The ISA Global Cybersecurity Alliance (ISAGCA) and ISASecure® held a webinar on 28 May 2026 that explored a growing challenge in OT cybersecurity: many organizations ask whether a product is “ISA/IEC 62443 certified,” but few understand that not all certifications provide the same level of assurance.
The webinar panel examined how ISASecure, IEC (International Electrotechnical Commission), the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components (IECEE) and private certification schemes differ in governance, testing rigor and assurance scope. The panelists provided perspectives from multiple points of view: the asset owner, the product supplier and the certification body.
The panelists included:
- Kenny Lee, head of the Cybersecurity Laboratory for SGS Taiwan
- George Hsiao, product manager, Moxa’s Industrial Computer Department
- Dennis Hackney, Ph.D., vice chair of ISAGCA
- SZ Lin as moderator, an industrial cybersecurity expert with over 15 years of experience spanning energy systems, oil & gas, semiconductor manufacturing and transportation
The Certificate Alone Does Not Tell the Full Story
An important takeaway from the discussion was that organizations should avoid assuming all 62443 certifications are equivalent.
The panel emphasized that stakeholders should ask:
- Who will provide my certification?
- What requirements will be evaluated?
- What will be excluded from the scope?
- How and where will the testing be performed?
- What evidence supports the certification?
According to the panelists, understanding the scope and verification process is just as important as seeing the certificate itself. In fact, the asset owner shared that they want to see the supporting documentation, not just a certificate, when looking at a supplier’s certified product.
Another factor discussed: certification cost should not be the deciding factor when determining which certification method to pursue. Stakeholders instead must focus on the rigor of the program. In fact, it was shared that in some cases suppliers paid larger fees for certification that did not fully meet the certification needs of the asset owner.
ISASecure vs. IECEE vs. Private Certification Schemes
The panel discussed key differences between ISASecure and the IECEE cybersecurity scheme. They also touched lightly on private certification schemes. All panelists agreed there is a large misconception across the supply chain that IECEE provides the same level of assurance as the ISASecure certification, but that is not necessarily the case.
ISASecure is built around an industrial cybersecurity scheme structure. IECEE operates within the IEC conformity assessment and CB Scheme framework. Private certificates rely more directly on the issuing certification body’s own methodology, interpretation and market reputation.
One panelist who has previously conducted both ISASecure and IECEE 62443 certifications shared that:
- ISASecure uses a predefined assurance structure where all applicable requirements for a target security level must be evaluated.
- IECEE allows more flexible scoping, meaning some requirements may be excluded from evaluation if the customer chooses to exclude them.
- Private certifiers use their own methodology, based on their internal experts’ interpretation.
Another panelist noted that ISASecure provided more consistent evaluation expectations across laboratories, while IECEE evaluations could vary greatly depending on the testing lab.
Private certification schemes are even more flexible, with the technical requirements varying from one certification body to another. As with IECEE, it is imperative to know up front how they are certifying the product and what specifications will be followed.
Certification Is Not a One-Time Activity
Another major theme was that certification represents a point-in-time evaluation, not permanent assurance.
The panel explained that suppliers must continue:
- Patch management
- Vulnerability response
- Security updates
- Lifecycle maintenance
As industrial technologies evolve, certified products must evolve as well.
Market Awareness Is Improving
The panel agreed that awareness of ISA/IEC 62443 certification is growing, especially due to regulations such as the EU Cyber Resilience Act and further adoption of ISA/IEC 62443 throughout the world, such as in the Middle East, Australia and parts of South America.
However, many procurement teams still broadly request “62443 certification” without defining:
- Which certification scheme is required?
- What scope should be evaluated?
- What level of assurance is expected?
The webinar concluded that organizations must move beyond simply asking whether a product is certified and instead understand how it was certified and what was evaluated. It is important to ask the right questions.
Suppliers should strive to ensure that asset owners have confidence in their certification process. To save frustration and ensure security, they can ask specifically for ISA/IEC 62443 certification.
To learn more, please view the online lecture and white paper on this topic: Comparing ISASecure, IECEE and Proprietary ISA/IEC 62443 Certification Schemes.
Resources that provide additional context to this subject: