CSA 200 Chartered Lab Ops and Accred (v4 - 2) PDF
Version 4.2
August 2019
Copyright © 2010-2019 ASCI - Automation Standards Compliance Institute, All rights reserved
A. DISCLAIMER
ASCI and all related entities, including the International Society of Automation (collectively, “ASCI”) provide all
materials, work products and information (‘SPECIFICATION’) AS IS, WITHOUT WARRANTY AND WITH ALL
FAULTS, and hereby disclaim all warranties and conditions, whether express, implied or statutory, including, but not
limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of
reliability or availability, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses,
and of lack of negligence, all with regard to the SPECIFICATION, and the provision of or failure to provide support or
other services, information, software, and related content through the SPECIFICATION or otherwise arising out of the
use of the SPECIFICATION. Also, there is no warranty or condition of title, quiet enjoyment, quiet possession,
correspondence to description, or non-infringement with regard to the SPECIFICATION.
Without limiting the foregoing, ASCI disclaims all liability for harm to persons or property, and users of this
SPECIFICATION assume all risks of such harm.
In issuing and making the SPECIFICATION available, ASCI is not undertaking to render professional or other services
for or on behalf of any person or entity, nor is ASCI undertaking to perform any duty owed by any person or entity to
someone else. Anyone using this SPECIFICATION should rely on his or her own independent judgment or, as
appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given
circumstances.
CSA-200-4.2 2/37
Revision history
version date changes
Contents
1 Scope 8
2 Normative references 8
2.1 General 8
2.2 Accreditation 9
2.3 ISASecure symbol and certificates 9
2.4 Technical specifications 9
2.5 External references 10
3 Definitions and abbreviations 11
3.1 Definitions 11
3.2 Abbreviations 14
4 Background 14
4.1 Technical ISASecure CSA certification elements 14
4.2 ISASecure CSA certification program implementation 15
5 Summary of operations and accreditation requirements 15
5.1 Overview 15
5.2 Accreditation process 16
5.3 Transition to CSA 1.0.0 16
6 Requirements on operations of chartered laboratories 17
6.1 Overview 17
6.2 General requirements 17
6.3 Structural requirements 20
6.4 Resource requirements 21
6.5 Process requirements 26
6.6 Management system requirements 32
7 Accreditation of chartered laboratories 35
7.1 Overview 35
7.2 Provisional chartered laboratory status 35
7.3 Technical readiness assessment 36
List of requirements
List of tables
FOREWORD
This is one of a series of documents that defines the ISASecure® CSA (Component Security Assurance)
certification program for software applications, embedded devices, host devices and network devices. These
are the component types defined by the standard IEC 62443-4-2 that are used to build control systems.
ISASecure CSA is developed and managed by the industry consortium ISA Security Compliance Institute
(ISCI). The current list of all ISASecure certification programs and documents related to these programs can
be found on the web site http://www.ISASecure.org.
1 Scope
The ISASecure® certification programs have been developed by an industry consortium called the ISA
Security Compliance Institute (ISCI) with a goal to accelerate industry-wide improvement of cyber security for
Industrial Automation and Control Systems (IACS). An organization that performs evaluations and grants
certifications under the ISASecure CSA (Component Security Assurance) program is referred to as an
ISASecure CSA chartered laboratory, or (more briefly) a chartered laboratory. This document specifies the
criteria and processes that define:
• How a chartered laboratory shall begin and continue ISASecure component certification operations
(Section 7).
• IACS security standards IEC 62443-4-1 and IEC 62443-4-2 (also published as ANSI/ISA standards)
This document provides a complete reference to these sources, and details ISASecure CSA program-specific
requirements for compliance with applicable general specifications and standards.
ISASecure CSA is a product certification program for IACS components. An IACS component is an entity that
is used to build control systems and that exhibits the characteristics of one or more of a software application,
embedded device, host device, or network device. These component types are defined in [IEC 62443-4-2]
and in 3.1 of the present document. ISCI also has developed product certification and process certification
programs for:
• Control system products, the ISASecure SSA program (System Security Assurance)
• Supplier's secure product development lifecycle process, the ISASecure SDLA program (Security
Development Lifecycle Assurance).
