Automation Control System Security Assurance (ACSSA) Certification

ACSSA certifies compliance with ISA/IEC 62443-2-1, 2-4, 3-2 and 3-3.

Automation Control System Security Assurance (ACSSA) Certification - 1.0.0

Effective 17 February 2026

Scope

Automation Control System Security Assurance (ACSSA) evaluates a deployed control system and related asset owner policies and procedures.

Industrial Automation and Control Systems (IACS) are eligible for ACSSA programs if the asset owner seeking an ACSSA evaluation is fully accountable for managing, operating and maintaining all hardware and software within that IACS, and for all ingress/egress points for external communication with that IACS.

The scope of an ACSSA evaluation includes the following:

  • An IACS that is in-operation or operations-ready
  • A Security Program (SP) that documents the security policies and procedures for the IACS
  • The roles, responsibilities and training for the personnel who interact with the IACS
  • Service providers responsible for IACS maintenance, integration or other services

ACSSA Evaluation

The ACSSA evaluation (Figure 1) is performed against the following ISA/IEC 62443 standards:  

  • ISA/IEC 62443-2-1: Security program requirements for IACS asset owners
  • ISA/IEC 62443-3-2: Security risk assessment for system design
  • ISA/IEC 62443-2-4: Security program requirements for IACS service providers
  • ISA/IEC 62443-3-3: System security requirements and security levels

Figure 1 Reference Standards

Two schemes are offered: inspection and certification.

The evaluation process and criteria for conformity with individual ISA/IEC 62443 requirements are identical for ACSSA inspection and initial ACSSA certification. While both attest to the conformity of an IACS to individual requirements in the ISA/IEC 62443 standards, the key difference between the two programs is that an ACSSA inspection results in a pass/fail letter. An ACSSA certification attests to the overall conformity of an IACS with the same requirements and defines the criteria for granting a three-year certification to an IACS based on the results of the ACSSA evaluation. An asset owner that achieves ACSSA certification for an IACS can display the ISASecure ACSSA symbol in association with that IACS.

Both inspections and certifications provide documented evaluation results at a point in time. However, a certification is valid for a specified period, requires periodic review (known as surveillance) and offers a recertification process to maintain the certification beyond that period.

An asset owner organization might use an ACSSA inspection for internal purposes to gauge the current security posture of an IACS in operation or the security readiness of an IACS deemed ready for operation. They may schedule future inspections as they see fit to measure progress. An ACSSA inspection could be used to extend or confirm efforts by internal audit resources of the asset owner organization.

An asset owner organization might use a certification as part of a long-term public commitment to maintain its security program, because an external entity provides incentives for maintaining certification or because an external entity requires certification under certain circumstances. Examples of such external entities may include customers, insurance providers or regulators that work with the asset owner organization.

Eligibility for ACSSA

Asset owners responsible for an IACS can apply for ACSSA inspection or certification if the IACS is either in operation or near transition to operation. “Near transition to operation” means that the asset owner can provide information submissions and meet other preparedness criteria defined in the ACSSA specifications. Examples of required submissions are a system asset inventory under change control and a risk assessment for the IACS performed in accordance with ISA/IEC 62443-3-2. Detailed ACSSA eligibility criteria for an IACS are given in the ACSSA program specification ACSSA-300.

The asset owner determines the scope of the IACS for evaluation. The required documentation to define this scope is described in ACSSA-300. Examples include the asset inventory for the system under evaluation, a list of equipment under control, applicable policies and procedures and a list of service providers.

Overview of the Process for ACSSA Inspection and Certification

To obtain an ACSSA inspection, an asset owner applies to an accredited Inspection Body (IB) for inspection of a specified IACS. The IB determines the eligibility of the IACS in accordance with the requirements of ACSSA-300. Once eligibility is established, the asset owner and IB create an evaluation plan. Upon execution of the agreed plan and the completion of the evaluation, the asset owner receives a cover letter from the IB that attests to completion of the evaluation, which references the resulting report. The asset owner will receive a formal ACSSA inspection report conforming to the ACSSA-specified format and content defined in ACSSA-303. The report provides statements of conformity to individual ISA/IEC 62443 requirements as described in Section 4.2, and descriptions of any nonconformities identified.

