At the ongoing ISA OT Cybersecurity Summit in Brussels, the International Society of Automation (ISA) announced the upcoming rollout of the ISASecure Industrial Automation Control System Security Assurance (ACSSA) inspection and certification scheme. The plan will offer a common industry-vetted method for evaluating conformity of an industrial automation and control system (IACS) to the ISA/IEC 62443 series of standards, which includes policies and procedures, service providers and technical security controls.

ACSSA was formulated to help bridge lingering gaps in operational site assurance. Despite the comprehensive nature of ISASecure and cybersecurity expert programs, asset owners have relied on a patchwork of internal policies and third-party audits that vary across sites, leading to inconsistent security postures, compliance gaps, increased risk exposure, increased liability and regulatory non-compliance. ACSSA aligns all stakeholders around a consistent, standards-based program, contributing to a more secure and resilient environment for asset owners.

ISASecure’s ACSSA evaluates conformity to the ISA/IEC 62443 requirements by verifying processes, procedures, support from service providers and the configuration and utilization of control systems capabilities. As the ISA/IEC 62443 framework offers a risk-based approach, ACSSA evaluation begins with reviewing the asset owner’s risk assessment process and the results of that process.

The first three-day training course for ACSSA will be launched in early fall 2025 at ISA headquarters in Durham, North Carolina. An online version of the course will be offered in late 2025. ISA is accredited by the International Accreditors for Continuing Education and Training (IACET). 

“ISASecure is proud to announce our newest program, the ACSSA inspection and certification scheme,” Mark DeAngelo, ISASecure program manager, said in a Wednesday media statement. “ACSSA’s consistent approach benefits everyone — including asset owners, insurance providers, product suppliers, service providers, conformity assessment bodies and government bodies — allowing all to share a common understanding of facility risk.”

The ISA said in a separate flyer that the ISA Standards Compliance Institute (ISCI) is establishing ISASecure ACSSA, an ISA/IEC 62443 based cybersecurity assessment scheme that will become the global specification used by operating sites, certification bodies, internal auditors and public policy makers. ACSSA evaluates deployed control systems along with the related asset owner policies and procedures. When fully adopted by all stakeholders, the scheme will be similar to GAAP rules (Generally Accepted Accounting Procedures) published by the FASB, used by any organization, financial auditors and regulatory authorities. 

The professional society for automation anticipates the demand for this program to be even higher than the market for existing OT (operational technology) certifications. 

The ACSSA program is designed to offer the world’s first ISA/IEC 62443-based OT site assessment framework. Built on trusted international standards, the scheme aims to provide a consistent, objective method for evaluating and benchmarking the cybersecurity posture of OT environments. Asset owners will gain visibility into the security posture of their IACS across operating sites. This visibility provides a standardized benchmark, enabling them to understand how their security readiness compares with industry peers and sector expectations.

Insurance underwriters will benefit from objective, standards-based cybersecurity metrics rooted in the ISA/IEC 62443 framework. These assessments can be integrated into underwriting risk evaluations and actuarial models, improving risk profiling for industrial environments.

Product suppliers and service providers will gain greater clarity and transparency regarding their cybersecurity responsibilities. This includes their roles in delivering automation technologies, integration and maintenance services, and operational support. The framework also introduces structure to service-level agreements, helping to align expectations around cybersecurity commitments. Also, conformity assessment bodies are expected to see increased demand for services, driven by the appeal of a globally recognized, standards-based OT assessment scheme. The ACSSA program creates a clear pathway for independent validation of site-level cybersecurity conformance.

Lastly, governments, legislators, and regulatory authorities will be able to reference a widely accepted, industry-backed cybersecurity metric grounded in ISA/IEC 62443. This reference can support the development of policy language for critical infrastructure protection, including incentives and mandates to raise the baseline of OT cybersecurity across sectors.

The scheme offers an on-site control system inspection program and site certification program. Both the ISASecure ACSSA inspection and certification will operate as internationally recognized programs. The result of an ACSSA inspection will be a standardized inspection report, compiled by any entity licensed to use the specification including asset owners internally, consultants or accredited inspection bodies. The report identifies the requirements to which the designated system in the scope of evaluation is conformant and lists the requirements to which the system is non-conformant. 

The ISA noted that the result of an ACSSA certification will be a third-party certificate of conformance which independently confirms that a designated system in the scope of the evaluation is conformant to all requirements referenced in the five ISA/IEC 62443 standards listed in the certification scheme. The full set of ISA/IEC 62443 requirements would have to be met in order to receive a certification, including requirements from ISA/IEC 62443 parts 2-1, 2-3, 2-4, 3-2, and 3-3.

In April, in a significant development for industrial automation and digital manufacturing environments, the ISA released the 2025 edition of the ANSI/ISA-95.00.01 (IEC 62264-1 Mod) standard. The latest revision marks a pivotal enhancement to the ISA-95 series, reinforcing a common language and set of models essential for bridging the historically siloed domains of IT and OT, and reflecting emerging industry needs, evolving best practices, and the increasingly complex interplay between enterprise-level operations and shop floor execution.