The separate documents SSA-200 ISASecure SSA chartered laboratory operations and accreditation and
SDLA-200 ISASecure SDLA chartered laboratory operations and accreditation address these same topics as
they relate to chartered laboratories that perform ISASecure SSA and SDLA certifications, respectively.
ISASecure programs support and align with the standards ANSI/ISA/IEC 62443 for IACS security. [CSA-100]
discusses the relationship between ISASecure CSA and the ANSI/ISA/IEC 62443 effort.
2 Normative references
2.1 General
NOTE The following is the highest level document that describes the ISASecure CSA certification program.
2.2 Accreditation
[ISASecure-115] ISCI ISASecure Certification Programs - Policy for transition to SDLA 2.0.0, EDSA 2.1.0 and
SSA 2.1.0, as specified at http://www.ISASecure.org
[ISASecure-116] ISCI ISASecure Certification Programs - Policy for transition to EDSA 3.0.0 and SSA 3.0.0,
as specified at http://www.ISASecure.org
[ISASecure-117] ISCI ISASecure Certification Programs - Policy for transition to CSA 1.0.0 and SSA 4.0.0 as
specified at http://www.ISASecure.org
NOTE The following document can be tailored for chartered laboratories performing CSA, SSA or SDLA certifications, or any
combination of these.
[ISASecure-202] ISCI ISASecure Certification Programs – Application and Contract for Chartered
Laboratories, internal ISCI document
2.2.2 Deleted
2.2.3 Deleted
[CSA-204] ISCI Component Security Assurance – Instructions and Policies for Use of the ISASecure Symbol
and Certificates, as specified at http://www.ISASecure.org
[SSA-420] ISCI System Security Assurance – Vulnerability Identification Test Specification, as specified at
http://www.ISASecure.org
NOTE 2 The following document provides the technical evaluation criteria for the Functional Security Assessment element (FSA-C)
of a CSA evaluation.
[CSA-311] ISCI Component Security Assurance – Functional security assessment for components, as
specified at http://www.ISASecure.org
NOTE 3 The following documents provide the overall technical evaluation criteria for the Security Development Artifacts element
(SDA-C) of a CSA product evaluation. [SDLA-312] also provides the technical evaluation criteria for an ISASecure assessment of
supplier secure product development lifecycle process performed for an ISASecure SDLA certification.
[CSA-312] ISCI Component Security Assurance – Security development artifacts for components, as
specified at http://www.ISASecure.org
[SDLA-312] ISCI Security Development Lifecycle Assurance – Security development lifecycle assessment, as
specified at http://www.ISASecure.org
NOTE 4 The following is the highest level document that describes the related ISASecure SDLA certification program for supplier
secure product development lifecycle processes.
[SDLA-100] ISCI Security Development Lifecycle Assurance – ISASecure Certification Scheme, as specified
at http://www.ISASecure.org
[SDLA-200] ISCI Security Development Lifecycle Assurance – ISASecure SDLA chartered laboratory
operations and accreditation
External references are documents that are maintained outside of the ISASecure CSA program and are used
by the program.
[IEC 62443-1-1] IEC TS 62443-1-1:2009 Industrial communication networks – Network and system security -
Part 1-1: Terminology, concepts and models
[ANSI/ISA-62443-4-1] ANSI/ISA-62443-4-1-2018 Security for industrial automation and control systems Part 4-1:
Secure product development lifecycle requirements
[IEC 62443-4-1] IEC 62443-4-1:2018 Security for industrial automation and control systems Part 4-1: Secure product
development lifecycle requirements
[ANSI/ISA-62443-4-2] ANSI/ISA-62443-4-2-2018 Security for industrial automation and control systems Part
4-2: Technical security requirements for IACS components
[IEC 62443-4-2] IEC 62443-4-2:2019 Security for industrial automation and control systems Part 4-2:
Technical security requirements for IACS components
[ISO/IEC 17065] ISO/IEC 17065, “Conformity assessment - Requirements for bodies certifying products,
processes, and services”, September 15, 2012
NOTE 2 The transition timeline to the later 2017 version of ISO/IEC 17025 below is defined by ISO/ILAC policy.
