ISO/IEC 27001 and IEC 62443 for CRA readiness
The two international standards manufacturers most often already hold. Both produce organisational and product-security evidence that maps directly onto the CRA essential requirements.
Reuse what you already have
ISO/IEC 27001 evidences the management system around secure development and incident handling. IEC 62443 evidences product and component security for industrial and operational-technology products. Neither is a CRA harmonised standard, so neither confers presumption of conformity. Both are recognised references that cover much of the CRA process and product surface, so a manufacturer holding either starts a CRA assessment well ahead.
ISO/IEC 27001
ISO/IEC 27001:2022, Information security management systems
The international standard for an information security management system (ISMS), covering the governance, risk, and control framework around an organisation's security practices.
Not a CRA harmonised standard
International management-system standard. It is not a CRA harmonised standard and does not confer presumption of conformity, but a certified ISMS is strong organisational evidence for the CRA's process obligations.
| Provision | Requirement & how the platform helps | CRA reference |
|---|---|---|
| A.5.7 | Threat intelligence Information on security threats is collected and analysed to inform action. Vulnerability monitoring sources and EUVD threat-intelligence integration. | Annex I Part II (2) |
| A.5.24 | Information security incident management Incident response is planned, with roles, reporting, and escalation defined. Article 14 three-stage reporting workflow with 24h/72h/final timers. | Article 14 |
| A.8.8 | Management of technical vulnerabilities Technical vulnerabilities are identified, evaluated, and remediated. Submission triage, CVSS scoring, remediation decisions, and SBOM impact assessment. | Annex I Part II (1),(3) |
| A.8.25 | Secure development lifecycle Rules for the secure development of software and systems are established. STRIDE threat modelling and secure-by-design evidence attached to each product. | Annex I Part I (1) |
| A.8.28 | Secure coding Secure coding principles are applied across development. Documented in the technical file alongside security-testing records. | Annex I Part I (1) |
IEC 62443
IEC 62443, Security for industrial automation and control systems
A series covering security for industrial automation and control systems, including secure product development (62443-4-1) and technical security requirements for components (62443-4-2).
Not a CRA harmonised standard
International IACS security series. It is not a CRA harmonised standard and does not confer presumption of conformity, but 62443-4-1 and 62443-4-2 evidence maps closely onto the CRA Annex I requirements for industrial products.
| Provision | Requirement & how the platform helps | CRA reference |
|---|---|---|
| 62443-4-1 | Secure product development lifecycle Defines a secure-by-design development process for control-system products. STRIDE threat modelling, risk scoring, and secure-development evidence per product. | Annex I Part I (1) |
| 62443-4-2 CR 1 | Identification and authentication control Component requirements for identifying and authenticating users and devices. Spoofing and unauthorised-access threats mapped to Annex I access controls. | Annex I Part I (2)(d) |
| 62443-4-2 CR 3 | System integrity Component requirements protecting integrity of data and control logic. Tampering threats and integrity controls in the threat model. | Annex I Part I (2)(f) |
| 62443-4-2 CR 4 | Data confidentiality Component requirements protecting confidentiality of information at rest and in transit. Information-disclosure threats mapped to Annex I confidentiality controls. | Annex I Part I (2)(e) |
| 62443-4-2 CR 7 | Resource availability Component requirements for resilience against denial-of-service conditions. Availability-degradation threats and resilience controls recorded in the assessment. | Annex I Part I (2)(h) |
Map your ISMS and product security to the CRA
Bring your existing controls into a CRA assessment and export an audit-ready Annex VII technical file.
Get Started for Free