also 4.7.)

    • Conformity assessment bodies (IBs and CBs) may accept an application from an asset owner for ACSSA evaluation of an IACS and evaluate the IACS. IBs are authorized to issue formal ACSSA inspection reports. CBs are authorized to grant ACSSA certifications and issue ACSSA certification reports and certificates when certification criteria are met.

    • ISCI defines, maintains and manages the overall ISASecure ACSSA inspection and certification programs, interprets the ISASecure specifications and maintains a web site to make program documentation available. The ISCI website also provides a list of conformity assessment bodies. When requested by an asset owner, an ACSSA certificate achieved by the asset owner is posted on the site or provided directly to specified third parties.

    • ASCI (Automation Standards Compliance Institute), as the legal entity representing ISCI, grants ACSSA IB and/or CB status to applicant organizations based on successful accreditation to criteria defined by ISCI.

    • ACSSA accreditation bodies evaluate candidate organizations for ACSSA IB or CB status and determine if they meet program accreditation criteria.

    • External stakeholders for IACS security such as insurance companies or closely connected business partners for an asset owner, may use results of a formal ACSSA inspection or achievement of a certification for a specific IACS, to assess the risk they themselves may encounter, that is influenced by the security posture of the IACS.

ISCI is organized as an interest area within ASCI, a not-for-profit 501 (c) (6) corporation owned by ISA (International Society of Automation). Descriptions of the governance and organizational structure for ASCI are found on the ISASecure website: http://www.ISASecure.org.

ISASecure IBs and CBs conduct assessments in accordance with ISO/IEC 17020 (IB) and ISO/IEC 17065 (CB) and maintain confidentiality of supplier’s assessment information at all times. No proprietary company information is ever publicly disclosed. As the owner of the ISASecure conformance scheme, ISCI may have its staff examine random work products related to a supplier evaluation at infrequent intervals to ensure the quality of the ISASecure ACSSA program or to process a complaint to ISCI.

Certification Program Documentation

There are five major categories of ISASecure ACSSA program documents:

  • Technical specifications, shown with no pattern in light blue, that describe the technical criteria applied to determine conformity to 62443
  • Conformity assessment bodies, shown in gold diagonal stripe, that describe how an organization can become a recognized ACSSA inspection body or certification body and carry out this role
  • Symbols and certificates, shown in blue horizontal stripe, that cover the proper usage of the ISASecure symbols and certificates
  • Structure, shown in an orange brick pattern, used to describe the overall ACSSA inspection and certification schemes. The present document falls in this category.
  • External references, shown with no pattern in dark grey, are documents that apply to the ISASecure program but are maintained outside of the program.

 

ISASecure® ACSSA Conformance Scheme Fees

ACSSA IB Registration Fee   TBD (To be released 1 May 2026)
ACSSA CB Registration Fee  TBD (To be released 1 May 2026)

 

ACSSA Certification Specification

ACSSA-100 ISASecure Certification Scheme
ACSSA-102 Errata

 

Evaluation Planning for the Asset Owner

ACSSA-101 Evaluation Planning

 

Certification Specifications

ACSSA-204 Instructions and Policies for Using the ISASecure Symbol and Certification
ACSSA-205 Certificate Document Format

 

Technical Specifications

Specifications are available for FREE to ISASecure members. Please email mritterskamp@isa.org if you need assistance. Be sure to include your company name and membership information.

ACSSA Technical Documents

  • ACSSA-300 ISASecure Certification Requirements

  • ACSSA-303 ISASecure ACSSA Report Sample

  • ACSSA-304 ACSSA Evaluation Planning and Execution

  • ACSSA-305 ACSSA Evaluation Plan

  • ACSSA-311 ACSSA Evaluation Methods    

Available for Purchase in the ISA Store

 