[ISO/IEC 17025 2005] ISO/IEC 17025, “General requirements for the competence of testing and calibration
laboratories”, 15 May 2005
[ISO/IEC 17025] ISO/IEC 17025, “General requirements for the competence of testing and calibration
laboratories”, November 2017
[ISO/IEC 17011 2004] ISO/IEC 17011, “Conformity assessment – General requirements for accreditation
bodies accrediting conformity assessment bodies”, 01 September 2004
[ISO/IEC 17011] ISO/IEC 17011, “Conformity assessment – General requirements for accreditation bodies
accrediting conformity assessment bodies”, November 2017
3.1.1
accreditation
third party attestation related to a conformity assessment body conveying formal demonstration of its
competence to carry out specific conformity assessment tasks
NOTE For the ISASecure CSA certification programs, accreditation is an assessment and recognition process via which an
organization is granted chartered CSA laboratory status.
3.1.2
accreditation body
third party that performs attestation, related to a conformity assessment body, conveying a formal
demonstration of its competence to carry out specific conformity assessment
3.1.3
applicant
organization that has submitted a product or process to a chartered laboratory for evaluation for ISASecure
certification
3.1.4
auditable product
hardware and/or software product such that the product or its associated development process is subject to
audit, in the course of a specific chartered laboratory's planned certification activities
3.1.5
capability security level
level that indicates capability of meeting a security level natively without additional compensating
countermeasures when properly configured and integrated
3.1.6
certification level
capability security level for which conformance is demonstrated by a certification
NOTE It is intended that a product that achieves certification to CSA capability security level n will meet requirements for capability
security level n as defined in [IEC 62443-4-2].
3.1.7
component
entity belonging to an IACS that exhibits the characteristics of one or more of a host device, network device,
software application, or embedded device
3.1.8
conformity assessment body
body that performs conformity assessment services and that can be the object of accreditation
NOTE Examples are a laboratory, inspection body, product certification body, management system certification body and personnel
certification body. This is an ISO/IEC term and concept.
3.1.9
chartered laboratory
organization chartered by ASCI to evaluate products and/or processes under one or more ISASecure
certification programs and to grant certifications under one or more of these programs
NOTE A chartered laboratory is the conformity assessment body for the ISASecure certification programs.
3.1.10
embedded device
special purpose device running embedded software designed to directly monitor, control or actuate an
industrial process
NOTE Attributes of an embedded device are: no rotating media, limited number of exposed services, programmed through an
external interface, embedded OS or firmware equivalent, real-time scheduler, may have an attached control panel, may have a
communications interface. Examples are: PLC, field sensor devices, SIS controller, DCS controller.
3.1.11
host device
general purpose device running an operating system (for example Microsoft Windows OS or Linux) capable
of hosting one or more software applications, data stores or functions from one or more suppliers
NOTE Typical attributes include filesystem(s), programmable services, no real time scheduler and full HMI (keyboard, mouse, etc.).
3.1.12
industrial automation and control system
collection of personnel, hardware, software and policies involved in the operation of the industrial process
and that can affect or influence its safe, secure and reliable operation
3.1.13
major owner
owner of more than two percent (2%) of a business entity
NOTE This percentage is intended to exclude individuals who are owners via portfolio vehicles, and identify owners that may
influence the activities of the business entity.
3.1.14
major user
organization that has or plans purchase of products whose related costs and/or usage is material to the
overall operations of that organization
3.1.15
network device
device that facilitates data flow between devices, or restricts the flow of data, but may not directly interact
with a control process
NOTE Typical attributes include embedded OS or firmware, no HMI, no real-time scheduler and configured through an external
interface.
3.1.17
significant financing
financing that is material to the operations of the recipient
3.1.18
significant financial interest
financial interest where the value of this interest is material to the financial position of the entity that has the
interest
3.1.19
significant sales
sales that are material to the operations of the seller
3.1.20
software application
one or more software programs and their dependencies that are used to interface with the process or the
control system itself (for example, configuration software and historian)
NOTE 1 Software applications typically execute on host devices or embedded devices.
NOTE 2 Dependencies are any software programs that are necessary for the software application to function such as database
packages, reporting tools, or any third party or open source software.
3.1.21
symbol
graphic or text affixed or displayed to designate that ISASecure certification has been achieved
NOTE An earlier term for symbol is “mark.”
