← All standards
ISO/IECIEC

ISO/IEC 27001 and IEC 62443 for CRA readiness

The two international standards manufacturers most often already hold. Both produce organisational and product-security evidence that maps directly onto the CRA essential requirements.

Reuse what you already have

ISO/IEC 27001 evidences the management system around secure development and incident handling. IEC 62443 evidences product and component security for industrial and operational-technology products. Neither is a CRA harmonised standard, so neither confers presumption of conformity. Both are recognised references that cover much of the CRA process and product surface, so a manufacturer holding either starts a CRA assessment well ahead.

ISO/IECSupporting standard

ISO/IEC 27001

ISO/IEC 27001:2022, Information security management systems

The international standard for an information security management system (ISMS), covering the governance, risk, and control framework around an organisation's security practices.

Not a CRA harmonised standard

International management-system standard. It is not a CRA harmonised standard and does not confer presumption of conformity, but a certified ISMS is strong organisational evidence for the CRA's process obligations.

ProvisionRequirement & how the platform helpsCRA reference
A.5.7
Threat intelligence
Information on security threats is collected and analysed to inform action.
Vulnerability monitoring sources and EUVD threat-intelligence integration.
Annex I Part II (2)
A.5.24
Information security incident management
Incident response is planned, with roles, reporting, and escalation defined.
Article 14 three-stage reporting workflow with 24h/72h/final timers.
Article 14
A.8.8
Management of technical vulnerabilities
Technical vulnerabilities are identified, evaluated, and remediated.
Submission triage, CVSS scoring, remediation decisions, and SBOM impact assessment.
Annex I Part II (1),(3)
A.8.25
Secure development lifecycle
Rules for the secure development of software and systems are established.
STRIDE threat modelling and secure-by-design evidence attached to each product.
Annex I Part I (1)
A.8.28
Secure coding
Secure coding principles are applied across development.
Documented in the technical file alongside security-testing records.
Annex I Part I (1)
IECSupporting standard

IEC 62443

IEC 62443, Security for industrial automation and control systems

A series covering security for industrial automation and control systems, including secure product development (62443-4-1) and technical security requirements for components (62443-4-2).

Not a CRA harmonised standard

International IACS security series. It is not a CRA harmonised standard and does not confer presumption of conformity, but 62443-4-1 and 62443-4-2 evidence maps closely onto the CRA Annex I requirements for industrial products.

ProvisionRequirement & how the platform helpsCRA reference
62443-4-1
Secure product development lifecycle
Defines a secure-by-design development process for control-system products.
STRIDE threat modelling, risk scoring, and secure-development evidence per product.
Annex I Part I (1)
62443-4-2 CR 1
Identification and authentication control
Component requirements for identifying and authenticating users and devices.
Spoofing and unauthorised-access threats mapped to Annex I access controls.
Annex I Part I (2)(d)
62443-4-2 CR 3
System integrity
Component requirements protecting integrity of data and control logic.
Tampering threats and integrity controls in the threat model.
Annex I Part I (2)(f)
62443-4-2 CR 4
Data confidentiality
Component requirements protecting confidentiality of information at rest and in transit.
Information-disclosure threats mapped to Annex I confidentiality controls.
Annex I Part I (2)(e)
62443-4-2 CR 7
Resource availability
Component requirements for resilience against denial-of-service conditions.
Availability-degradation threats and resilience controls recorded in the assessment.
Annex I Part I (2)(h)

Map your ISMS and product security to the CRA

Bring your existing controls into a CRA assessment and export an audit-ready Annex VII technical file.

Get Started for Free