ISO/IEC 27001 vs IEC 62443 - standards for manufacturers

Read how ISO/IEC 27001 and IEC 62443 help manufacturers develop secure products and protect development environments.

Differences between ISO/IEC 27001 and IEC 62443

ISO/IEC 27001 is an internationally recognized standard for information security management systems (ISMS) that aims to protect information regardless of whether it is processed in IT, OT, or cloud environments. The standard ensures that organizations understand, mitigate, and monitor their information security risks. One important aspect is the requirement for a Secure Development Lifecycle (SDLC) for applications provided by the organization. This covers applications developed and operated in IT and cloud environments, but it does not cover products.

IEC 62443, on the other hand, is specifically focused on the security of industrial automation and control systems (OT). It emphasizes protecting OT environments and secure product development. In particular, parts IEC 62443-4-1 and IEC 62443-4-2 deal with the secure development of products sold to customers, such as industrial automation solutions. For manufacturers of industrial products that also use cloud services, IEC 62443-4-1 applies when cloud applications fall within the scope of an IEC 62443 certification.

Commonalities and overlaps between ISO/IEC 27001 and IEC 62443

ISO/IEC 27001 and IEC 62443 overlap in certain areas, especially when it comes to application development.

ISO/IEC 27001 requires a Secure Development Lifecycle (SDLC) for all applications an organization provides (Control 8.25). This necessarily includes cloud applications, since ISO/IEC 27001 covers information security across all domains - whether the application runs in IT, OT, or cloud environments. However, ISO/IEC 27001 does not cover the development of industrial products.

IEC 62443-4-1 also imposes requirements for a Secure Development Lifecycle, but it is focused on the secure development of products that are sold. This is particularly relevant for manufacturers of industrial products that also use cloud services. If a cloud application falls within the scope of an IEC 62443 certification, the development of that application should follow IEC 62443-4-1.

If, however, the deliverable is not an industrial product, or the application does not fall under an IEC 62443 certification, using ISO/IEC 27034 or another approach that satisfies the requirements of ISO/IEC 27001 is often sufficient. ISO/IEC 27034 is specifically aimed at secure application development and therefore fits better within the ISO/IEC 27001 framework. The similar numbering of the standards also reflects this alignment.

IEC 62443-4-1 requires a secure development environment for products (SM-7) and mandates the protection of private keys used during product development (SM-8). Both requirements can be met by implementing ISO/IEC 27001, provided the development environment is included in the ISMS scope. In this way the two standards complement each other well, since a secure development environment and the protection of cryptographic keys are central to both ISO/IEC 27001 and IEC 62443-4-1.

These overlaps show that organizations must decide, based on their specific needs and the desired certification framework, which standard to apply for the development of applications and products.

Comparison of requirements of ISO/IEC 27001 and IEC 62443-4-1

The following table shows the relevant controls of ISO/IEC 27001 compared to the requirements of IEC 62443-4-1 for the development of secure applications or products:

ISO/IEC 27001 control                                            | IEC 62443-4-1 requirement
-----------------------------------------------------------------|------------------------------------------------------
8.24 - Use of cryptography                                       | SM-8: Controls for private keys
8.25 - Secure development life cycle                             | SM-1: Development process
8.26 - Application security requirements                         | Practice 2 - Specification of security requirements
8.27 - Secure system architecture and engineering principles     | Practice 3 - Secure by design
8.28 - Secure coding                                             | Practice 4 - Secure implementation
8.29 - Security testing in development and acceptance            | Practice 5 - Security verification and validation testing
8.31 - Separation of development, test, and production environments | SM-7: Development environment security

Conclusion

ISO/IEC 27001 and IEC 62443 provide manufacturers of industrial products and application developers with a solid foundation for securing IT and OT environments as well as for developing secure products and applications.

ISO/IEC 27001 addresses information security in IT, OT, and cloud environments, while IEC 62443-4-1 specifically addresses product security and the secure development of industrial products. In areas such as the development environment and the protection of private keys, the two standards complement each other very well. Organizations can benefit from implementing ISO/IEC 27001, since it also covers requirements that appear in IEC 62443-4-1.

Organizations that develop both industrial products and cloud applications should be aware of these overlaps and combine the standards strategically to meet both regulatory and security requirements.