If you want to CE mark a product or a machine that consists of integrated components, that you have manufactured and that can be connected to the internet, and you want to make a declaration of conformity with EU rules and requirements for cyber security for the product, which of the standards in the IEC 62443 series can or should be used to make documentation for cyber security? Confirmation will be like this: We confirm that this product fulfills the requirements in IEC 62443 ..
To make a declaration of conformity with EU rules and requirements for cybersecurity, you may want to consider using the following standards from the IEC 62443 series to document compliance:
- IEC 62443-2-1: This standard provides guidance on the establishment of an Industrial Automation and Control Systems (IACS) security management system. It outlines the requirements for security governance, risk management, and security program development. By using this standard to document your security management system, you can demonstrate that you have a comprehensive approach to cybersecurity that meets EU requirements.
- IEC 62443-3-3: This standard provides guidance on the implementation of system security for IACS. It outlines the requirements for network segmentation, access control, incident response, and other security measures. By using this standard to document the implementation of cybersecurity measures in your product, you can demonstrate that your product is designed to meet EU requirements for cybersecurity.
- IEC 62443-4-1: This standard provides guidance on the secure development of software for IACS. It outlines the requirements for secure software development, including security testing and vulnerability management. If your product includes any software components, you may want to use this standard to document compliance with EU requirements for software security.
By using these standards to document your compliance with EU rules and requirements for cybersecurity, you can provide a comprehensive declaration of conformity that covers all aspects of cybersecurity relevant to your product.
For item 1 in your last answer, do you refer to properties of the organisation that manufactured the product or properties of the product itself?
Answer to follow-up question:
IEC 62443-2-1 provides guidance on the establishment of an Industrial Automation and Control Systems (IACS) security management system. It outlines the requirements for security governance, risk management, and security program development. The focus of this standard is on the security management system of the organization that manufactures the product.
However, demonstrating compliance with IEC 62443-2-1 can provide assurance to customers that the manufacturer has a comprehensive approach to cybersecurity, which can contribute to the overall cybersecurity of the product itself. Therefore, while IEC 62443-2-1 is focused on the organization, it can indirectly impact the cybersecurity of the product.
To demonstrate compliance with EU rules and requirements for cybersecurity for the product itself, you may want to focus on other standards within the IEC 62443 series, such as IEC 62443-3-3 for system security or IEC 62443-4-1 for software security.