Glossary

ISA-99

ISA-99 is a series of ISA standards on industrial automation and control system cybersecurity, later harmonized into the IEC 62443 series.

ISA-99 commonly refers to a series of standards developed by the International Society of Automation (ISA) that define cybersecurity concepts and requirements for industrial automation and control systems (IACS). The work originally published under the ISA-99 designation has been jointly developed and harmonized with the International Electrotechnical Commission (IEC) and is now largely known internationally as the IEC 62443 series.

In manufacturing and other industrial environments, ISA-99 concepts are used to structure how plants identify, categorize, and protect operational technology (OT) systems, including DCS, PLCs, SCADA, MES interfaces, and associated networks. The standards describe models, terminology, and requirements for securing these systems over their lifecycle, from design and integration through operation and maintenance.

Scope and key concepts

Within industrial operations, ISA-99 / IEC 62443 commonly covers:

  • Foundational terminology and reference models for IACS cybersecurity
  • Segmentation concepts such as zones and conduits to structure networks and access control
  • Security levels and capability requirements for systems and components
  • Policies and procedures related to patching, remote access, account management, and monitoring
  • Lifecycle considerations such as secure design, integration, and maintenance of control systems

In regulated manufacturing plants, ISA-99-aligned practices are often mapped against existing OT and IT controls, vendor capabilities, and site change-control and validation processes. The intent is to integrate cybersecurity into existing engineering, quality, and maintenance workflows rather than treat it as a standalone activity.

Use in practice

Operationally, ISA-99 may appear in:

  • Internal standards or policies that adopt ISA-99 / IEC 62443 terminology for zones, conduits, and security levels
  • System design specifications that call for certain security capabilities for controllers, HMIs, gateways, and MES interfaces
  • Vendor and integrator requirements for configuring, documenting, and maintaining OT assets
  • Risk assessments and mitigation plans focused on IACS and their supporting networks

Organizations may still use the term “ISA-99” informally, even when the applicable documents are labeled IEC 62443, particularly in North America or where legacy documentation predates the harmonized numbering.

Common confusion

  • ISA-99 vs IEC 62443: ISA-99 work products have been jointly developed with IEC and are published in the IEC 62443 series. In many contexts, references to “ISA-99” today effectively mean “the ISA/IEC 62443 series.” The specific numbering and publication format can differ between ISA and IEC.
  • ISA-99 vs IT security standards (for example, ISO/IEC 27001): ISA-99 focuses on industrial automation and control systems and their specific needs, while general IT security standards cover broader information security management. Plants often map requirements between these to avoid conflicting expectations on shared infrastructure.

Relation to IEC and other standards

ISA-99 originated within ISA and was later aligned with IEC through joint development, resulting in corresponding IEC 62443 parts. In practice, industrial sites may need to reconcile ISA-99 / IEC 62443 guidance with other standards and regulatory expectations, including those that govern quality systems, functional safety, or data integrity in regulated manufacturing.
