ACSSA First Stop: Why Risk Assessment Gates the Entire Site Assurance Process
During a webinar with ISASecure®, Patrick O’Brien (exida LLC) — with Q&A support from Carol Muehrcke (ISCI technical committee) — walked through ISASecure’s new Automation and Control System Security Assurance (ACSSA) certification program and clarified a critical point for practitioners: a conformant ISA/IEC 62443-3-2 risk assessment is the first requirement for any ACSSA inspection or certification.
ACSSA is an ISASecure scheme built on four standards in the ISA/IEC 62443 series:
- 62443-2-1 – Asset owner cybersecurity management system (policies, procedures, training, governance)
- 62443-2-4 – Security program requirements for integration and maintenance service providers
- 62443-3-2 – Cybersecurity risk assessment methodology for IACS
- 62443-3-3 – System security requirements and security levels (SL1–SL4)
Together, these standards reflect how OT cybersecurity works: responsibilities are distributed across product suppliers, integrators, service providers and ultimately the asset owner operating the system.
ACSSA Eligibility and Scope: Grounded in Operational Reality
Patrick emphasized two constraints engineers should plan around early. First, ACSSA applies only to IACS that are in operation or near transition to operation (typically during or after commissioning). The reason is practical: ACSSA evaluates implemented controls and evidence, not design intent. Second, ACSSA is site- and scope-specific. Certification or inspection applies to a defined IACS at a specific physical location. Even nearly identical sites require separate evaluations.
ACSSA scope includes the named asset owner organization, the IACS hardware/software inventory and baseline architecture, the equipment under control (and associated safety or environmental hazards), applicable integration and maintenance service providers, personnel interacting with the system and the site’s documented cybersecurity policies and procedures. Large facilities may evaluate a subset of the site, provided the system under consideration is clearly defined.
Why Risk Assessment Is Stop 1
ACSSA itself does not determine site risk. Instead, it evaluates whether your risk assessment conforms to the requirements of 62443-3-2 and whether your program and technical implementation are consistent with its results. If your risk assessment assigns a zone a target security level of SL3 or SL4, but your policies, procedures or technical controls do not meet the applicable 62443-3-3 requirements — and if you cannot justify that gap — ACSSA conformance cannot be achieved.
Patrick described ACSSA as a four-stop journey:
- Risk assessment,
- documentation of policies and procedures,
- evidence they are followed plus verification of technical controls and
- standardized reporting.
Inside the 62443-3-2 Workflow
The webinar outlined the 3-2 process in practical terms. It begins with defining the System Under Consideration (SUC): inventory, architecture, network diagrams and data flows. An initial risk assessment then evaluates worst-case cyber consequences, assuming no credit for countermeasures (i.e., likelihood is not considered). Based on consequence severity, assets are grouped into zones and conduits, and security level targets are set. Then a detailed risk assessment evaluates threat scenarios, countermeasures (including 3-3 requirements) and compensating controls where needed. The process concludes with documented cybersecurity requirements and formal asset owner approval, anchoring accountability.
A key engineering takeaway: two technically identical sites can have different ACSSA outcomes if their risk differs. Risk, and therefore required security capability, is driven by consequence, not by procedures and architecture alone.
Asset owners have several paths available depending on internal capability and desired outcome. If engaging a third party for any ACSSA-related activity, it is strongly recommended to confirm that the organization has completed and passed the ISA IC49 ACSSA training, as this ensures familiarity with the scheme requirements and evaluation approach.
Available ACSSA Paths
1) Internal (Self) Evaluation by the Asset Owner
If the asset owner is an ISASecure member and has qualified internal staff, they may conduct an internal ACSSA evaluation using the program specifications.
- No formal inspection or certification is issued
- No official ACSSA claim of conformity may be made
- Results may be used internally to assess readiness and confidence in conformance
2) Consultant-Assisted Preparation or Evaluation
Asset owners may engage an ISASecure ACSSA Consultant to support ACSSA readiness or perform an evaluation.
- Consultants may guide preparation, answer questions and identify gaps
- Consultants may communicate anticipated pass/fail results to the asset owner
- Consultants cannot issue formal ACSSA inspection or certification documentation
- No official ACSSA claim of conformity may be made
3) Inspection Body (IB) Evaluation
An accredited Inspection Body (IB) listed on the ACSSA web page may be engaged to perform an ACSSA inspection. All IBs are accredited by an external Accreditation Body (AB).
- IBs are accredited to ISO/IEC 17020, with ABs accredited under ISO/IEC 17011
- IBs perform independent conformity assessment and cannot answer questions during their review, identify gaps or assist the asset owner in order to pass
- No consulting or guidance is permitted by individuals involved in the evaluation
- An inspection letter is issued that confirms that a formal ACSSA evaluation was completed (regardless of outcome)
- A formal inspection report is issued detailing evaluation results
- An inspection is a point in time evaluation; no validity period is defined
4) Certification Body (CB) Evaluation
A Certification Body (CB) listed on the ACSSA web page may be engaged to perform an ACSSA certification. All CBs are accredited by an external Accreditation Body (AB).
- CBs are accredited to ISO/IEC 17065, with ABs accredited under ISO/IEC 17011
- CBs perform a formal evaluation toward certification and cannot answer questions during their review, identify gaps or assist the asset owner in order to pass
- If successful, a certificate is issued with validity period of three years
- At specific request of the asset owner, ISCI or the CB will verify the validity of a certificate by a public posting or by communicating privately to third parties
- A formal certification report is issued detailing evaluation results
- Annual surveillance audits are required to maintain certification during the three-year period
- Recertification is offered to further maintain certification after the three-year period
You can access further information on ISASecure’s website, including how to become an ISASecure member, access to online recorded lectures, blog posts, news and more.
Additional Complimentary Resources
-
All Aboard the ACSSA, First Stop - Risk Assessment, Patrick O’Brien, exida LLC, online lecture
-
Seeing ACSSA Come to Life: Reflections from the IC49 Pilot Evaluator Training