Applying ISO/IEC 27001/2 and the ISA/IEC 62443 Standards for Operational Technology Environments (Oc
Many organizations (especially very large ones) have established policies and procedures governing the IT security in their office environment; many of these are based on ISO/IEC 27001/2 [27001] [27002]. Some have attempted to address their operational technology (OT) infrastructure under the same management system, and have leveraged many IT/OT commonalities. Although it would be ideal to always select common controls and implementations for both IT and OT, organizations have been confronted with challenges in doing so, such as OT operator screen locking creating unsafe conditions, antivirus products incompatible with OT equipment, patching practices disrupting production schedules, or network traffic from routine backups blocking safety control messages. The ISA/IEC 62443 series explicitly addresses issues such as these; this helps an organization to maintain conformance with ISO/IEC 27001 through common approaches wherever feasible, while highlighting differences in IT vs. OT approach where needed.
This webinar offers guidance for organizations familiar with ISO/IEC 27001 and interested in protecting the OT infrastructure of their operating facilities based on the ISA/IEC 62443 series. It describes the relationship between the ISA/IEC 62443 series and ISO/IEC 27001/2 and how both standards may be effectively used within one organization to protect both IT and OT.
62443 does not require the use of an underlying Information Security Management System (ISMS), However it requires that, if the organization has an established ISMS, the security program in the OT environment should be coordinated with it. In this document we are considering the use case of an existing ISMS based on ISO/IEC 27001/2.
Other information security standards similar in scope to 27001 might be used effectively together with 62443 under an approach similar to that described here. Evaluation of such approaches is outside the scope of this webinar. However, users of such standards are encouraged to explore that possibility.
This webinar offers guidance for organizations familiar with ISO/IEC 27001 and interested in protecting the OT infrastructure of their operating facilities based on the ISA/IEC 62443 series. It describes the relationship between the ISA/IEC 62443 series and ISO/IEC 27001/2 and how both standards may be effectively used within one organization to protect both IT and OT.
62443 does not require the use of an underlying Information Security Management System (ISMS), However it requires that, if the organization has an established ISMS, the security program in the OT environment should be coordinated with it. In this document we are considering the use case of an existing ISMS based on ISO/IEC 27001/2.
Other information security standards similar in scope to 27001 might be used effectively together with 62443 under an approach similar to that described here. Evaluation of such approaches is outside the scope of this webinar. However, users of such standards are encouraged to explore that possibility.
Contributors
Pierre Kobes
Pierre Kobes has worked for more than 40 years for SIEMENS AG and was responsible for Standards, Regulations, and Certifications. He participated in the development of most of the documents of ISA/IEC 62443, involved in multiple projects to implement the standard ISA/IEC 62443 within Siemens, and is still working on evolution of ISA/IEC 62443.