To obtain an ACSSA certification, an asset owner applies to an accredited Certification Body (CB) for certification of a specified IACS. The CB determines the eligibility of the IACS in accordance with the requirements of ACSSA-300. Once eligibility is established, the CB typically performs a gap analysis to assist the asset owner in preparing for the formal evaluation. If the IACS meets the certification criteria, it is granted certified status upon completion of the formal evaluation and remains certified until the expiration date, as specified in ACSSA-300. The asset owner receives a certificate and a formal certification report. The certification report includes the content required for a formal inspection report, as described in Section 4.4. A periodic surveillance process, specified in ACSSA-300, is required to maintain the certification until its expiration date. A recertification process is required to extend the certification beyond the expiration date. At that time, a new certificate and certification report are issued.

An IACS is evaluated to the same criteria whether or not it is in operation. However, for some requirements, evidence available to demonstrate conformity may differ. In these cases, the ACSSA specifications allow for several types of evidence.

ACSSA Certified IACS

An asset owner with an IACS certified under the ACSSA certification program may display the ISASecure symbol and the certificate granting certification in accordance with the program procedures described in ACSSA-204. A certification references a three-digit certification version that identifies the set of ISASecure specifications used for the certification. For example, the ABC Company IACS in City Y might be certified to ISASecure ACSSA 1.0.0.

At the request of an asset owner organization, ISCI will post on its website, https://ISASecure.org, the name of the asset owner and the information on their certificate(s) that are of valid status. An asset owner that chooses not to have ISCI post this information may request that ISCI provide it directly to a specified third party.

Relationship to Other ISASecure® ISA/IEC 62443 Certification Programs

An asset owner may improve its ability to demonstrate conformity to ACSSA criteria by employing system products that conform to ISA/IEC 62443-3-3, component products that conform to ISA/IEC 62443-4-2, product vendors that conform to ISA/IEC 62443-4-1 and service providers that conform to ISA/IEC 62443-2-4. Each can further strengthen that demonstration during an ACSSA evaluation if these products, systems and service providers are certified for conformity to these standards. Examples include products certified under ISASecure Component Security Assurance (CSA) or ISASecure System Security Assurance (SSA), or a maintenance service provider that holds an ISA/IEC 62443-2-4 certification for their vulnerability scanning services. The use of vendors with these achievements may partially fulfill the requirements for the ISA/IEC 62443-3-3 and ISA/IEC 62443-2-4 elements of an ACSSA evaluation. The following discussion outlines which aspects of the ACSSA requirements are fulfilled by conformity and certification to these individual parts of the ISA/IEC 62443 standard, and which aspects remain to be met to pass the ISA/IEC 62443-3-3 and ISA/IEC 62443-2-4 elements of an ACSSA evaluation.

Organizational Roles

The following organizations participate in the ISASecure ACSSA program. 

    • Asset owners are accountable for an IACS. They may define the boundaries of an IACS and apply for an ACSSA evaluation for the IACS. They may use passing an ACSSA certification as an internal goal or to demonstrate the IACS security posture to external stakeholders. They may use information from a formal ACSSA inspection or information derived from their internal use of the ACSSA specifications to inform their security program. 

    • Integration service providers may be asked by an asset owner to serve as sources for existing or new system documentation, based upon work they previously performed during the integration phase for an IACS under evaluation.  

    • Maintenance service providers may be asked by an asset owner to serve as sources for maintenance process documentation and evidence of process execution for an ACSSA evaluation. If a maintenance service provider holds a suitable ISA/IEC 62443-2-4 certification at ML 3, for requirements in that standard applicable to the tasks they will carry out for the IACS under evaluation, that certification contributes evidence for conformity with those requirements under ACSSA. Additional evidence may be required to demonstrate conformity for the IACS under evaluation. 

