Overview of cybersecurity standards: ISO 27001, IEC 62443, EN 18031 and more. Learn which standards are relevant for your company.
Standards and norms are indispensable when it comes to quality, safety and efficiency in almost all industries. They facilitate trade, improve product quality and provide companies with a reliable framework for governance and compliance. Below we explain the difference between norms and standards, their importance for corporate management, the main standardization organizations and the role of harmonization within the European Union.
Difference between norms and standards
The term "standard" denotes technical specifications developed by recognized organizations whose application is usually voluntary. Standards often describe specific methods, procedures or attributes for products and services.
By contrast, "norms" are more formal and are published by official standardization bodies. Norms often enjoy broad acceptance and are increasingly considered in regulatory frameworks (see for example the New Legislative Framework in the EU). While standards frequently cover industry-specific requirements, norms tend to be more comprehensive and carry significant weight in legislation.
Role of norms in corporate management
Norms are an essential component of governance, risk and compliance management (GRC). They help organizations comply with legal requirements, identify and control potential risks, and generally create transparent and efficient corporate structures.
Norms such as ISO 31000 (risk management) or ISO/IEC 27001 (information security management) provide proven frameworks that support organizations in systematically managing operational risks.
Standardization organizations
At the international level, the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU) play a leading role in developing globally applicable norms.
In Europe, the European Committee for Standardization (CEN) together with the European Committee for Electrotechnical Standardization (CENELEC) and the European Telecommunications Standards Institute (ETSI) carry out key tasks in European standardization work.
In Germany, the German Institute for Standardization (DIN) and the German Commission for Electrical, Electronic & Information Technologies in DIN and VDE (DKE) are particularly responsible for creating and maintaining national norms.
Harmonization of norms in the EU
Harmonization of norms within the European Union is achieved through the publication of so-called harmonized standards in the Official Journal of the European Union (OJEU). These standards help companies develop products and services that are recognized across all EU member states and comply with the applicable regulations.
Publication of a standard in the OJEU signals that it is acknowledged by EU institutions. Products that conform to these standards are therefore regarded as compliant with relevant EU requirements.
Selecting relevant norms in the field of cybersecurity
In the field of cybersecurity, norms such as ISO/IEC 27001 are of great importance. This standard provides a framework for managing information security and helps organizations protect themselves against security threats.
Important cross-industry norms for operators include:
- ISO/IEC 27001: "Information security, cybersecurity and privacy - Information security management systems - Requirements"
This standard defines requirements for an information security management system (ISMS). It offers a systematic approach to managing sensitive company information and applies across industries.
- ISO/IEC 27701: "Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines"
As an extension of ISO 27001, this standard focuses on privacy. It provides guidance for implementing, maintaining and continually improving a privacy information management system (PIMS).
- ISO 22301: "Security and resilience - Business continuity management systems - Requirements"
This standard specifies requirements for a business continuity management system (BCMS). It helps organizations prepare for, respond to and recover from incidents.
Important standards for product manufacturers include:
- ISO/IEC 15408: "Information security, cybersecurity and privacy - Evaluation criteria for IT security"
This family of standards, also known as the Common Criteria, provides a framework for specifying, implementing and evaluating security functions in IT products. It is often used for certification of security products.
- ISO/IEC 30111: "Information technology - IT security techniques - Vulnerability handling processes"
This standard provides guidance for organizations on handling vulnerabilities in their products and services. It describes processes for internal management of security flaws.
- ISO/IEC 29147: "Information technology - Security techniques - Vulnerability disclosure"
This standard contains guidelines for the disclosure of security vulnerabilities. It helps organizations establish effective processes for receiving and processing vulnerability reports.
- EN 18031: "Common security requirements for radio equipment"
This standard deals with information security and the protection of personal data for internet-connected radio equipment.
There are also numerous additional industry-specific norms.
Industry in general
- IEC 62443: "IT security for industrial automation and control systems"
This series of standards addresses IT security for industrial automation and control systems (IACS). It provides guidance for manufacturers, integrators and operators of industrial facilities.
Automotive and agricultural machinery industry
- ISO/SAE 21434: "Road vehicles - Cybersecurity engineering"
This standard focuses on cybersecurity in the automotive industry. It defines requirements for cybersecurity risk management in vehicle development and throughout the product lifecycle.
- ISO 24089: "Road vehicles - Development and execution of software updates"
This standard deals with the processes and requirements for software updates in vehicles. It is particularly relevant in the context of increasing digitization and connectivity of vehicles.
- ISO 24882: "Agricultural and forestry machinery and tractors - Cybersecurity engineering"
This standard, still under development, aims to define cybersecurity requirements for agricultural machinery to minimize security risks across the product lifecycle.
Rail industry
- CLC/TS 50701: "Rail applications - Cybersecurity"
This technical specification addresses cybersecurity in the rail sector. It offers guidance for implementing cybersecurity measures in rail systems.
- IEC 63452: "Rail applications - Cybersecurity"
This standard, currently under development, describes a unified approach to managing cybersecurity for rail systems by adapting the requirements of the IEC 62443 series to the specific applications and operating environments of railways and synchronizing them with the RAMS lifecycles of the IEC 62278 series.
Mechanical engineering
- EN 50742: "Protection against corruption"
This standard, currently under development, describes how machines can be secured against intentional and unintentional corruption in accordance with the Machinery Directive.
Medical devices
- IEC 80001-5-1: "Application of risk management for IT networks incorporating medical devices - Security, safety and data and system security during the implementation and use of connected medical devices or connected health software - Part 5-1: Product lifecycle activities"
This standard provides guidance for the cybersecurity of networked medical devices. It supports healthcare organizations in risk assessment and mitigation.
- IEC TR 60601-4-5: "Medical electrical equipment - Part 4-5: Guidance and evaluation - Safety-related technical requirements for security"
This technical report deals with the cybersecurity of medical electrical equipment and systems. It gives manufacturers guidance on considering cybersecurity aspects.
Lifts, escalators and moving walkways
- ISO 8102-20: "Electrical requirements for lifts, escalators and moving walkways - Part 20: Cybersecurity"
This standard addresses cybersecurity requirements specifically for lifts, escalators and moving walkways. It defines measures to protect against cyber threats throughout the entire lifecycle - from development through operation to decommissioning. The standard is oriented to existing principles of IEC 62443 but adapts them to the particularities of vertical transportation technology.
Internet of things
- ETSI EN 303 645: "CYBER - Cybersecurity for consumer Internet of Things: Baseline requirements"
This European standard defines cybersecurity requirements for consumer IoT devices. It aims to ensure a basic level of security for these devices.
Norms and standards in the field of cybersecurity not only serve technical quality assurance but are also key pillars of effective corporate governance. They help meet regulatory requirements, minimize risks and strengthen trust in digital products and services. International cooperation in standard-setting and harmonization at EU level ensure that companies can compete in the global market without losing sight of security.
Support for implementation
Standards and norms play a central role in making cybersecurity traceable and verifiable. At the same time, the variety of requirements - from industry-specific norms to general security standards - is difficult for many organizations to oversee.
Secuvi supports you in identifying the norms relevant to your organization, interpreting them in a practical manner and integrating them into existing processes. Whether IEC 62443, EN 18031 or other requirements - our goal is to implement security and compliance so that they meet both regulatory demands and real operational conditions.
If you would like to check which norms apply to your products or systems and how they can be implemented efficiently, you can find more information and contact options at: secuvi.com