
SSA-200

ISA Security Compliance Institute –
System Security Assurance –
ISASecure ® SSA chartered laboratory operations and accreditation

Version 2.6
August 2018

Copyright © 2010-2018 ASCI - Automation Standards Compliance Institute, All rights reserved
A. DISCLAIMER
ASCI and all related entities, including the International Society of Automation (collectively, “ASCI”) provide all
materials, work products and information (‘SPECIFICATION’) AS IS, WITHOUT WARRANTY AND WITH ALL
FAULTS, and hereby disclaim all warranties and conditions, whether express, implied or statutory, including, but not
limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of
reliability or availability, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses,
and of lack of negligence, all with regard to the SPECIFICATION, and the provision of or failure to provide support or
other services, information, software, and related content through the SPECIFICATION or otherwise arising out of the
use of the SPECIFICATION. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT,
QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION, OR NON-INFRINGEMENT WITH REGARD TO
THE SPECIFICATION.

WITHOUT LIMITING THE FOREGOING, ASCI DISCLAIMS ALL LIABILITY FOR HARM TO PERSONS OR
PROPERTY, AND USERS OF THIS SPECIFICATION ASSUME ALL RISKS OF SUCH HARM.

IN ISSUING AND MAKING THE SPECIFICATION AVAILABLE, ASCI IS NOT UNDERTAKING TO RENDER
PROFESSIONAL OR OTHER SERVICES FOR OR ON BEHALF OF ANY PERSON OR ENTITY, NOR IS ASCI
UNDERTAKING TO PERFORM ANY DUTY OWED BY ANY PERSON OR ENTITY TO SOMEONE ELSE. ANYONE
USING THIS SPECIFICATION SHOULD RELY ON HIS OR HER OWN INDEPENDENT JUDGMENT OR, AS
APPROPRIATE, SEEK THE ADVICE OF A COMPETENT PROFESSIONAL IN DETERMINING THE EXERCISE OF
REASONABLE CARE IN ANY GIVEN CIRCUMSTANCES.

B. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES


TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL ASCI OR ITS SUPPLIERS
BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, INDIRECT, OR CONSEQUENTIAL DAMAGES
WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR
OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY,
FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR
NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN
ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SPECIFICATION, THE PROVISION OF OR
FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES, INFORMATION, SOFTWARE, AND RELATED
CONTENT THROUGH THE SPECIFICATION OR OTHERWISE ARISING OUT OF THE USE OF THE
SPECIFICATION, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS
SPECIFICATION, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE),
MISREPRESENTATION, STRICT LIABILITY, BREACH OF CONTRACT OF ASCI OR ANY SUPPLIER, AND EVEN IF
ASCI OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

SSA-200-2.6 2/44
Revision history

version  date        changes
1.2      2014.02.09  Initial version published to http://www.ISASecure.org
1.9      2015.02.24  Change from Guide 65 to 17065, incorporate ASCI 2009 requirements directly,
                     add figure 1, change SDLA to SDLPA when used for assessment, permit GICSP in
                     qualifications, full software version required on CRT reports SSA.R19, CRT
                     tool calibration not required SSA.R28
2.5      2018.02.02  Alignment with approved ANSI/ISA-62443-4-1: update references, background
                     section, replace section 5.3 with discussion of transition to SSA 2.1.0;
                     explicitly support scalable systems: add definitions of layout, reference
                     layout, reference system, scalable system, modify 4.1 scope, add scalability
                     topics to technical readiness assessment; add CACE and CACS as certifications
                     for auditors and permit any bachelor-level degree with sufficient industry
                     experience; incorporate errata from SSA-102 v1.6
2.6      2018.08.10  Alignment with ISA-62443-4-2: update normative references; in 4.1 modify
                     sentence about FSA-E

Contents

1 Scope 8
2 Normative references 8
2.1 General 8
2.2 Accreditation/recognition 8
2.3 ISASecure symbol and certificates 9
2.4 Technical specifications 9
2.5 External references 11
3 Definitions and abbreviations 11
3.1 Definitions 11
3.2 Abbreviations 15
4 Background 16
4.1 Technical ISASecure SSA certification elements 16
4.2 ISASecure SSA certification program implementation 18
5 Summary of operations and accreditation requirements 18
5.1 Overview 18
5.2 Accreditation process 19
5.3 Transition to SSA 2.1.0 19
6 Requirements on operations of chartered laboratories 19
6.1 Overview 19
6.2 General requirements 20
6.3 Structural requirements 22
6.4 Resource requirements 24
6.5 Process requirements 29
6.6 Management system requirements 37
7 Accreditation of chartered laboratories 39
7.1 Overview 39
7.2 Provisional chartered laboratory status 40
7.3 Technical readiness assessment 40

List of requirements
Requirement SSA.R1 – Confidentiality for ASCI and ISCI 21
Requirement SSA.R2 – Confidentiality of CRT laboratory results 22
Requirement SSA.R3 – Internal distribution for assessment reports 22
Requirement SSA.R4 – Public availability of ISCI complaint escalation process 22
Requirement SSA.R5 – Time delay from provision of consultancy 22
Requirement SSA.R6 – Notification of changes to certification requirements 22
Requirement SSA.R7 – Organizational affiliations 23
Requirement SSA.R8 – Financial affiliations 23

Requirement SSA.R9 – Chartered laboratory sales and purchases 24
Requirement SSA.R10 – FSA-S, FSA-E, SDA-S and SDLPA auditor minimum qualifications 25
Requirement SSA.R11 – CRT/NST lead evaluator minimum qualifications 27
Requirement SSA.R12 – VIT lead evaluator minimum qualifications 28
Requirement SSA.R13 – Currency of skills and knowledge 29
Requirement SSA.R14 – Determining application of specifications 32
Requirement SSA.R15 – Determining applicant eligibility 32
Requirement SSA.R16 – Application steps procedure 32
Requirement SSA.R17 – Maintenance of procedure for application 32
Requirement SSA.R18 – Current ISASecure specifications 32
Requirement SSA.R19 – CRT tools 32
Requirement SSA.R20 – Monitoring essential functions as non-standard test methods 33
Requirement SSA.R21 – SRT report 33
Requirement SSA.R22 – Assessment report 33
Requirement SSA.R23 – Application information from CRT laboratory 33
Requirement SSA.R24 – Consideration of evidence from CRT laboratories 33
Requirement SSA.R25 – Verification of content for evidence from CRT laboratory 33
Requirement SSA.R26 – Verification of test outcomes for evidence from CRT laboratory 33
Requirement SSA.R27 – Verification of versions for evidence from CRT laboratory 34
Requirement SSA.R28 – Equipment calibration 34
Requirement SSA.R29 – Content of test or assessment methods or procedures 34
Requirement SSA.R30 – Detail in SRT procedures 34
Requirement SSA.R31 – Content of test or assessment data sheet 35
Requirement SSA.R32 – Content of procedure maintenance procedures 35
Requirement SSA.R33 – Content of procedures for evaluating test or assessment data 35
Requirement SSA.R34 – Content of policy for evaluation of test or assessment data 35
Requirement SSA.R35 – Content of procedures for preparing technical reports 35
Requirement SSA.R36 – Input to scheme directory 35
Requirement SSA.R37 – Accuracy of certification status 35
Requirement SSA.R38 – Withdrawal of certification 36
Requirement SSA.R39 – Notification of withdrawal of certification 36
Requirement SSA.R40 – Complaints related to CRT performed by CRT laboratory 36
Requirement SSA.R41 – Escalation for complaints and appeals 36
Requirement SSA.R42 – Escalation for complaints and appeals related to application of specifications 37
Requirement SSA.R43 – Scope of procedures under management system 38
Requirement SSA.R44 – Responsibility for quality 38
Requirement SSA.R45 – Housekeeping 38
Requirement SSA.R46 – Item inventory 38
Requirement SSA.R47 – Facility security 38

Requirement SSA.R48 – Processing for revisions to normative specifications 38
Requirement SSA.R49 – Archival of superseded specifications 38
Requirement SSA.R50 – Maintenance of records 38
Requirement SSA.R51 – Management follow-up review for deficiencies 38
Requirement SSA.R52 – Basis for internal audits 39
Requirement SSA.R53 – Contents included in internal audit reports 39
Requirement SSA.R54 – Internal audits of satellite facilities 39
Requirement SSA.R55 – Implementation for permanent corrective actions 39
Requirement SSA.R56 – Supplier process for disclosure of complaints related to noncompliance 39
Requirement SSA.R57 – Supplier process for disclosure of complaints related to security of
ISASecure certified product 39
Requirement SSA.R58 – Disclosure to ISCI of complaints related to ISASecure certified product 39

List of tables
Table 1 – Scheme references for ISO/IEC clause 4 20
Table 2 – Scheme reference for ISO/IEC 17065 clause 5 23
Table 3 – Scheme references for ISO/IEC 17065 clause 6 24
Table 4 – FSA-S, FSA-E, SDA-S, and SDLPA auditor qualifications 25
Table 5 – CRT or NST lead evaluator qualifications 27
Table 6 – VIT lead evaluator qualifications 28
Table 7 – ISO/IEC 17020 requirements specified 29
Table 8 – Scheme reference for ISO/IEC 17065 clause 7 30
Table 9 – Technical readiness criteria for SSA chartered laboratory 41

FOREWORD
This is one of a series of documents that defines ISASecure ® certification for control systems, which is
developed and managed by the industry consortium ISA Security Compliance Institute (ISCI). Certifications
available include ISASecure Embedded Device Security Assurance (EDSA) for embedded devices,
ISASecure System Security Assurance (SSA) for systems and ISASecure Security Development Lifecycle
Assurance (SDLA) which addresses control system supplier development processes. This specification is
one of the series of documents that describes requirements for ISASecure SSA certification. The current list
of documents related to ISASecure certification programs can be found on the web site
http://www.ISASecure.org.

1 Scope

The ISASecure ® certification program has been developed by an industry consortium called the ISA Security
Compliance Institute (ISCI) with a goal to accelerate industry wide improvement of cyber security for
Industrial Automation and Control Systems (IACS). An organization that performs evaluations and grants
certifications under the ISASecure SSA (System Security Assurance) program for control systems is referred
to as an ISASecure SSA chartered laboratory, or (more briefly) a chartered laboratory. This document
specifies the criteria and processes that define:

• Requirements on the operations of a chartered laboratory (Section 6); and

• How a chartered laboratory shall begin and continue ISASecure SSA system certification operations
(Section 7).

ISCI has based its certification program approach on:

• International standards for conformity assessment programs; and

• Specifications developed for the ISASecure SSA program.

This document provides a complete reference to these sources, and details ISASecure SSA program-specific
requirements for compliance with applicable general specifications and standards.

ISCI also has developed certification programs for:

• Embedded devices, the ISASecure EDSA program (Embedded Device Security Assurance); and

• Supplier development process for control systems and components, the ISASecure SDLA program
(Security Development Lifecycle Assurance).

The separate documents EDSA-200 ISASecure EDSA chartered laboratory operations and accreditation and
SDLA-200 ISASecure SDLA chartered laboratory operations and accreditation address these same topics as
they relate to chartered laboratories that perform ISASecure EDSA and SDLA certifications, respectively.

It is a goal for the ISASecure programs to support and align with the developing standards ISA 62443 for
IACS security. [SSA-100] discusses the relationship between ISASecure SSA and the ISA 62443 effort.

2 Normative references
2.1 General
NOTE The following is the highest level document that describes the ISASecure SSA certification program for control systems.

[SSA-100] ISCI System Security Assurance – ISASecure Certification Scheme, as specified at
http://www.ISASecure.org

2.2 Accreditation/recognition

2.2.1 Chartered and CRT laboratory operations and accreditation

[ISASecure-116] ISCI ISASecure Certification Programs - Policy for transition to EDSA 3.0.0 and SSA 3.0.0,
as specified at http://www.ISASecure.org
NOTE The following document can be tailored for chartered laboratories performing EDSA, SSA or SDLA certifications, or any
combination of these.

[ISASecure-202] ISCI ISASecure Certification Programs – Application and Contract for Chartered
Laboratories, internal ISCI document

[EDSA-206] ISCI Embedded Device Security Assurance – ISASecure EDSA CRT laboratory operations and
accreditation, as specified at http://www.ISASecure.org

2.2.2 CRT tool recognition program


NOTE The following documents describe how to attain ISASecure recognition for a tool used to carry out communication robustness
testing (CRT) and network stress testing (NST), which are two aspects of the system robustness testing performed for an SSA
evaluation. CRT is also a requirement for ISASecure EDSA certification for an embedded device. The same tool recognition process
applies for all of these applications of the tool.

[EDSA-201] ISCI Embedded Device Security Assurance –Recognition process for communication robustness
testing tools, as specified at http://www.ISASecure.org

[EDSA-203] ISCI Embedded Device Security Assurance – Application and Contract for CRT Tool Recognition,
internal ISCI document

2.3 ISASecure symbol and certificates


NOTE The following document describes the ISASecure symbol and certificates and how they are used within the ISASecure SSA
program.

[SSA-204] ISCI System Security Assurance – Instructions and Policies for Use of the ISASecure Symbol and
Certificates, as specified at http://www.ISASecure.org

[SSA-205] ISCI System Security Assurance – Certificate Document Format, as specified at
http://www.ISASecure.org

2.4 Technical specifications


NOTE This section includes the specifications that define technical criteria for evaluating a system for ISASecure SSA certification.

2.4.1 General technical specifications


NOTE The following document is the overarching technical specification for ISASecure SSA certification.

[SSA-300] ISCI System Security Assurance – ISASecure Certification Requirements, as specified at
http://www.ISASecure.org

[SSA-301] ISCI System Security Assurance – Maintenance of ISASecure Certification, as specified at
http://www.ISASecure.org

[EDSA-301] ISCI Embedded Device Security Assurance – Maintenance of ISASecure Certification, as
specified at http://www.ISASecure.org

[SSA-303] ISASecure SSA Sample Report, available on request to ISCI

2.4.2 Specifications for certification elements


NOTE 1 The following document provides the technical evaluation criteria for the System Robustness Testing element of an SSA
evaluation.

[SSA-310] ISCI System Security Assurance – Requirements for system robustness testing, as specified at
http://www.ISASecure.org
NOTE 2 The following document defines how tests are carried out for both ISASecure EDSA and for several aspects of SSA SRT
(System Robustness Testing). It applies for ISASecure SSA to the extent described in [SSA-310].

[EDSA-310] ISCI Embedded Device Security Assurance – Embedded device robustness testing, as specified
at http://www.ISASecure.org
NOTE 3 The following documents provide the technical evaluation criteria for the Functional Security Assessment element of an SSA
evaluation.

[SSA-311] ISCI System Security Assurance – Functional security assessment for systems, as specified at
http://www.ISASecure.org

[CSA-311] ISCI Component Security Assurance – Functional security assessment for components, as
specified at http://www.ISASecure.org
NOTE 4 The following document provides the overall technical evaluation criteria for the Security Development Artifacts element of
an SSA product evaluation. [SDLA-312] is referenced by [SSA-312] and also provides the technical evaluation criteria for an
ISASecure assessment of supplier security development lifecycle process.

[SSA-312] ISCI System Security Assurance – Security development artifacts for systems, as specified at
http://www.ISASecure.org

[SDLA-312] ISCI Security Development Lifecycle Assurance – Security development lifecycle assessment, as
specified at http://www.ISASecure.org
NOTE 5 The following is the highest level document that describes the related ISASecure SDLA certification program for supplier
security development lifecycle processes. [SDLA-100] also lists all other documentation for the SDLA program.

[SDLA-100] ISCI Security Development Lifecycle Assurance – ISASecure Certification Scheme, as specified
at http://www.ISASecure.org
NOTE 6 The following document describes evaluation of a modified embedded device under ISASecure EDSA certification criteria,
where a prior version of the device was certified. These requirements apply when certification evidence for a prior version of an
embedded device component of a system is available toward an SSA certification.

[EDSA-301] ISCI Embedded Device Security Assurance – Maintenance of ISASecure Certification, as
specified at http://www.ISASecure.org

2.4.3 Vulnerability identification testing specifications


NOTE The following document describes the policy parameter values used to perform Vulnerability Identification Testing (VIT) for a
specific system. VIT is a sub element of System Robustness Testing.

[SSA-420] ISCI System Security Assurance – Vulnerability Identification Testing Policy Specification, as
specified at http://www.ISASecure.org

2.4.4 CRT Specifications


NOTE The protocol-specific ISASecure EDSA technical test specifications that follow refer to [EDSA-310] for requirements that are
common across all protocols.

[EDSA-401] ISCI Embedded Device Security Assurance – Testing the robustness of implementations of two
common “Ethernet” protocols, as specified at http://www.ISASecure.org

[EDSA-402] ISCI Embedded Device Security Assurance – Testing the robustness of implementations of the
IETF ARP protocol over IPv4, as specified at http://www.ISASecure.org

[EDSA-403] ISCI Embedded Device Security Assurance – Testing the robustness of implementations of the
IETF IPv4 network protocol, as specified at http://www.ISASecure.org

[EDSA-404] ISCI Embedded Device Security Assurance – Testing the robustness of implementations of the
IETF ICMPv4 network protocol, as specified at http://www.ISASecure.org

[EDSA-405] ISCI Embedded Device Security Assurance – Testing the robustness of implementations of the
IETF UDP transport protocol over IPv4 or IPv6, as specified at http://www.ISASecure.org
[EDSA-406] ISCI Embedded Device Security Assurance – Testing the robustness of implementations of the
IETF TCP transport protocol over IPv4 or IPv6, as specified at http://www.ISASecure.org

2.5 External references

External references are documents that are used by the ISASecure SSA program but maintained outside of
the ISASecure program.

2.5.1 IACS security standards


NOTE [SSA-100] describes the relationship of ISASecure to these approved standards as well as to ISA 62443 series standards
under development.

[ANSI/ISA-62443-1-1] ANSI/ISA-62443-1-1 (99.01.01) – 2007 Security for industrial automation and control
systems Part 1-1: Terminology, concepts and models

[IEC 62443-1-1] IEC TS 62443-1-1:2009 Industrial communication networks - Network and system security -
Part 1-1: Terminology, concepts and models

[ANSI/ISA-62443-3-3] ANSI/ISA-62443-3-3 (99.03.03) - 2013 Security for industrial automation and control
systems Part 3-3: System security requirements and security levels

[IEC 62443-3-3] IEC 62443-3-3:2013 Industrial communication networks - Network and system security - Part
3-3: System security requirements and security levels

[ANSI/ISA-62443-4-1] ANSI/ISA-62443-4-1-2018 Security for industrial automation and control systems Part 4-1:
Secure product development lifecycle requirements

[IEC 62443-4-1] IEC 62443-4-1:2018 Security for industrial automation and control systems Part 4-1: Secure product
development lifecycle requirements
[ANSI/ISA-62443-4-2] ANSI/ISA-62443-4-2-2018 Security for industrial automation and control systems Part
4-2: Technical security requirements for IACS components
NOTE The following standard is pending final approval and publication as of the publication of the present specification.
[IEC 62443-4-2] IEC 62443-4-2:2018 Security for industrial automation and control systems Part 4-2:
Technical security requirements for IACS components

2.5.2 International standards for certification programs


NOTE The following international standards apply to the ISASecure certification and testing processes.

[ISO/IEC 17065] ISO/IEC 17065, “Conformity assessment - Requirements for bodies certifying products,
processes, and services”, September 15, 2012

[ISO/IEC 17025] ISO/IEC 17025, “General requirements for the competence of testing and calibration
laboratories”, 15 May 2005

2.5.3 International standards for accreditation programs


NOTE The following international standard applies to the ISASecure chartered laboratory accreditation process.

[ISO/IEC 17011] ISO/IEC 17011, “Conformity assessment – General requirements for accreditation bodies
accrediting conformity assessment bodies”, 01 September 2004

3 Definitions and abbreviations


3.1 Definitions

3.1.1
accreditation
third party attestation related to a conformity assessment body conveying formal demonstration of its
competence to carry out specific conformity assessment tasks

NOTE For ISASecure certification programs, accreditation is an assessment and recognition process via which an organization is
granted chartered laboratory status or CRT laboratory status.

3.1.2
accreditation body
third party that performs attestation, related to a conformity assessment body, conveying a formal
demonstration of its competence to carry out specific conformity assessment

3.1.3
applicant
organization that has submitted a product or process to a chartered laboratory for evaluation for ISASecure
certification

3.1.4
auditable product
hardware and/or software product such that the product or its associated development process is subject to
audit, in the course of a specific chartered laboratory's planned certification activities

3.1.5
capability security level
security level that a component or system can provide when properly configured and integrated
NOTE This type of security level states that a particular component or system is capable of meeting a target security level natively
without additional compensating countermeasures when properly configured and integrated.

3.1.6
certification body
third-party conformity assessment body operating certification schemes

3.1.7
certification level
number associated with a particular certification granted, where requirements to achieve that certification
increase in rigor for higher levels
NOTE An SSA certification for a particular security zone may be SSA Level 1, 2, 3, or 4. A zone certified to SSA Level n meets
requirements for capability security level n as defined in the standard [ANSI/ISA-62443-3-3].

3.1.8
certification scheme
certification system related to specific products, processes, or services, to which the same specified
requirements, specific rules and procedures apply

3.1.9
chartered laboratory
organization chartered by ASCI to evaluate products and/or processes under one or more ISASecure
certification programs and to grant certifications under one or more of these programs
NOTE A chartered laboratory is the certification body for the ISASecure certification programs.

3.1.10
conformity assessment body
body that performs conformity assessment services and that can be the object of accreditation
NOTE Examples are a laboratory, inspection body, product certification body, management system certification body and personnel
certification body. This is an ISO/IEC term and concept.

3.1.11
control system
hardware and software components of an IACS
NOTE Control systems include systems that perform monitoring functions.

3.1.12
CRT evidence submission
set of CRT results for an embedded device submitted by a CRT laboratory to a chartered laboratory on
behalf of the device supplier, toward ISASecure certification

3.1.13
CRT laboratory
organization authorized by ASCI to perform communication robustness testing for embedded devices and
submit results to a chartered laboratory toward an ISASecure EDSA or SSA certification

3.1.14
embedded device
special purpose device running embedded software designed to directly monitor, control or actuate an
industrial process
NOTE Attributes of an embedded device are: no rotating media, limited number of exposed services, programmed through an
external interface, embedded OS or firmware equivalent, real-time scheduler, may have an attached control panel, may have a
communications interface. Examples are: PLC, field sensor devices, SIS controller, DCS controller.

3.1.15
full software version identifier
lowest level of granularity identifier used by a supplier for change tracking on software
NOTE Will include multiple digits and may include a date in some cases. This typically has more digits than the version number used
by customers.

3.1.16
evidence impact assessment
identification of that portion of the evidence from the certification evaluation of a product, which may be
applied toward the certification of a modified version of the product, and of those aspects of the evaluation
which must be performed on the modified product and new evidence created

3.1.17
industrial automation and control system
collection of personnel, hardware, software and policies involved in the operation of the industrial process
and that can affect or influence its safe, secure, and reliable operation

3.1.18
layout
description of a specific instance of a scalable control system, that defines quantities of zones and resident
devices, and internal and external interfaces

3.1.19
major owner
owner of more than two percent (2%) of a business entity
NOTE This percentage is intended to exclude individuals who are owners via portfolio vehicles, and identify owners that may
influence the activities of the business entity.

3.1.20
major user
organization that has or plans purchase of products whose related costs and/or usage is material to the
overall operations of that organization

3.1.21
reference layout
specific layout for scalable control system, that represents security characteristics found in any layout to be
SSA certified, in a manner suitable to support certification testing that provides assurance for all such layouts
NOTE A reference layout may be neither the minimum nor the maximum layout for a scalable system. Its properties are specified in
requirements found in [SSA-300]. In overview, the reference layout for a control system includes all zones, resident devices in these
zones, interfaces and protocols present in any layout in scope for a certification.

3.1.22
reference system
physical instance of a control system, that adheres to a reference layout
NOTE A reference system is used for direct testing performed by the SSA certifier.

3.1.23
scalable control system
control system which supports replication of zones and/or devices to support small and large installations

3.1.24
significant financing
financing that is material to the operations of the recipient

3.1.25
significant financial interest
financial interest where the value of this interest is material to the financial position of the entity that has the
interest

3.1.26
significant sales
sales that are material to the operations of the seller

3.1.27
security level
measure of confidence that the IACS is free from vulnerabilities and functions in the intended manner
NOTE Vulnerabilities can either be designed into the IACS, inserted at any time during its lifecycle or result from changing threats.
Designed-in vulnerabilities may be discovered long after the initial deployment of the IACS, for example an encryption technique has
been broken or an improper policy for account management such as not removing old user accounts. Inserted vulnerabilities may be
the result of a patch or a change in policy that opens up a new vulnerability.

3.1.28
security zone
grouping of logical or physical assets that share common security requirements
NOTE A zone has a clear border. The security policy of a zone is typically enforced by a combination of mechanisms both at the
zone edge and within the zone.

3.1.29
symbol
graphic or text affixed or displayed to designate that ISASecure certification has been achieved
NOTE An earlier term for symbol is “mark.”

3.1.30
system
control system
NOTE In the ISASecure SSA documentation, this shorter term is used for convenience to refer to a control system product that may
fall under the scope of ISASecure SSA certification. Per the definition above, control systems include safety systems.

3.1.31
zone
security zone

3.2 Abbreviations

The following abbreviations are used in this document.


ANSI American National Standards Institute
ASCI Automation Standards Compliance Institute
ARP address resolution protocol
BS Bachelor of Science
CACE Certified Automation Cyber Security Expert
CACS Certified Automation Cyber Security Specialist
CSA Component Security Assurance
CE computer engineering
CISA Certified Information Systems Auditor
CISSP Certified Information Systems Security Professional
CRT communication robustness testing
CS computer science
CSSLP Certified Secure Software Lifecycle Professional
DCS distributed control system
EDSA embedded device security assurance
FSA-E functional security assessment for embedded devices
FSA-S functional security assessment for systems
GICSP Global Industrial Cyber Security Professional
IACS industrial automation and control system(s)
IAF International Accreditation Forum
ICMP Internet control message protocol
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronic Engineers
IETF Internet engineering task force
ILAC International Laboratory Accreditation Cooperation
IP Internet protocol
ISA International Society of Automation
ISCI ISA Security Compliance Institute
ISO International Organization for Standardization
NA not applicable
NST network stress testing
OS operating system
PLC programmable logic controller
SDA-S security development artifacts for systems
SDLA security development lifecycle assurance
SDLPA security development lifecycle process assessment
SIS safety instrumented system
SRT system robustness testing
SSA system security assurance

SY system
SUT system under test
TCP transmission control protocol
TD test device
UDP user datagram protocol
VIT vulnerability identification testing

4 Background
4.1 Technical ISASecure SSA certification elements

ISASecure SSA is a certification program for control systems, where a control system product is considered
to be within the scope of this program if it satisfies all of the following criteria:

• The control system consists of an integrated set of components and includes more than one device.

• The control system is available from and supported as a whole by a single supplier, although it may
include hardware and software components from several manufacturers.

• The control system may have a fixed device and zone layout, or may be scalable, that is, may permit
replication of devices and of zones in order to scale for small and large installations.

• The system product is under configuration control and version management.

In order to obtain ISASecure SSA certification, a supplier must pass a security development lifecycle
process evaluation equivalent to that defined under the ISASecure SDLA development process certification
described in the reference [SDLA-100]. Specifically, in order for a system product from a supplier to achieve
ISASecure SSA certification, either:

• The supplier must hold an ISASecure SDLA certification; or

• The supplier passes a security development lifecycle process assessment (SDLPA), which is an
equivalent evaluation of security aspects of their development process, as part of the SSA evaluation
itself.

A supplier may apply for ISASecure SSA and SDLA certifications in parallel.

ISASecure SSA certification for systems has four additional elements:

• Security Development Artifacts for systems (SDA-S);

• Functional Security Assessment for systems (FSA-S);

• Functional Security Assessment for embedded devices (FSA -E); and

• System Robustness Testing (SRT).

SDLPA and SDA-S both assess development process, hence are grouped under "Security Development
Assessment" in Figure 1 below. SDA-S examines the artifacts that are the outputs of the supplier’s security
development lifecycle processes as they apply to the system to be certified. FSA-S examines the security
capabilities of the system. FSA-E examines the security capabilities of any embedded devices that are
components of the system, recognizing in accordance with [ANSI/ISA-62443-4-2] that in some cases
requirements for security functionality may be met by integrating the device into a system. SRT has three
major elements - Vulnerability Identification Testing (VIT), Communication Robustness Testing (CRT) and
Network Stress Testing (NST). VIT scans all components of a system for the presence of known
vulnerabilities. CRT and NST verify that the system adequately maintains essential functions while being
subjected to normal and erroneous network protocol traffic at normal to extremely high traffic rates (flood
conditions) at its network interfaces.

A system submitted for certification is comprised of one or more security zones. The supplier identifies a
certification level for each zone, which will be the desired capability security level to be demonstrated for that
zone by the certification. The SDLPA and SDA-S assessments are the same for all certification levels with
the exception of allowable residual risk for known security issues. The FSA-S evaluation is applied to each
security zone; required security capabilities will differ based upon the zone certification level. Pass/fail
criteria for VIT reference FSA-S requirements applicable to the certification level, hence also increase in rigor
for higher levels. CRT and NST criteria are the same regardless of certification level. Figure 1 illustrates this
concept. The ISASecure SSA certificate for a system will name the security zones and their certification
levels.

Figure 1 - Structure of ISASecure SSA Certification Criteria by Certification Level

For scalable systems, tests performed by the certifier as part of FSA or SRT will be performed on a reference
system, whose layout meets criteria specified in [SSA-300]. Analyses performed by the certifier will take into
account all layouts to be evaluated under the certification.

If the system has a component embedded device that is ISASecure EDSA certified, that certification may be
leveraged to meet CRT and FSA requirements for SSA certification of the overall system, to the extent
specified in [SSA-300].

In addition to requirements for initial certification, ISASecure SSA specifies requirements for maintaining
certification when a certified system and/or ISASecure criteria are modified, as described in [SSA-301].

4.2 ISASecure SSA certification program implementation

ISCI is organized as an interest area within ASCI (Automation Standards Compliance Institute), a not-for-profit
503(c)(6) corporation owned by ISA. Descriptions of the governance and organizational structure for
ASCI are found on the ISASecure website: http://www.ISASecure.org.

ASCI ISASecure SSA chartered laboratories are organizations that are accredited to evaluate systems under
the ISASecure SSA program. ASCI grants accredited laboratories the right to process ISASecure SSA
certifications for systems on its behalf and issue certificates for systems meeting the SSA certification
requirements. System certification is determined based upon tests, functional audits and process audits,
which measure adherence to the ISASecure SSA requirements.

Evaluations for all SSA certification elements described in 4.1 are conducted directly by the chartered
laboratory or its subcontractors, with the possible exception of the CRT element of SRT for embedded
devices. The chartered laboratory shall directly conduct CRT for all types of system components with the
possible exception for embedded device components of the system presented for certification. CRT test for
such embedded device components may be conducted by a separate accredited organization called a CRT
laboratory, which submits test evidence to the chartered laboratory for evaluation. However, a chartered
laboratory must be qualified and prepared to conduct CRT for all types of components, including embedded
devices.

The lists of ASCI ISASecure SSA chartered laboratories and CRT laboratories are posted on the ISCI
website at http://www.ISASecure.org. At the request of system suppliers, systems that are issued
certifications are registered on this same ISCI website.

The ISASecure EDSA and SSA certification programs require the use of a test tool for CRT and NST. A tool
is used by chartered laboratories to perform CRT and NST, by CRT laboratories to perform CRT and by
device and system suppliers in preparation for certification. CRT/NST test tools must be evaluated for
consistency and fairness to ensure that they are appropriate for use by ISASecure test laboratories. ISCI
operates a test tool recognition program to support these objectives. The program is described in document
[EDSA-201].

In addition, the ISASecure SSA program requires the use of the Nessus ® tool
(http://www.tenable.com/products/nessus) for performing the VIT element of SRT. Nessus may also be used
by suppliers in preparation for certification.

5 Summary of operations and accreditation requirements

5.1 Overview

ISASecure SSA will operate as an internationally recognized certification program. To meet this standard, the
chartered laboratory operations and accreditation requirements are designed to comply with accepted
international standards applicable to product certification and testing.

The operations of ISASecure SSA chartered laboratories shall be in compliance with the applicable
requirements in:

• [ISO/IEC 17065], the international standard that applies to bodies that certify products, processes or
services, and

• [ISO/IEC 17025], the international standard that applies to test organizations.

The present document is organized using the outline of [ISO/IEC 17065]. Where required, it interprets
requirements in that document for ISASecure SSA and adds additional requirements. Of particular note are
requirements for:

• Organizational and financial affiliations of chartered laboratories (6.3.3);

• Qualifications for chartered laboratory personnel (6.4.3.1);

• Content of chartered laboratory application and evaluation procedures (6.5.3.1.2 and 6.5.3.2.3);

• Directory listing of certified organizations (6.5.3.3);

• Appeals for client complaints (6.5.3.7); and

• Managing complaints to suppliers of certified products (6.6.3.6).

5.2 Accreditation process

Accreditation of a chartered laboratory consists of an assessment of the organization against the general
requirements in ISO/IEC 17025, 17065 and the specific requirements in Section 6 of this document, together
with an assessment of technical readiness for performing ISASecure SSA evaluations, described in Section
7.3. Technical readiness assessment is based upon review of laboratory processes and procedures as well
as review of artifacts from evaluation activities. To be recognized as a chartered laboratory for the ISASecure
SSA program, a laboratory shall attain the following accreditations, performed by an IAF/ILAC accreditation
body:

• Accredited to ISO/IEC 17065, with technology scope of accreditation covering ISASecure SSA
certification; and

• Accredited to ISO/IEC 17025, with technology scope of accreditation covering testing to ISASecure SSA
SRT specifications.

The laboratory accreditation process consists of two steps. In the first step, an IEC assessor who is qualified
with respect to the above two accreditations will complete an evaluation of all accreditation requirements.
Provisional chartered status is granted if ISCI's analysis of the assessor’s report following this evaluation
shows that the laboratory meets the requirements for formal accreditation and technical readiness
assessment listed in 7.2 of the present document that may be verified based upon process and procedure
documentation evidence. At this point the accreditation body has not yet formally granted accreditation,
which requires a review and approval process internal to the accreditation body.

Once a laboratory has attained provisional chartered status, ASCI grants that laboratory the right to perform
system evaluations and grant ISASecure SSA certifications. These rights continue as long as the laboratory
receives formal accreditation from an SSA accreditation body in a timely manner (the second step) and
maintains this status.

5.3 Transition to SSA 2.1.0

With the approval of the standard [ANSI/ISA-62443-4-1] for security development lifecycle requirements, the
SSA 2.0.0 program has been updated to SSA 2.1.0 to align with this standard. Accordingly, ISCI has defined
a policy for chartered labs to follow in transitioning certification activities from SSA 2.0.0 to SSA 2.1.0. This
policy is defined in the document [ISASecure-115].

6 Requirements on operations of chartered laboratories

6.1 Overview

Section 6 of the present document specifies all requirements on the operation of SSA chartered laboratories.
It provides specific interpretations for ISO/IEC 17065 requirements, and defines further requirements that are
specific to the ISASecure SSA program.

Section 6 is organized as follows:

• The sub sections at numbering level 2 (6.2, 6.3, 6.4, 6.5, 6.6) each correspond to a clause in
[ISO/IEC 17065], covering in turn clauses 4-8 in that document.

• Each of these sub sections in the present document has three further sub sections as follows:

o Overview - provides a list of the topics covered in the corresponding clause of [ISO/IEC
17065]

o Scheme references for standard requirements - A number of ISO/IEC 17065 requirements
refer in turn to compliance with requirements specified by a certification scheme. This sub
section in the present document provides a table that lists each such ISO/IEC 17065
requirement and provides a reference to the documentation in the ISASecure SSA scheme
where the relevant scheme requirements are found. These references may refer to ISASecure
SSA scheme documents that are listed in section 2 of the present document, or may refer to
the present document itself, in particular to requirements in the sub sections in the present
document described next.

o ISASecure SSA specific requirements - This sub section lists additional scheme specific
requirements, beyond those derived directly from [ISO/IEC 17065] together with the other
documents of the ISASecure SSA certification scheme.

6.2 General requirements

6.2.1 Overview

Clause 4 General requirements in [ISO/IEC 17065] covers the following topics in associated sub clauses of
that document:

• Legal and contractual matters (4.1)

• Management of impartiality (4.2)

• Liability and financing (4.3)

• Non-discriminatory conditions (4.4)

• Confidentiality (4.5)

• Publicly available information (4.6).

6.2.2 Scheme references for standard requirements

The following table provides scheme references, for [ISO/IEC 17065] requirements in clause 4 of that
document that refer to certification scheme requirements.

Table 1 – Scheme references for ISO/IEC clause 4

ISO/IEC 17065 sub clause | ISO/IEC 17065 requirement reference | Scheme topic referenced | ISASecure SSA reference
4.1.2 Certification agreement | 4.1.2.2 h | Certification scheme requirements regarding client references to their certification | [SSA-300] 5.2 requirement SY.R2, and [SSA-204]
4.1.2 Certification agreement | 4.1.2.2 f, g | Certification scheme requirements on actions taken by a client upon loss of certification, and on reproduction of certification documents | No unique requirements specified by scheme
4.1.2 Certification agreement | 4.1.2.2 j | Certification scheme requirements on certification body to verify tracking of complaints received by client | [SSA-200] 6.6.3.6
4.1.3 Use of license, certificates and marks of conformity | 4.1.3.1 | Control by the certification body, as specified by the certification scheme, of mechanisms for indicating a product is certified | Requirements on mechanisms are in [SSA-204]
4.2 Management of impartiality | 4.2.10 | Period of time between performing consultancy and certification services | [SSA-200] Requirement SSA.R5
4.6 Publicly available information | 4.6c) | Certification scheme requirements regarding client references to their certification | [SSA-300] 5.2 requirement SY.R2, and [SSA-204]
4.6 Publicly available information | 4.6a) | Certification scheme requirements related to granting certification | [SSA-300]

6.2.3 ISASecure SSA specific requirements

This sub section lists additional scheme specific requirements related to Clause 4 General requirements in
[ISO/IEC 17065], beyond those derived from [ISO/IEC 17065] together with the other documents of the
ISASecure SSA certification scheme.

Requirement SSA.R1 – Confidentiality for ASCI and ISCI

The general confidentiality requirement in [ISO/IEC 17065] 4.5.1 SHALL be interpreted to include the
requirement that neither ASCI nor ISCI shall have access to information generated during ISASecure
evaluations, except by permission of the applicant, or as required to fulfill ISCI's oversight role as scheme
owner.

Requirement SSA.R2 – Confidentiality of CRT laboratory results

A chartered laboratory SHALL NOT have access to CRT information generated by a CRT laboratory except
by permission of an applicant.

Requirement SSA.R3 – Internal distribution for assessment reports

Procedures for report distribution internal to the chartered laboratory SHALL limit copies of test and
assessment reports only to those that the chartered laboratory determines need the information to fulfill their
work responsibilities.

Requirement SSA.R4 – Public availability of ISCI complaint escalation process

The [ISO/IEC 17065] requirement 4.6d) in the sub clause 4.6 Publicly available information refers to
procedures for handling complaints and appeals. This information SHALL include the information about
complaints to ASCI/ISCI in 6.5.3.7 of this document.

Requirement SSA.R5 – Time delay from provision of consultancy

The [ISO/IEC 17065] requirement 4.2.10 refers to the period of time between personnel having provided
consultancy for a product and reviewing or making a certification decision. The minimum time period SHALL
be two years.

Requirement SSA.R6 – Notification of changes to certification requirements

The chartered laboratory SHALL have processes to keep interested parties informed of changes to
certification requirements (such as changes to legal agreements associated with the certification process).
This SHALL include keeping the chartered laboratory’s ISASecure SSA certification clients informed of
changes to CRT requirements, whether or not the chartered laboratory directly performed CRT for the client
or whether it was performed by a CRT laboratory.
NOTE When technical changes in certification criteria occur, existing certifications to the previous criteria remain in place, since the
certification applies to a particular product version. Hence no products can lose certification due to lack of communication of new
technical requirements. However, suppliers can do more effective planning related to future products based upon timely information
about upcoming changes (of all types) to the certification program requirements.

6.3 Structural requirements

6.3.1 Overview

Clause 5 Structural requirements in [ISO/IEC 17065] covers the following topics in associated sub clauses of
that document:

• Organizational structure and top management (5.1)

• Mechanism for safeguarding impartiality (5.2).

6.3.2 Scheme references for standard requirements

The following table provides scheme references, for [ISO/IEC 17065] requirements in clause 5 of that
document that refer to certification scheme requirements.

Table 2 – Scheme references for ISO/IEC 17065 clause 5

ISO/IEC 17065 sub clause | ISO/IEC 17065 requirement reference | Scheme topic referenced | ISASecure SSA reference
5.2 Mechanism for safeguarding impartiality | 5.2.1 (Notes 2 and 3) | Certification scheme owner participation in mechanism for impartiality | No unique requirements specified by scheme
5.2 Mechanism for safeguarding impartiality | 5.2.4 (Note 2) | Certification scheme requirements on interests represented by mechanism for safeguarding impartiality | No unique requirements specified by scheme

6.3.3 ISASecure SSA specific requirements

This sub section lists additional scheme specific requirements related to clause 5 Structural requirements in
[ISO/IEC 17065], beyond those derived from [ISO/IEC 17065] together with the other documents of the
ISASecure SSA certification scheme.

Additional requirements on financial and other organizational affiliations of chartered laboratories are defined
as follows, to further safeguard impartiality.

Requirement SSA.R7 – Organizational affiliations

When the separate legal entity as in [ISO/IEC 17065] 4.2.7 is a major user of certified products, the
personnel of the separate legal entity shall not be involved in the management of the certification body, the
review, or the certification decision.

Requirement SSA.R8 – Financial affiliations

The following requirements apply to a chartered laboratory regarding its financial affiliations with suppliers
and users of auditable products. The term "auditable product" is defined in 3.1.4. A supplier of auditable
products is typically a certification client of the chartered laboratory. However, other organizations could also
sell these products, and these cases are covered in this requirement as well.

• A chartered laboratory or a major owner of the chartered laboratory SHALL NOT:

o provide significant financing to a supplier or to a major user of auditable products;

o be a major owner of a supplier or of a major user of auditable products;

• A chartered laboratory SHALL NOT:

o receive significant financing from a supplier or from a major user of auditable products, or
their major owners;

o have as a major owner, an organization that is a supplier or a major user of auditable products,
or a major owner of such an organization;

• A person involved in the management of the certification body, the review, or the certification decision
for the chartered laboratory SHALL NOT have a significant financial interest in a supplier or major
user of auditable products.

Requirement SSA.R9 – Chartered laboratory sales and purchases

The following requirements apply to a chartered laboratory regarding its sales and purchase activities:

• A chartered laboratory SHALL NOT have significant sales of any products or services to suppliers of
auditable products, other than certification services;

• A chartered laboratory SHALL NOT sell auditable products;

• Prices and agreements related to any products or services that a chartered laboratory purchases from
a supplier of auditable products SHALL NOT have dependencies on related certification activity.

6.4 Resource requirements

6.4.1 Overview

Clause 6 Resource requirements in [ISO/IEC 17065] covers the following topics in associated sub clauses of
that document:

• Certification body personnel (6.1)

• Resources for evaluation (6.2).

6.4.2 Scheme references for standard requirements

The following table provides scheme references, for [ISO/IEC 17065] requirements in clause 6 of that
document that refer to certification scheme requirements.

Table 3 – Scheme references for ISO/IEC 17065 clause 6

ISO/IEC 17065 sub clause | ISO/IEC 17065 requirement reference | Scheme topic referenced | ISASecure SSA reference
6.1 Personnel | 6.1.1.3 | Certification scheme requirements to release information created during an evaluation | [SSA-200] Requirement SSA.R1
6.1.2 Management of competence for personnel involved in the certification process | 6.1.2.1 a | Certification scheme requirements for competency of personnel involved in certification | [SSA-200] 6.4.3.1
6.1.2 Management of competence for personnel involved in the certification process | 6.1.2.1 b | Certification scheme requirements for training of personnel involved in certification | [SSA-200] 6.4.3.1
6.2.1 Internal resources; 6.2.2 External resources | 6.2.1, 6.2.2.1 | Applicable requirements from other standards | [SSA-200] 6.4.3.2

6.4.3 ISASecure SSA specific requirements

This sub section lists additional scheme specific requirements related to clause 6 Resource requirements in
[ISO/IEC 17065], beyond those derived from [ISO/IEC 17065] together with the other documents of the
ISASecure SSA certification scheme.

6.4.3.1 Personnel qualifications

Requirement SSA.R10 – FSA-S, FSA-E, SDA-S and SDLPA auditor minimum qualifications

The [ISO/IEC 17065] requirement 6.1.2.1a) in the sub clause 6.1.1 Management of competence for personnel
involved in the certification process refers to competencies of personnel involved in the certification process.
The minimum qualifications for personnel that are responsible for evaluation to FSA-S, FSA-E, SDA-S
and SDLPA requirements SHALL include those specified in Table 4.

The qualifications in Table 4 apply when SDLPA is carried out as part of an SSA evaluation.

The level of knowledge required for ISA 62443 as indicated in the last row of Tables 4-6 SHALL at a
minimum be sufficient for the individual to prepare and present a one hour overview on the scope of
application and contents of the standard, and be capable of quickly finding the answers to questions about
what the standard requires on a particular topic, if given access to the text of the standard. For the other
security standards and practices listed in the table, the level of knowledge required SHALL at a minimum be
equivalent to 8 hours of training on the standard or practice.

Table 4 – FSA-S, FSA-E, SDA-S, and SDLPA auditor qualifications

Columns: Category of qualification / experience; FSA-S auditor or FSA-E auditor / SDLPA auditor; SDA-S auditor

Formal education
  FSA-S auditor or FSA-E auditor / SDLPA auditor:
    • BS Electrical Engineering OR
    • BS Computer Engineering (CE) OR
    • BS Computer Science (CS) OR
    • BS Chemical Engineering with CE or CS minor OR
    • Equivalent science or engineering degree OR
    • Bachelors or equivalent level degree in other subject, if individual has sufficient experience in computer technology field as specified below
  SDA-S auditor:
    • BS Electrical Engineering OR
    • BS Computer Engineering OR
    • BS Computer Science OR
    • BS Chemical Engineering with CE or CS minor OR
    • Equivalent science or engineering degree OR
    • Bachelors or equivalent level degree in other subject, if individual has sufficient experience in computer technology field as specified below

Professional certification*
  FSA-S auditor or FSA-E auditor / SDLPA auditor:
    • CISA, CISSP, GICSP, CACE, CACS, or equivalent
  SDA-S auditor:
    • CISA, CISSP, GICSP, CSSLP, CACE, CACS, or equivalent

Work experience in field
  FSA-S auditor or FSA-E auditor / SDLPA auditor:
    • Minimum four years of post-degree experience in computer technology field, if individual has degree in one of the specific subjects identified above, or has an equivalent science or engineering degree
    • Minimum eight years of post-degree experience in computer technology field, if individual has a bachelors or equivalent level degree in other subject
  SDA-S auditor:
    • Minimum four years of post-degree experience in computer technology field, if individual has degree in one of the specific subjects identified above, or has an equivalent science or engineering degree
    • Minimum eight years of post-degree experience in computer technology field, if individual has a bachelors or equivalent level degree in other subject

Relevant development work experience
  FSA-S auditor or FSA-E auditor / SDLPA auditor:
    • Min 4 year detailed system level product development involvement for IACS OR
    • Min 4 years of systems integration experience for IACS OR
    • Min 6 years system level product test of IACS
    • Experience includes 2 years with software security-related responsibilities
  SDA-S auditor:
    • Min 4 year software integration experience for IACS AND
    • Min 2 year involvement with IACS software process improvement activities
    • Experience includes 2 years with software security-related responsibilities
    • Experience includes 2 years with technical management responsibilities at the system level

Relevant auditing work experience
  FSA-S auditor or FSA-E auditor / SDLPA auditor:
    • Min 1 year experience performing technical product audit OR 2 years in position in which has been audited on 3 or more products
  SDA-S auditor:
    • Min 1 year experience performing software process audit OR 2 years in position in which software process has been audited on 3 or more products

Relevant industry specific knowledge
  FSA-S auditor or FSA-E auditor / SDLPA auditor:
    • General knowledge of at least two different IACS AND
    • General knowledge of application of IACS and roles and duties of employees at sites using IACS AND
    • Moderate level knowledge of networking and communication protocols AND
    • Able to independently read and interpret requirement specifications for IACS products AND
    • Able to independently read and understand user installation and configuration documents for IACS products AND
    • Knowledge of methods used to protect communications and detect / prevent communication attacks
  SDA-S auditor:
    • General knowledge of end-end software development life cycle AND
    • General knowledge of IACS architectures

Knowledge of security standards
  FSA-S auditor or FSA-E auditor / SDLPA auditor:
    ISA 62443 Standard plus at least one of:
    • Common Criteria
    • ISO/IEC 27001
    • IEC 61508
  SDA-S auditor:
    ISA 62443 Standard plus at least one of:
    • Common Criteria
    • ISO/IEC 27001
    • IEC 61508

Requirement SSA.R11 – CRT/NST lead evaluator minimum qualifications

The [ISO/IEC 17065] requirement 6.1.2.1a) in the sub clause 6.1.1 Management of competence for personnel
involved in the certification process refers to competencies of personnel involved in the certification process.
The minimum qualifications for personnel that oversee the technical aspects of CRT or NST testing and
interpretation of results (including interpretation of CRT evidence submissions) shall include those specified
in Table 5:

Table 5 – CRT or NST lead evaluator qualifications

Columns: Category of qualification / experience; CRT or NST lead evaluator

Formal education
  • BS Electrical Engineering OR
  • BS Computer Engineering OR
  • BS Computer Science OR
  • BS Chemical Engineering with CE or CS minor OR
  • Equivalent science or engineering degree OR
  • 4 years work experience in testing of IACS may be substituted for degree

Work experience post BS degree
  • Min 5 years experience

Relevant development work experience
  • Min 4 year detailed system level product development involvement for IACS OR
  • Min 4 years of Systems Integration experience for IACS OR
  • Min 3 years System Level Product Test for IACS AND
  • Experience includes 1 year with software security-related responsibilities
  • Experience includes 2 years involvement with networking technologies

Relevant test work experience
  • Min 1 year experience performing testing on IACS

Relevant industry specific knowledge
  • Successful completion of training class or 1 year experience in job demonstrating proficiency with CRT/NST tool to be used AND
  • General knowledge of at least two different IACS OR detailed knowledge of one IACS AND
  • Moderate level knowledge of networking and communication protocols AND
  • Able to independently read and understand user installation and configuration documents for IACS Products AND
  • Knowledge of methods used to protect communications and detect / prevent communication attacks

Knowledge of security standards
  ISA 62443 Standard plus at least one of:
  • Common Criteria
  • ISO/IEC 27001
  • IEC 61508

Requirement SSA.R12 – VIT lead evaluator minimum qualifications

The [ISO/IEC 17065] requirement 6.1.2.1a) in the sub clause 6.1.1 Management of competence for personnel
involved in the certification process refers to competencies of personnel involved in the certification process.
The minimum qualifications for personnel that are responsible for the technical aspects of VIT testing
and interpretation of results shall include those specified in Table 6:

Table 6 – VIT lead evaluator qualifications

Columns: Category of qualification / experience; VIT lead evaluator

Formal education
  • BS Electrical Engineering OR
  • BS Computer Engineering OR
  • BS Computer Science OR
  • BS Chemical Engineering with CE or CS minor OR
  • Equivalent science or engineering degree OR
  • 4 years work experience in testing of IACS may be substituted for degree

Professional certification
  • CISA, CISSP, GICSP, CACE, CACS, or equivalent

Work experience post BS degree
  • Min 5 years experience

Relevant development work experience
  • Min 4 year detailed system level product development involvement for IACS OR
  • Min 4 years of Systems Integration experience for IACS OR
  • Min 3 years System Level Product Test for IACS
  • Experience includes 1 year with software security-related responsibilities
  • Experience includes 2 years involvement with networking technologies

Relevant test work experience
  • Min 1 year experience performing testing on IACS

Relevant industry specific knowledge
  • Successful completion of training class or 1 year experience in job demonstrating proficiency with VIT tool to be used AND
  • General knowledge of at least two different IACS OR detailed knowledge of one IACS AND
  • Moderate level knowledge of networking and communication protocols AND
  • Able to independently read and understand user installation and configuration documents for IACS Products

Knowledge of security standards
  ISA 62443 Standard plus at least one of:
  • Common Criteria
  • ISO/IEC 27001
  • IEC 61508

Requirement SSA.R13 – Currency of skills and knowledge

Staff training SHALL BE kept up-to-date and staff SHALL keep up to date with current normative specification
issues (this includes participation in technical groups or committees).

6.4.3.2 Other standards

The [ISO/IEC 17065] requirements 6.2.1 Internal resources and 6.2.1 External resources in the sub clause
6.2 Resources for evaluation refer to compliance with applicable requirements in ISO/IEC 17025, 17020, and
17021. Accreditation to ISO/IEC 17025 is required for an SSA chartered laboratory. Requirements from
ISO/IEC 17020, which apply to inspection activities, have been adapted and incorporated in this document as
follows and hence are noted but not repeated here:

Table 7 – ISO/IEC 17020 requirements specified

ISO/IEC 17020 requirement 6.1 6c – Continuing training: SSA-200 requirement SSA.R13

ISO/IEC 17020 requirement 7.4.2 – Test and assessment records ("Inspection records" in 17020): SSA-200 requirement SSA.R31

6.5 Process requirements

6.5.1 Overview

Clause 7 Process requirements in [ISO/IEC 17065] covers the following topics in associated sub clauses of
that document:

• General (7.1)

• Application (7.2)

• Application review (7.3)

• Evaluation (7.4)

• Review (7.5)

• Certification decision (7.6)

• Certification documentation (7.7)

• Directory of certified products (7.8)

• Surveillance (7.9)

• Changes affecting certification (7.10)

• Termination, reduction, suspension or withdrawal of a certification (7.11)

• Records (7.12)

• Complaints and appeals (7.13)

6.5.2 Scheme reference for standard requirements

The following table provides scheme references for [ISO/IEC 17065] requirements in clause 7 of that
document that refer to certification scheme requirements.

Table 8 – Scheme reference for ISO/IEC 17065 clause 7

Each entry gives the ISO/IEC 17065 sub clause and requirement reference, the scheme topic referenced, and the ISASecure SSA reference.

7.1 General, requirement 7.1.1
  Scheme topic referenced: Certification scheme used by an SSA chartered laboratory
  ISASecure SSA reference: Defined in [SSA-100]

7.1 General, requirement 7.1.2
  Scheme topic referenced: Refers to normative documents against which a system is evaluated
  ISASecure SSA reference: For initial certifications, documents are [SSA-300] and its normative references; for products with a version previously certified, documents are [SSA-301] and its normative references; [SSA-200] SSA.R18 specifies current versions of these documents

7.1 General, requirement 7.1.3
  Scheme topic referenced: Person or committee to provide explanations per application of normative documents
  ISASecure SSA reference: ISCI Technical Steering Committee, as stated in [SSA-200] requirement SSA.R14

7.2 Application, requirement 7.2
  Scheme topic referenced: Information that scheme requires for client application
  ISASecure SSA reference: [SSA-300] 5.2 and 5.3 requirements SY.R1 and R3 for initial certification; requirements for products with a version previously certified are in [SSA-301]

7.4 Evaluation, requirement 7.4.4
  Scheme topic referenced: Evaluation of system to scope of certification and requirements specified in scheme
  ISASecure SSA reference: Certification requirements for initial certification are listed in [SSA-300] requirement SY.R4; certification requirements for products with a version previously certified are in [SSA-301]

7.4 Evaluation, requirement 7.4.9 Note 2
  Scheme topic referenced: Whether certification scheme requires certification body to perform evaluation under its responsibility after application
  ISASecure SSA reference: Yes, per [SSA-300] 5.3

7.7 Certification documentation, requirement 7.7.1 f
  Scheme topic referenced: Information scheme requires on the document signifying certification
  ISASecure SSA reference: Certificate format and content specified in [SSA-204] and [SSA-205]

7.8 Directory of certified products, requirement 7.8 last paragraph
  Scheme topic referenced: Information about certified systems made available to a directory
  ISASecure SSA reference: [SSA-200] 6.5.3.3

7.9 Surveillance
  ISASecure SSA reference: Not applicable, see [SSA-200] 6.5.3.4

7.10 Changes affecting certification, requirement 7.10.1
  Scheme topic referenced: Actions required by scheme for changes to certification criteria
  ISASecure SSA reference: [SSA-200] 6.5.3.5

7.11 Termination, reduction, suspension or withdrawal of certification, requirement 7.11.3
  Scheme topic referenced: Actions required when a certification is terminated, suspended or withdrawn
  ISASecure SSA reference: For withdrawal, see [SSA-200] 6.5.3.6. Other actions are not defined for SSA certification

7.11 Termination, reduction, suspension or withdrawal of certification, requirements 7.11.4, 7.11.5
  Scheme topic referenced: Scheme requirements related to suspension
  ISASecure SSA reference: Not applicable. Suspension is not defined for SSA certification

7.12 Records, requirement 7.12.3
  Scheme topic referenced: Whether scheme requires complete re-evaluation of process on a predetermined cycle
  ISASecure SSA reference: No, as explained in [SSA-200] 6.5.3.4
6.5.3 ISASecure SSA specific requirements

This sub section lists additional scheme specific requirements related to clause 7 Process requirements in
[ISO/IEC 17065], beyond those derived from [ISO/IEC 17065] together with the other documents of the
ISASecure SSA certification scheme.

6.5.3.1 Application

6.5.3.1.1 Process requirements

Requirement SSA.R14 – Determining application of specifications


The [ISO/IEC 17065] requirement 7.1.3 in clause 7 Process requirements refers to persons or committees
who provide the chartered laboratory with explanations as to the application of the ISASecure specifications.
This role SHALL be fulfilled by the ISCI Technical Steering Committee.

Requirement SSA.R15 – Determining applicant eligibility


The chartered laboratory SHALL be responsible for determining whether a potential client meets the scope
for SSA certification. The chartered laboratory MAY request guidance from ISCI in this matter. If the client
does not concur with the decision of the chartered laboratory, they MAY use the complaint escalation process
described in Requirements SSA.R41 and SSA.R42.

6.5.3.1.2 Content of procedures

Requirement SSA.R16 – Application steps procedure


Procedures for processing a certification application SHALL identify the steps for the application and the
administrative/technical processing of the investigation in chronological order, the personnel responsible for each
stage of the process, and the records maintained at various steps of the process.

Requirement SSA.R17 – Maintenance of procedure for application


Procedures for developing and maintaining certification application processing procedures SHALL identify
personnel responsible for developing, reviewing and maintaining the procedures, the frequency for review,
and personnel responsible for verifying that the procedures are being followed.

6.5.3.2 Evaluation

6.5.3.2.1 General Process requirements

Requirement SSA.R18 – Current ISASecure specifications

ISO/IEC 17025 5.4.2, on selection of test methods, specifies using the latest version of the standards upon
which tests are based. The latest versions of ISASecure specifications SHALL be identified on the ISASecure
web site at http://www.ISASecure.org.

Requirement SSA.R19 – CRT tools


The CRT testing process SHALL use an ISCI recognized test tool for CRT. The chartered laboratory SHALL
verify that the software version and hash of the tool software are as specified for the recognized tool on the
ISASecure web site at http://www.ISASecure.org. The chartered laboratory SHALL also verify that the full
software version identifier on the ISASecure website is printed on the reports generated by the tool.

NOTE The process for recognition of CRT tools is defined in [EDSA-201].

Requirement SSA.R20 – Monitoring essential functions as non-standard test methods

ISO/IEC 17025 5.4.4 and 5.4.5 discuss the definition of procedures for, and validation of, non-standard test
methods. The test methods and criteria for monitoring upward essential functions for SRT are non-standard
test methods that are agreed with each certification applicant before the start of SRT ([SSA-310],
Requirement SRT.R21). They SHALL be subject to the requirements in these ISO/IEC 17025 sub clauses. An
unambiguous description of any non-standard test method used SHALL be documented or referenced in the
test report.

Requirement SSA.R21 – SRT report

Detailed reporting on SRT results for a system SHALL be carried out in accordance with the requirements on
SRT reporting in all technical specifications for SRT, which are in the normative references for [SSA-300]. If
a CRT laboratory has carried out CRT, some of this information will come from the CRT evidence
submission. The chartered laboratory’s report SHALL note this source for the information.

Requirement SSA.R22 – Assessment report


The [ISO/IEC 17065] requirement 7.4.9 in sub clause 7.4 Evaluation refers to documentation of evaluation
results prior to review. This documentation SHALL at a minimum include an assessment report following the
content and format of [SSA-303], the SSA assessment report sample. A report following this template SHALL
also be provided to the client.

6.5.3.2.2 Interface with CRT laboratory

Requirement SSA.R23 – Application information from CRT laboratory


If a CRT laboratory performs CRT for a client of a chartered laboratory, then the documentation items required
for certification application that apply to CRT would have been submitted to the CRT laboratory. They
SHALL be included in the CRT evidence submission from the CRT laboratory to the chartered laboratory.

Requirement SSA.R24 – Consideration of evidence from CRT laboratories

A chartered laboratory SHALL accept evidence for CRT tests on an embedded device, from a recognized
CRT laboratory, toward certification of a system which includes that device. The chartered laboratory SHALL
define processes for appropriate due diligence on the compliance of this evidence with ISASecure SSA
requirements. Before accepting a CRT evidence submission from a CRT laboratory, the chartered laboratory
SHALL verify that this organization is currently recognized as such by ISCI. Such submissions SHALL be
accepted from a recognized CRT laboratory only and not from a device supplier. Such submissions MAY
apply only for embedded device CRT.

Requirement SSA.R25 – Verification of content for evidence from CRT laboratory

The chartered laboratory SHALL verify that a CRT evidence submission from a CRT laboratory meets the
requirements laid out in [EDSA-206]. In particular, there are some tests in Clause 7 of the CRT test
specifications for individual protocols where the “Result” is NOT designated as simply pass/fail. Some of
these tests require supplier documentation of risks depending upon the result of the test. The chartered
laboratory SHALL verify that this documentation is present if required. The same requirements SHALL apply
whether the testing supports an initial or subsequent CRT evaluation of the device.

Requirement SSA.R26 – Verification of test outcomes for evidence from CRT laboratory

The chartered laboratory SHALL verify that a CRT evidence submission from a CRT laboratory is consistent
with passing CRT. If not, it may request clarification from the CRT laboratory. The chartered laboratory
SHALL have the responsibility to determine whether the test evidence submitted supports a decision to
certify the system of which the device is a component. If a submission or some aspects of a submission are
not accepted, the chartered laboratory SHALL provide a written rationale to the CRT laboratory.

Requirement SSA.R27 – Verification of versions for evidence from CRT laboratory

When CRT evidence is submitted by a CRT laboratory to a chartered laboratory toward certification of a
system that includes the device, the chartered laboratory SHALL verify that:

• The CRT tool version reported by the CRT laboratory is recognized for CRT by ISCI

• The CRT specification versions reported by the CRT laboratory match the latest versions on the
ISASecure web site

• The device version in the CRT evidence submission is the same version of the device that has been
submitted by the supplier as a component of the system for performance of the other elements of the SSA
evaluation.

If the device version in the CRT report differs from the version submitted to the chartered laboratory under
the SSA certification, the chartered laboratory MAY perform an evidence impact analysis to determine
whether the evidence submitted is applicable for the revised device, per the requirements in [EDSA-301]. The
chartered laboratory SHALL have the option to require the revised device to undergo CRT tests if indicated
per [EDSA-301] requirements.
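The tool-integrity checks of SSA.R19 (recognized version, published hash, version identifier printed on the report) and the version-consistency checks of SSA.R27 (recognized tool, latest specification versions, device version matching the system submission) lend themselves to a small automated pre-check. The following is an added example, not code from SSA-200 or from ISCI; the recognized-tool list and current specification versions are constructed dictionaries standing in for the lists on the ISASecure web site, and every tool name, version, hash and specification name is a placeholder.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of tool software held in memory (used by the demo below)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a tool binary on disk in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_crt_tool(reported_version: str, tool_hash: str, report_text: str,
                    recognized_tools: dict[str, str]) -> list[str]:
    """SSA.R19 checks. Returns findings; an empty list means every check passed.

    recognized_tools maps the full version identifier of each recognized tool to the
    published SHA-256 of its software (a constructed stand-in for the ISASecure list).
    """
    findings: list[str] = []
    expected_hash = recognized_tools.get(reported_version)
    if expected_hash is None:
        # Without a recognized version there is no published hash to compare against.
        return [f"tool version '{reported_version}' is not on the recognized CRT tool list"]
    if tool_hash.lower() != expected_hash.lower():
        findings.append("tool software hash does not match the published hash for this version")
    if reported_version not in report_text:
        findings.append("full software version identifier is not printed on the tool report")
    return findings


@dataclass
class CrtEvidence:
    """The parts of a CRT evidence submission that SSA.R27 asks the chartered lab to verify."""
    tool_version: str                                   # CRT tool version reported by the CRT lab
    spec_versions: dict[str, str] = field(default_factory=dict)  # CRT specification -> version used
    device_version: str = ""                            # device version the CRT lab tested


def verify_crt_evidence(evidence: CrtEvidence, recognized_tools: dict[str, str],
                        current_specs: dict[str, str], submitted_device_version: str) -> list[str]:
    """SSA.R27 checks: recognized tool, latest specification versions, matching device version."""
    findings: list[str] = []
    if evidence.tool_version not in recognized_tools:
        findings.append(f"CRT tool version '{evidence.tool_version}' is not recognized by ISCI")
    for spec, used in evidence.spec_versions.items():
        latest = current_specs.get(spec)
        if latest is None:
            findings.append(f"'{spec}' is not a current ISASecure specification")
        elif used != latest:
            findings.append(f"'{spec}' version {used} is not the latest version ({latest})")
    if evidence.device_version != submitted_device_version:
        # Not automatically a rejection: SSA.R27 allows an evidence impact analysis per [EDSA-301].
        findings.append(
            f"device version {evidence.device_version} differs from the version submitted for SSA "
            f"evaluation ({submitted_device_version}); evidence impact analysis per [EDSA-301] needed")
    return findings


if __name__ == "__main__":
    # Constructed demo data: placeholder tool name, version and bytes, not a real ISCI-recognized tool.
    tool_software = b"constructed placeholder for CRT tool software bytes"
    version = "ExampleCRT 3.2.1-build77"
    recognized = {version: sha256_bytes(tool_software)}
    report = f"Protocol X robustness report\nGenerated by {version}\n"
    print("SSA.R19:", verify_crt_tool(version, sha256_bytes(tool_software), report, recognized) or "OK")

    current = {"Protocol X CRT spec (placeholder)": "2.0"}
    submission = CrtEvidence(version, {"Protocol X CRT spec (placeholder)": "1.9"}, "4.1")
    print("SSA.R27:", verify_crt_evidence(submission, recognized, current, "4.2") or "OK")
```

For a real submission, replace the constructed dictionaries with the values published for the recognized tool and specifications, and compute the hash with sha256_file over the installed tool software.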

6.5.3.2.3 Content of procedures

Requirement SSA.R28 – Equipment calibration


Persons responsible for the calibration of equipment (where applicable) and authorized to perform each type
of calibration SHALL be identified. Records for each calibration SHALL contain sufficient information to
permit their repetition. Calibration SHALL NOT be required for the CRT testing tool.
NOTE The rationale for the last statement is that, due to the design of the CRT test procedures and pass/fail criteria, an out of
calibration condition for the CRT test tool does not create invalid certification results.

Requirement SSA.R29 – Content of test or assessment methods or procedures


Each test or assessment method or procedure SHALL have sufficiently detailed instructions to assure
reasonable repeatability of the test or assessment, and SHALL include or address the title, effective date,
assessment or test data to be obtained and recorded, objective acceptance criteria for results, and test or
assessment techniques, where additional information to that required by the SSA technical specifications is
required to meet these goals. In addition, test procedures SHALL include or address the specific test equipment
to use and instructions for handling the equipment.

The requirement in 4.2.1 of ISO/IEC 17025 for adequate documentation of procedures, instructions, etc. is
interpreted as follows for CRT.

Requirement SSA.R30 – Detail in SRT procedures

Laboratory documentation that provides guidance for SRT SHALL provide sufficient detail to ensure
compliance with the requirements of [SSA-310], when used in conjunction with a recognized CRT tool and
the Nessus tool, which are used for the CRT/NST and VIT sub elements of SRT, respectively.

Requirement SSA.R31 – Content of test or assessment data sheet
Each test or assessment data sheet or similar document SHALL include the test or assessment procedure
and specification used, date of the test or assessment, test or assessment report number, signature of the
personnel performing the test or assessment, and test or assessment results. In addition, test data sheets
shall include the product or component tested and test equipment used.

Requirement SSA.R32 – Content of procedure maintenance procedures


Procedures for developing and maintaining test or assessment methods and procedures SHALL identify the
personnel responsible for developing, reviewing and maintaining the procedures, specify the frequency of review
by management, ensure consistency with recognized specifications, ensure that deviations still assure that the
product, component or process conforms with the specification, and ensure modifications are reviewed by
personnel who are familiar with the specification.

Requirement SSA.R33 – Content of procedures for evaluating test or assessment data


Procedures for evaluating test or assessment data SHALL require the investigator to: verify and use the
latest specification edition, provide written justification of how a product, component or process complies with
each section of the specification (including a reference to a test or assessment procedure), and address
components not listed by the supplier.

Requirement SSA.R34 – Content of policy for evaluation of test or assessment data


Policies on evaluation of test or assessment data SHALL identify personnel responsible for technical
decisions on the specification, how to decide which section of a specification applies, and how to handle newly
developed technologies when the specification does not apply; require that interpretations of the
specifications are documented and made readily available for the appropriate investigators; and require the
resolution of product, component or process discrepancies without the laboratory engaging in the redesign,
except to explain the failures in regard to the ISASecure specification.

Requirement SSA.R35 – Content of procedures for preparing technical reports


Procedures for preparing technical reports SHALL BE written and SHALL:

• Identify personnel responsible for preparation, review of technical content, and initial or revision
approval;

• Require the appropriate test and evaluation procedures; and

• Ensure that technical corrections involve qualified personnel.

6.5.3.3 Directory of certified products

The [ISO/IEC 17065] requirement 7.8 refers to certification information to be published in a directory of
certifications granted by the certification body.

Requirement SSA.R36 – Input to scheme directory


With permission of the certification client, the chartered laboratory SHALL inform ISCI of each certification
granted and provide a copy of the certificate, to support ISCI's central directory of ISASecure certifications.

Requirement SSA.R37 – Accuracy of certification status


Proper controls SHALL be in place to assure accuracy of information on the certificate and in chartered
laboratory records of certified entities.

6.5.3.4 Surveillance

The ISASecure SSA certification scheme does not require surveillance. A certification of a specific product
version to a specific ISASecure certification version remains in place indefinitely. ISCI does not require a
chartered laboratory to verify periodically that systems shipped by the supplier that are labeled with the
version number that has been certified are in fact that version. However, ISO/IEC 17065 requires that the
chartered laboratory monitor the use of the ISASecure symbol. This includes proper symbol use as it relates
to product version. Certification of updated product versions and certification to updated ISASecure versions
are covered in [SSA-301].

6.5.3.5 Changes affecting certification

The [ISO/IEC 17065] requirement 7.10.2 in sub clause 7.10 Changes affecting certification refers to
certification body actions required by the scheme when certification criteria change. Under the requirements
in [SSA-301], no action is required. This is due to the fact that certification of a specific product version to a
specific ISASecure certification version remains in place indefinitely, and the product supplier is not required
to obtain a certification to a later ISASecure version.

6.5.3.6 Termination, reduction, suspension or withdrawal of certification

The [ISO/IEC 17065] sub clause 7.11 refers to termination, reduction, suspension, or withdrawal of
certification. Termination, reduction and suspension are not defined for SSA certification. The following
requirements apply to withdrawal.

Requirement SSA.R38 – Withdrawal of certification


An ISASecure product certification achieved in which the supplier participated in good faith SHALL NOT be
withdrawn. Failure to meet ongoing requirements to maintain ISASecure SDLA certification SHALL NOT
result in revocation of an ISASecure SSA certification for a system product that has previously been awarded
on the basis of that SDLA certification.

The following requirement defines actions as referenced in [ISO/IEC 17065] sub clause 7.11.3, that are
required by the scheme upon termination, reduction, suspension or withdrawal.

Requirement SSA.R39 – Notification of withdrawal of certification


The chartered laboratory SHALL inform ISCI of any withdrawal of an ISASecure product certification at the
time it occurs.

6.5.3.7 Complaints and appeals

The [ISO/IEC 17065] requirement 7.13.1 under 7.13 Complaints and appeals, refers to the certification body
process related to complaints and appeals.

Requirement SSA.R40 – Complaints related to CRT performed by CRT laboratory

A chartered laboratory SHALL be responsible for managing the resolution of complaints related to any aspect
of compliance for a product it evaluated or certified, including complaints related to compliance with CRT
where these tests were performed by a CRT laboratory and results submitted to the chartered laboratory. If
the chartered laboratory receives a complaint related to CRT where these tests were performed by a CRT
laboratory, the chartered laboratory SHALL inform the CRT laboratory and engage their assistance toward
resolution where appropriate.

Requirement SSA.R41 – Escalation for complaints and appeals


The published chartered laboratory process for handling complaints SHALL include the provision that
complaints may be appealed to ISCI by the party bringing the complaint, if the internal chartered laboratory
resolution procedure does not offer a resolution satisfactory to them. Appealed complaints SHALL first go to
the ISCI Technical Steering Committee. They MAY be further appealed to the ISCI governing board, then to
the ASCI board of directors.

Requirement SSA.R42 – Escalation for complaints and appeals related to application of specifications
An appealed complaint MAY request a ruling on whether the ISASecure specifications were correctly applied
in a specific instance. Such a complaint SHALL NOT be escalated to the ASCI board of directors, but is
resolved within ISCI. This ruling could impact:

• Whether the certification process is applicable to a particular product that has applied for certification;

• Whether or not a certification was granted; or

• Adequacy of the product evaluation process by the chartered laboratory or CRT laboratory.
NOTE Neither ISCI nor ASCI accepts certification applications, or processes, grants, or revokes certifications. This is the role of a
chartered laboratory. ISCI can assist in interpretation of the ISASecure specifications.

6.6 Management system requirements

6.6.1 Overview

Clause 8 Management system requirements in [ISO/IEC 17065] covers the following topics in associated sub
clauses. Sub clause 8.1 describes two options open to certification bodies to meet the ISO/IEC 17065
management system requirements. Option A is the option for a certification body to comply with the
management system requirements listed in sub clauses 8.2-8.8 of [ISO/IEC 17065]. Option B is the option for
a certification body to comply with ISO 9001 requirements. Option B does not require that the certification
body be certified to ISO 9001.

• Options (8.1)

• General management system documentation (Option A) (8.2)

• Control of documents (Option A) (8.3)

• Control of records (Option A) (8.4)

• Management review (Option A) (8.5)

• Internal audits (Option A) (8.6)

• Corrective actions (Option A) (8.7)

• Preventative actions (Option A) (8.8)

6.6.2 Scheme references for standard requirements

No requirements in [ISO/IEC 17065] Section 8 refer to scheme specific requirements.

6.6.3 ISASecure SSA specific requirements

This sub section lists additional scheme specific requirements related to clause 8 Management system
requirements in [ISO/IEC 17065], beyond those derived from [ISO/IEC 17065] together with the other
documents of the ISASecure SSA certification scheme. They apply whether the chartered laboratory elects
Option A or Option B to fulfill the management system requirements.

6.6.3.1 General management system documentation

Requirement SSA.R43 – Scope of procedures under management system


Chartered laboratory procedures SHALL cover the entire "quality loop" from application for services to final
assessment or listing of certification status, including follow-up services.

Requirement SSA.R44 – Responsibility for quality


The chartered laboratory SHALL:

• Identify the personnel responsible for quality, the other general and specific responsibilities for
quality, and the authority delegated to each activity;

• Specify the coordination necessary between different activities; and

• Identify the control over activities that affect quality.

Requirement SSA.R45 – Housekeeping


Adequate measures SHALL be taken to ensure good housekeeping at the chartered laboratory facilities
where evaluation activities are performed.

Requirement SSA.R46 – Item inventory


Laboratory procedures for handling of artifacts, or customer or laboratory equipment to be tested or used in
tests, SHALL address item inventory.

Requirement SSA.R47 – Facility security


Chartered laboratory measures and procedures related to security SHALL include provisions for: controlling
access, off hours security, and fire protection for the facility; informing all personnel of security policies; limiting
distribution of confidential information; limiting access to and safe storage of records (including certificates
and reports); back-up or off-site storage; and designating personnel responsible for monitoring security.

6.6.3.2 Control of documents

Requirement SSA.R48 – Processing for revisions to normative specifications


Policies and procedures for distribution & control of normative specifications SHALL identify the personnel
responsible for maintaining and distributing revised specifications, and a method to notify all relevant
locations, including clients and agents, about modifications or amendments.

Requirement SSA.R49 – Archival of superseded specifications


Superseded normative specifications SHALL be archived.

6.6.3.3 Control of records

Requirement SSA.R50 – Maintenance of records


Records maintained for evaluation and certification SHALL identify the personnel responsible for maintaining
records and how to correct or modify information on a record.

6.6.3.4 Management review

Requirement SSA.R51 – Management follow-up review for deficiencies


Internal quality audit policies and procedures SHALL specify the management review of reasons for
deficiencies, conclusions, recommendations on corrective actions, and the effectiveness of corrective
actions.

6.6.3.5 Internal audits

Requirement SSA.R52 – Basis for internal audits


Internal quality audit policies and procedures SHALL specify the basis for conducting audits.

Requirement SSA.R53 – Contents included in internal audit reports


Audit reports SHALL include the name(s) of the auditor(s), the areas audited, the dates of the audit and the
signature of the auditor(s), the discrepancies encountered, corrective action plan (including time for
completion and evidence of implementation), and review by upper management.

Requirement SSA.R54 – Internal audits of satellite facilities


QA oversight of company owned satellite facilities SHALL include routine and documented internal audits of
satellite facility personnel, regular headquarters review and audit of the quality assurance program and audits
conducted by satellite personnel, and consistency of technical records and interpretations among all
facilities.

Requirement SSA.R55 – Implementation for permanent corrective actions


Internal quality audit policies and procedures SHALL specify how permanent changes resulting from
corrective actions are recorded in standard operating procedures, instructions, manuals and specifications.

6.6.3.6 Complaints to suppliers of SSA certified products

Requirement SSA.R56 – Supplier process for disclosure of complaints related to noncompliance


A chartered laboratory SHALL include the following in its signed agreement with the client organization: that
the client organization has a documented process for meeting the requirements regarding complaints they
receive related to compliance with ISASecure product certification requirements, as found in [ISO/IEC
17065] 4.1.2.2j. These requirements address the handling of such complaints known to the certified
organization and their disclosure to the chartered laboratory.

The intent of the following broader provision is to improve the ISASecure product certification programs.

Requirement SSA.R57 – Supplier process for disclosure of complaints related to security of ISASecure certified product

The signed agreement between the chartered laboratory and the client SHALL include the following
provision. Any complaint regarding its certified product that is known to the supplier organization and that is
determined to affect product security shall be brought to the attention of the chartered laboratory that granted
the product certification. The laboratory shall evaluate the impact on the product conformance to the
ISASecure requirements.

Requirement SSA.R58 – Disclosure to ISCI of complaints related to ISASecure certified product


The chartered laboratory process for handling a report under Requirement SSA.R57 SHALL include a
process to advise ISCI if a modification to the ISASecure specifications should be considered based upon
this event. This process SHALL be contingent upon approval from the client making the report, to disclose to
ISCI any information concerning their product, whether or not it is attributed to their product.

7 Accreditation of chartered laboratories


7.1 Overview

Accreditation of a chartered laboratory involves an assessment of the organization against the requirements
in the following documents:

• ISO/IEC 17065 [ISO/IEC 17065]

• ISO/IEC 17025 [ISO/IEC 17025]

• Section 6 of this document, all ISASecure specific requirements subsections

• Section 7 of this document, which describes technical readiness assessment.

Technical readiness assessment is based upon review of documented laboratory processes and procedures
as well as review of artifacts produced by the chartered laboratory from sample SDA-S, FSA-S, FSA-E, and
SRT audits carried out by the laboratory on a system, as described in Section 7.3. The review of artifacts
may take place during the pilot phase of the ISASecure SSA program and be related to an early certification
performed by the laboratory.

To be recognized as a chartered laboratory for the ISASecure SSA program, a laboratory shall attain the
following accreditations, performed by an IAF/ILAC recognized accreditation body:

• accredited to ISO/IEC 17065, with technology scope of accreditation covering ISASecure SSA
certification; and

• accredited to ISO/IEC 17025, with technology scope of accreditation covering testing to ISASecure
SSA SRT specifications.

These internationally recognized accreditations shall be obtained by a laboratory within 18 months of
obtaining a provisional chartered laboratory status, as described in Section 5. The following section
discusses requirements for attaining provisional chartered laboratory status.

7.2 Provisional chartered laboratory status

Provisional chartered laboratory status allows an organization to begin certification activities before
accreditation has been formally granted by the accreditation body. Formal granting of the accreditation can
occur several months after the evaluation of the laboratory has taken place and the results have been
submitted by the evaluators to the board within the SSA accreditation body that makes the final accreditation
decision.

ASCI will grant a laboratory provisional chartered status based on the results of an evaluation of the
laboratory by a qualified assessor for the ISO/IEC 17025 and ISO/IEC 17065 accreditations listed in Section
7.1. Provisional chartered status is granted if the evaluation shows that the laboratory complies with all of
the requirements in the documents listed in Section 7.1, as well as those technical readiness criteria in Table
9 that may be verified based upon process and procedure documentation evidence. These criteria are in
rows 1-8 and 11 of Table 9. All ISASecure specific requirements in Section 6 of this document are also
mandatory to receive provisional chartered status.

The evaluation for a candidate chartered laboratory is performed by an assessor that has been qualified by
an IAF/ILAC recognized accreditation body. A candidate organization shall apply for accreditation as required
by the accreditation body. [ISASecure-202] provides the ASCI application process and forms for provisional
chartered laboratory status based on the evaluation by the accreditation body. “Provisional” chartered
laboratory status is a term applied by ASCI/ISCI within the ISASecure SSA program and is not recognized or
managed by the accreditation body.

During the period when a chartered laboratory is operating in provisional status, ASCI shall be made aware
of the laboratory’s expectations for receipt of formal internationally recognized accreditation by an IAF/ILAC
organization. ASCI shall have the option to perform an interim review and update its evaluation for
provisional status of the chartered laboratory 6 months after it is received. Once a chartered laboratory has
achieved accreditation by an IEC 17011 accreditation body, that accreditation body determines the
requirements and frequency for maintenance audits to maintain accredited status.

7.3 Technical readiness assessment

The technical readiness assessment reviews technical criteria required for competent performance of the
various ISASecure SSA certification elements. The evaluation consists of assessment of evidence supplied
by the candidate laboratory per the evaluation criteria in Table 9. The requirements numbered UDP.Rnn in
this table are from [EDSA-405]. The requirements numbered ERT.Rnn are from [EDSA-310]. The
requirements numbered SRT.Rnn are from [SSA-310].

Table 9 - Technical readiness criteria for SSA chartered laboratory

Columns: ID; Evidence supplied by candidate laboratory; Evaluation criteria

ID 1
Evidence supplied by candidate laboratory: Vendor statement of test tools and versions in use for SRT
Evaluation criteria:
• Appropriate tool is in place for asset discovery testing
• Tool and version for CRT/NST robustness tests is recognized by ISCI
• ISCI-specified tool is in place for VIT per SRT.R42 with tool version specified in [SSA-420]

ID 2
Evidence supplied by candidate laboratory: Asset discovery testing and CRT processes/procedures
Evaluation criteria:
• Comply with requirement for certifying scalable systems, that all certification testing is performed on a
reference system that meets requirements of ISASecure_SY.R3 in [SSA-300]
• Comply with set up procedure for asset discovery testing per SRT.R30-32; and for individual protocol tests
• Comply with SRT.R38 regarding requirement for monitoring coverage for various device outputs
• Comply with asset discovery testing procedure requirements SRT.R33-37
• Comply with SRT.R40 for how pass of asset discovery testing is defined
• Comply with coverage of various phases of CRT testing per SRT.R48 (ERT.36)
• Comply with SRT.R49 on how protocols and components for CRT are selected; SRT.R29 on test order; and
SRT.R23 on use of a single SUT
• Comply with SRT.R67 on documentation and reporting of discussions with customers on anomalies;
SRT.R68 on reporting conditional branches of test execution
• Comply with SRT.R48 (ERT.R43) for traffic rate for CRT load testing and NST
• Comply with SRT.R51 for how pass of CRT is defined
• Comply with SRT.R52 regarding repeating failures before giving failed status
• Comply with SRT.R48 (ERT.R48) for setting pseudo random seed value if used
• Instructions for evaluation report creation comply with SRT.R71-75 for asset discovery and SRT.R79-83
for CRT

ID 3
Evidence supplied by candidate laboratory: NST processes/procedures
Evaluation criteria:
• Comply with SRT.R54 (ERT.R43) for traffic rate for NST
• Comply with SRT.R55 on scope of NST
• Comply with SRT.R56 regarding configuration for NST
• Comply with SRT.R57 for how pass of NST is defined
• Comply with SRT.R58 regarding repeating failures before giving failed status
• Instructions for evaluation report creation comply with SRT.R84-88

ID 4
Evidence supplied by candidate laboratory: VIT processes/procedures
Evaluation criteria:
• Comply with SRT.R43 and SRT.R44 on VIT testing configuration including use of the VIT tool, tool version
with appropriate scanning policy and a method for jitter monitoring
• Comply with [SSA-420] regarding selection of the set of known vulnerabilities used for test and archiving of
this selection
• Comply with SRT.R45 on interfaces to test under VIT
• Comply with SRT.R46 on criteria for VIT pass
• Comply with SRT.R47 regarding repeating failures before giving failed status
• Instructions for VIT evaluation report creation comply with SRT.R76-78

ID 5
Evidence supplied by candidate laboratory: Mapping that maps each asset discovery testing requirement in
[SSA-310] Sections 10.2-10.3 to a portion of a test procedure
Evaluation criteria:
• Mapping is complete and accurate

ID 6
Evidence supplied by candidate laboratory: Mapping that maps each table in Section 7 of each CRT
protocol-specific specification to a portion of the SRT CRT test procedure
Evaluation criteria:
• Mapping is complete and accurate

ID 7
Evidence supplied by candidate laboratory: Mapping that maps each table that represents a load stress test
in Section 7 of each CRT protocol-specific specification to a portion of the SRT NST test procedure
Evaluation criteria:
• Mapping is complete and accurate

ID 8
Evidence supplied by candidate laboratory: Application form and instructions to be given to supplier
submitting the system
Evaluation criteria:
• Application requests all items required per [SSA-300] Section 5.2 and [SSA-310] Sections 6.2 and 8

ID 9
Evidence supplied by candidate laboratory: Intermediate artifacts, paperwork and final evaluation report for a
sample system covering SDA-S, FSA-S, FSA-E, and SRT. Artifacts from candidate laboratory include
procedure for non-standard tests created for the sample system to monitor upward essential functions per
ISO/IEC 17025 5.4.4 and validation of these tests per 5.4.5.
Evaluation criteria:
• Test plan complies with SRT.R16-17 in specifying types of tests and test points and test order
• Scope and results of FSA-S evaluation are consistent with security zone certification levels and cover
system layouts to be certified
• Scope, artifacts and results from SDA-S are consistent with security zone certification levels and validation
activities in [SDLA-312], where these differ by level
• Scope, artifacts and results from SDA-S take into account all system layouts in scope for the certification
• Results of asset discovery testing are as expected and indicate compliance with procedures
• Report from VIT evaluation indicates use of tool version and set of known vulnerabilities specified by
[SSA-420]
• Report from VIT evaluation indicates compliance with pass/fail criteria in SRT.R46
• Results of CRT and NST test are as expected and indicate compliance with procedures including required
scope
• Report of test configurations for tests meet requirements SRT.R30-31 and ERT.R34-35 in appropriate
protocol tests
• Records of control signal generated for testing meet requirements of SRT.R38
• Check for reporting of pseudo random seed value per SRT.48 (ERT.R48)
• Artifacts that describe test method to monitor upward essential services comply with SRT.R39
• Evaluation report and detailed SRT report meet requirements SSA.R20-SSA.R22 in this document
• Evaluation report complies with UDP.R12 and similar requirements for other protocols
• Evidence meets SSA.R31 in this document

ID 10
Evidence supplied by candidate laboratory: Evidence demonstrating that asset discovery testing result, CRT
result, NST result and VIT result for sample system can be reproduced based on information in evaluation
report; document steps used to reproduce these
Evaluation criteria:
• Verify that steps for creation of reproduced results required only information in the evaluation report; and
that results are same as initial results

ID 11
Evidence supplied by candidate laboratory: CRT lab interface
Evaluation criteria:
• Verify that the requirements in 6.5.3.2.2 are reflected in the chartered laboratory processes and procedures.

——————
