Building a Resilient World: Practical Automation Cybersecurity

New Resources: Exploring ISA/IEC 62443, ISO/IEC 27001 and ISO/IEC 27002

Written by Kara Phelps | Aug 4, 2025 11:00:00 AM

The ISA Global Cybersecurity Alliance (ISAGCA) recently published two documents seeking to facilitate better understanding of areas of common concern among the ISA/IEC 62443 series of standards — the world’s leading standards for operational technology (OT) cybersecurity — and the ISO/IEC 27001 and ISO/IEC 27002 standards, which govern many organizational and regulatory policies for information technology (IT) cybersecurity.

Newly updated for 2025, the paper entitled “Applying ISO/IEC 27001, ISO/IEC 27002 and the ISA/IEC 62443 Series for Operational Technology Environments” describes the relationship between ISA/IEC 62443 and ISO/IEC 27001/2, exploring how these standards can be used within a single organization to protect both IT and OT.

New this year is a companion paper, titled “Securing Operational Technology: Understanding the ISA/IEC 62443 Series of Standards from an ISO/IEC 27001 and ISO/IEC 27002 Perspective,” that suggests in-depth strategies for how ISA/IEC 62443 can help bridge OT cybersecurity gaps in organizations that have already implemented guidance related to ISO/IEC 27001/2.

The following sections briefly summarize each document.

Securing Operational Technology: Understanding the ISA/IEC 62443 Series of Standards from an ISO/IEC 27001 and ISO/IEC 27002 Perspective

This new white paper provides guidance for organizations with an existing Information Security Management System (ISMS) based on ISO/IEC 27001 and ISO/IEC 27002. It explains how to extend these practices to cover OT using the ISA/IEC 62443 series.

While ISO/IEC 27001/2 are effective for IT environments, they lack coverage for OT-specific needs such as health, safety, environmental concerns and continuity of physical processes. ISA/IEC 62443 is an effective complement, defining requirements for rigorous system integrity, security zones, network design and OT-specific security levels (SL 1 to SL 4). This document discusses how organizations should coordinate OT security management with the IT ISMS, noting that some ISA/IEC 62443 requirements explicitly refine or supplement ISO/IEC 27001/2 guidelines. The paper also includes detailed examples and mappings that show how best practices from the IT domain can be prioritized, adapted and reinforced for OT environments, supporting a comprehensive, enterprise-wide approach to cybersecurity for mixed IT/OT operations.

Applying ISO/IEC 27001, ISO/IEC 27002 and the ISA/IEC 62443 Series for Operational Technology Environments

This document, originally published in 2021 and updated in 2025, offers a practical approach for integrating ISO/IEC 27001 (ISMS), ISO/IEC 27002 (security controls) and the ISA/IEC 62443 standards to protect both IT and OT environments. It asserts that the ISO/IEC 27001/2 standards provide a strong foundation for managing IT security, while ISA/IEC 62443 is purpose-built to address OT-specific challenges such as maintaining operational continuity and managing the risks unique to industrial control systems.

For maximum effectiveness, organizations should align OT security programs with their ISMS, ensuring the programs are coordinated but tailored to OT’s unique requirements. ISA/IEC 62443 expands on ISO/IEC 27001/2 controls, introducing detailed requirements for asset owners, service providers and product suppliers that enable a defense-in-depth strategy across all involved actors. By combining elements from both families of standards, this paper asserts that organizations can achieve a holistic, risk-based cybersecurity strategy that effectively covers both their IT and OT infrastructures, adapting controls and measures as appropriate to each domain.

Download These Resources

The documents described in this blog post are available for download at the links below.
