ISASecure Certification
Automation & Control System Security Assurance (ACSSA)
The asset-owner, site-level ISASecure certification for a deployed automation system. ACSSA draws on IEC 62443-3-2, 2-1, 2-4 and 3-3 — evaluating the risk assessment, the asset owner's security program, its service providers' practices, and the system's technical controls.
A World First
Perseus is the first accredited certification body in the world for ISASecure ACSSA
Pioneering asset-owner, site-level security assessment under IEC 62443-3-2, 2-1, 2-4 and 3-3.
Operational Security for Automation Systems
Overview
ISASecure ACSSA (Automation and Control System Security Assurance) is an asset-owner certification that bridges the gap between system design and operational reality. While product and system certifications validate security in controlled environments, ACSSA evaluates security as it exists in the field — at the actual site where the asset owner operates the automation system.
ACSSA draws on four IEC 62443 standards. IEC 62443-3-2 frames the risk assessment (zones, conduits, and the Cybersecurity Requirements Specification); IEC 62443-2-1 covers the asset owner's security program; IEC 62443-2-4 evaluates each service provider's integration and maintenance practices (supplier evaluation); and IEC 62443-3-3 provides the system-level technical security requirements. Each is assessed at Maturity Level 2 (documented procedures) and Maturity Level 3 (demonstrated and observed on site).
The site inspection component of ACSSA is particularly valuable. Our assessors physically visit the facility to verify that network architecture matches design documentation, that physical security controls protect critical systems, that configurations are properly hardened, and that operational practices such as change management, patching, and incident response are effectively implemented in the real operational context.
Risk Assessment
Zone & conduit risk assessment and the Cybersecurity Requirements Specification, per IEC 62443-3-2
Asset-Owner Program
The asset owner's security program at Maturity Levels 2 and 3, per IEC 62443-2-1
Service-Provider Evaluation
Each service provider's integration and maintenance practices, per IEC 62443-2-4
System Technical Controls
Per-zone technical security validation against IEC 62443-3-3, verified on site
ACSSA Control Categories
IEC 62443-2-1, 2-4, 3-2 & 3-3
ACSSA organizes its requirements into eleven control categories drawn from across IEC 62443-2-1, 2-4, 3-2 and 3-3. Each is evaluated for both the asset owner's security program and its service providers' practices, and verified on site.
Security Governance
Organizational governance of the security program — policies, roles and responsibilities, and the management commitment that underpins it.
Risk Management
The risk-assessment process — zone & conduit analysis, threat and vulnerability identification, and the resulting cybersecurity requirements specification.
Asset Management
Inventory and lifecycle tracking of in-scope IACS hardware, software, and network assets, and the accuracy and upkeep of the asset register.
Identification & Authentication Control
How users, devices, and software processes are uniquely identified and authenticated before access to the control system is granted, including multi-factor controls.
Use Control
Enforcement of least-privilege authorization — what authenticated identities may do, session control, and management of privileged and shared accounts.
System Integrity
Protection of system and information integrity — malware defenses, patching, change control, and verification that deployed configurations match approved baselines.
Information Confidentiality
Protection of sensitive information at rest and in transit against unauthorized disclosure, covering classification, encryption, and handling of OT data.
Restricted Data Flow
Network segmentation into zones and conduits, boundary enforcement, and control of data flows between the OT environment and external networks.
Incident Management
The ability to detect, log, escalate, respond to, and learn from cybersecurity events affecting the operational environment.
Resource Availability
Measures that preserve the availability of essential control-system functions under stress — backup, redundancy, and denial-of-service resilience.
Security Development & Integration
Secure engineering and integration practices applied by the asset owner and its service providers when deploying and configuring the system.
ACSSA Assessment Workflow
Our Approach
Driving standards
- IEC 62443-3-2 — risk assessment, zones & conduits
- IEC 62443-2-1 — asset-owner security program
- IEC 62443-2-4 — service-provider requirements
- IEC 62443-3-3 — system security requirements
- ISO/IEC 17065 — impartial certification decision
Planning
Pre-evaluation phase. We define the IACS scope — systems under consideration, zones, conduits, equipment, service providers and personnel — and agree an evaluation plan. The asset owner signs off the scope before evidence submission opens.
- Build the system / zone / conduit inventory
- Identify and onboard service providers
- Agree the evaluation plan and any approved compensating measures
- Asset owner signs off the scope
Frequently Asked Questions
ISASecure ACSSA (Automation and Control System Security Assurance) is an asset-owner, site-level certification for a deployed automation system. It draws on four IEC 62443 standards — 62443-3-2 (risk assessment), 62443-2-1 (asset-owner security program), 62443-2-4 (service-provider integration & maintenance practices), and 62443-3-3 (system technical requirements) — assessed at Maturity Level 2 (documented) and Maturity Level 3 (demonstrated on site). The certificate is issued to the asset owner, providing holistic assurance that the system is securely configured, properly maintained, and operated with appropriate controls.
Assess Your Operational Automation Security
Perseus provides ISASecure ACSSA certification to validate the security of your deployed automation systems through comprehensive site-level assessment.