    • Product suppliers may be asked by an asset owner to serve as sources for specific information about the capabilities of products used in the IACS, as required evidence for an ACSSA evaluation. An ACSSA evaluation examines the asset owner’s use of technical capabilities to meet the target security level of a zone. If a supplier of products for that zone holds a suitable ISA/IEC 62443-4-2 or ISA/IEC 62443-3-3 certification for such a product, that certification provides evidence that the required capabilities for the zone are present for that product. The evaluator may then efficiently begin examining the use of these capabilities by the asset owner. (See also 4.7.)

    • Conformity assessment bodies, inspection bodies (IBs) and certification bodies (CBs) may accept an application from an asset owner for ACSSA evaluation of an IACS and evaluate the IACS. IBs are authorized to issue formal ACSSA inspection reports. CBs are authorized to grant ACSSA certifications and issue ACSSA certification reports and certificates when certification criteria are met. 

    • ISCI defines, maintains and manages the overall ISASecure ACSSA inspection and certification programs, interprets the ISASecure specifications and maintains a website to make program documentation available. The ISCI website also provides a list of conformity assessment bodies. When requested by an asset owner, an ACSSA certificate achieved by the asset owner will be posted on the site or provided directly to specified third parties. 

    • ASCI, the Automation Standards Compliance Institute, as the legal entity representing ISCI, grants ACSSA IB and/or CB status to applicant organizations based on successful accreditation to criteria defined by ISCI.

    • ACSSA accreditation bodies (ABs) evaluate candidate organizations for ACSSA IB or CB status and determine whether they meet program accreditation criteria. 

    • External stakeholders for IACS security, such as insurance companies or closely connected business partners for an asset owner, may use the results of a formal ACSSA inspection or the achievement of certification for a specific IACS to assess the risk they may encounter, as influenced by the IACS's security posture.

ISCI is organized as an interest area within Automation Standards Compliance Institute (ASCI), a not-for-profit 501(c)(6) corporation owned by International Society of Automation (ISA). Descriptions of ASCI's governance and organizational structure are available on the ISASecure website at http://www.ISASecure.org.

ISASecure IBs and CBs conduct assessments in accordance with ISO/IEC 17020 for IBs and ISO/IEC 17065 for CBs and maintain the confidentiality of suppliers’ assessment information at all times. No proprietary company information is ever publicly disclosed. As the owner of the ISASecure conformance scheme, ISCI may examine random work products related to a supplier evaluation at infrequent intervals to ensure the quality of the ISASecure ACSSA program or to process a complaint submitted to ISCI.
 

Certification Program Documentation

ACSSA Documentation

ISASecure® ACSSA Conformance Scheme Fees

ACSSA IB Registration Fee   TBD (To be released May 2026)
ACSSA CB Registration Fee  TBD (To be released May 2026)


ACSSA Certification Specification

ACSSA-100 ISASecure Certification Scheme
ACSSA-102 Errata


Evaluation Planning for the Asset Owner

ACSSA-101 Evaluation Planning


Certification Specifications

ACSSA-204 Instructions and Policies for Using the ISASecure Symbol and Certification
ACSSA-205 Certificate Document Format


Technical Specifications

Specifications are available for FREE to ISASecure members. Please email mritterskamp@isa.org if you need assistance. Be sure to include your company name and membership information.

ACSSA Technical Documents

  • ACSSA-300 ISASecure Certification Requirements

  • ACSSA-303 ISASecure ACSSA Report Sample

  • ACSSA-304 ACSSA Evaluation Planning and Execution

  • ACSSA-305 ACSSA Evaluation Plan

  • ACSSA-311 ACSSA Evaluation Methods    

Available for Purchase in the ISA Store

 
