Analysis of ISO 27001 and IEC 62443-2-1 security management system commonalities and tool to support implementations
Reilimo, Samu (2023)
Master's Programme in Automation Engineering
Faculty of Engineering and Natural Sciences
This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
Acceptance date
2023-05-02
Permanent address of the publication
https://urn.fi/URN:NBN:fi:tuni-202303223098
Abstract
The objective of this master's thesis is to identify similarities in the requirements of the IEC 62443-2-1 and ISO 27001 standards. These similarities can be used when developing a cyber security management system for industrial automation and control systems if an organization already has an ISO 27001-based information security management system in place. Benefits of utilizing standards with similar requirements include cost-effectiveness and increased market value for the organization. Compliance with the IEC 62443-2-1 requirements also helps the organization respond to information security risks specific to industrial automation and control systems, compared to a situation where only ISO 27001 compliance is in place.
This thesis analyses the similarities of the IEC 62443-2-1 and ISO 27001 standards and presents the results in table format. The results also include information on how widely the ISO 27001 requirements and controls can be used to cover the requirements of IEC 62443-2-1. The thesis also presents how the mapping table can be used to implement an IEC 62443-2-1 compliant cyber security management system that reuses already existing ISO 27001 controls.
The results indicate that the requirements of IEC 62443-2-1 and ISO 27001 are highly similar and that certain controls can be used to cover the requirements of both standards. The validation results also indicate that lifecycle management of the security management systems needs particular emphasis, because two management systems are operated simultaneously.