
My Experience Preparing for IC49, ISASecure’s ACSSA for Evaluators 3-Day Training

By Deniz Kaya

For those of us who have spent years working within the ISA/IEC 62443 ecosystem, it’s easy to assume that familiarity with the standards translates directly into the ability to evaluate against them. My experience preparing for and participating in IC49 showed me that this is not the case.

IC49 is the three-day training for evaluators of the ISASecure® Automation Control System Security Assurance (ACSSA) program. IC49 asks more of its students than textbook knowledge of ISA/IEC 62443 — it requires a complete shift in mindset.

Preparing for IC49: A Change in Perspective

Being an active and voting member in the ISASecure Technical Steering Committee for some time and working in an organization that conducts conformity audits across multiple sectors, I approached the IC49 three-day training class as someone who needed to transition from understanding the standards to applying them as an evaluator.

My preparation focused on revisiting the ACSSA specifications and re-reading ISA/IEC 62443 2-1, 2-4, 3-2 and 3-3, but with a different objective. Beyond a simple refresher, I wanted to sharpen my understanding of the relationships between these standards and understand how they function together within the ACSSA evaluation model.

Experience in audit practice is important, but ACSSA introduces its own methodology, terminology and evaluation logic. Taking the time to engage with the structure in advance gave me a great head start.

What I Recommend to Others Preparing for IC49

If I had to give one piece of advice, it would be this: focus on understanding the logic that connects the standards, not just the standards themselves.

The ACSSA framework is built on dependencies, and those dependencies drive everything.

It starts with ISA/IEC 62443-3-2. The risk assessment defines zone partitioning and assigns target security levels (SL-T) to each zone. Those SL-T values then determine which 62443-3-3 technical requirements apply, and which evaluation methods must be used.

If that first phase is incorrect — if zones are poorly defined or if SL-T values are misassigned — then every subsequent phase is affected.

Equally important is understanding how findings propagate through the evaluation:

    • A nonconformity in a 62443-2-4 service provider requirement can affect the composite ML 2 outcome tied to 62443-2-1.
    • A nonconformity in a 62443-3-3 technical requirement can impact the ML 3 composite result of the associated 2-1 requirement.
    • A single gap identified in a sampled zone can cascade into a “not passed” status at the industrial automation and control system (IACS) level.

This is not a checklist-driven exercise. It is a structured evaluation system where decisions and findings are interconnected.

Coming into IC49 with that architecture already in mind makes a significant difference. The course exercises become much more intuitive, and the methodology starts to resolve itself.

The IC49 Course Experience

The ACSSA scheme is inherently complex. It spans multiple standards, maturity levels and security levels, and introduces a layered terminology — SL-Ts, SL-Cs, MLs, ZCRs, PPS requirements, ZUEs and composite evaluation outcomes — that must all be applied consistently.

While the content of the IC49 course itself is valuable, the people behind it are the ones who made the experience truly worthwhile for me.

The instructors and developers bring their own deep experience to the classroom. During the course, they explained why the requirements exist and how they should be interpreted in practice, which is difficult to extract from the specifications alone.

Finally, the practical exercises were where everything came together. They included building an evaluation plan for a representative IACS environment, applying ACSSA evaluation methods to real policy and procedural artifacts and working through nonconformity scenarios and understanding their broader impact.

These exercises help turn theoretical knowledge into something you can actually execute. I left the course confident in my ability to apply ACSSA.

Why ACSSA Matters

From my perspective, ACSSA fills a long-standing gap in the industry.

For organizations that have spent years designing and maturing their IACS environments in alignment with ISA/IEC 62443, ACSSA provides a way to move beyond self-assessment and toward independently verified conformity. Asset owners now have a credible and standardized way to evaluate their cybersecurity posture, and IC49 teaches them how to do so. This is a meaningful shift for the operational technology (OT) cybersecurity community.

Final Thoughts

For experienced practitioners, IC49 is about refining how you apply what you already know within a structured and rigorous evaluation framework.

My recommendation when preparing for ISASecure’s IC49 ACSSA for Evaluators training is simple:

    • Focus on how the standards connect.
    • Understand how early decisions influence final outcomes.
    • Approach the methodology as an integrated system, not a checklist.

Do that, and the transition from understanding ISA/IEC 62443 to executing against it becomes both achievable and repeatable.



Deniz Kaya, CEO of Perseus Information Security Consulting, has a strong background in cybersecurity, having worked in various roles. Deniz holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University.

Deniz has a deep commitment to advancing cybersecurity across critical sectors. His credentials include TISAX Lead Auditor, ISA/IEC 62443 Cybersecurity Expert, ISO 27701 Lead Auditor and SWIFT CSP Assessor. Deniz has also completed the ISA IC49 ACSSA for Evaluators certification class and has been heavily involved in the technical review and development of ACSSA as an ISASecure member.