3.1.22
termination
withdrawal of certification, initiated by the entity that holds the certification
3.1.23
update
incremental hardware or software change in order to address security vulnerabilities, bugs, reliability, or
operability issues
3.1.24
upgrade
incremental hardware or software change in order to add new features
3.1.25
withdrawal
cancellation of the statement of conformity
3.2 Abbreviations
4 Background
4.1 Technical ISASecure CSA certification elements
ISASecure CSA is a certification program for IACS components. An IACS component is an entity that is used
to build control systems and that exhibits the characteristics of one or more of a software application,
embedded device, host device, or network device. These component types are defined in the standard [IEC
62443-4-2] and in 3.1 of the present document. CSA certification has the following elements:
SDLPA-C and SDA-C both assess development process. SDLPA-C is an evaluation of the component
supplier's secure product development lifecycle process. SDA-C examines the artifacts that are the outputs
of the supplier’s secure product development lifecycle process for the component to be certified.
FSA-C examines the security capabilities of the component, while recognizing in accordance with [IEC
62443-4-2] that requirements for security functionality differ by component type. The certifier determines all
component types applicable to a product; FSA-C then incorporates requirements for all component types
applicable to the product. VIT-C scans the component for the presence of known vulnerabilities.
The CSA program defines four certification levels for a component, offering increasing levels of security
assurance. Levels offered are capability security levels 1, 2, 3, and 4. The corresponding certifications are
called ISASecure CSA Capability Security Level 1, ISASecure CSA Capability Security Level 2, ISASecure
CSA Capability Security Level 3, and ISASecure CSA Capability Security Level 4.
All levels of certification include the certification elements defined in Section 1. SDLPA-C does not have an
associated level. SDA-C and VIT-C assessments are the same for all certification levels with the exception of
allowable residual risk for known security issues. FSA-C incorporates more requirements at higher levels,
aligned with the requirements assigned to each capability security level in [IEC 62443-4-2].
NOTE In SDLA-312 v5.5, the treatment of residual risk related to known security issues is found in SDLA requirement SDLA-DM-4.
ISCI is organized as an interest area within ASCI (Automation Standards Compliance Institute), a not-for-profit
503(c)(6) corporation owned by ISA. Descriptions of the governance and organizational structure for
ASCI are found on the ISASecure website: http://www.ISASecure.org.
ASCI CSA chartered laboratories are organizations that are accredited to evaluate components under the
ISASecure CSA programs. ASCI grants accredited laboratories the right to process ISASecure CSA
certifications for components on its behalf. A chartered laboratory will issue an ISASecure CSA certificate for
a component that meets the CSA certification requirements for its applicable component type(s), as
determined by the chartered laboratory. Compliance with component certification requirements is determined
based upon process audits, functional audits, and tests, which measure adherence to the ISASecure CSA
requirements for SDLPA-C, SDA-C, FSA-C, and VIT-C.
A supplier meets the SDLPA-C criteria by holding the ISASecure SDLA process certification described in
[SDLA-100]. This prerequisite for a CSA product certification is further detailed in [CSA-300].
All evaluations defined by the CSA specifications are conducted directly by a chartered laboratory or its
subcontractors.
The list of ASCI CSA chartered laboratories is posted on the ISCI website at http://www.ISASecure.org. At
the request of a component supplier, components that are issued certifications are registered on this same
ISCI website.
ISASecure CSA will operate as an internationally recognized certification program. To meet this standard, the
chartered laboratory operations and accreditation requirements are designed to comply with accepted
international standards applicable to product certification and testing.
The operations of ISASecure CSA chartered laboratories shall be in compliance with the applicable
requirements in:
• [ISO/IEC 17065], the international standard that applies to bodies that certify products, processes or
services, and
• [ISO/IEC 17025 2005], the international standard that applies to test organizations, and which is
updated to [ISO/IEC 17025] in a timeframe determined by ILAC/ISO policy.
The present document is organized using the outline of [ISO/IEC 17065]. Where required, it interprets
requirements in that document for ISASecure CSA and adds additional requirements. Of particular note are
requirements for:
• Content of chartered laboratory application and evaluation procedures (6.5.3.1.2 and 6.5.3.2.3)
Accreditation of a chartered laboratory consists of an assessment of the organization against the general
requirements in ISO/IEC 17025, 17065 and the specific requirements in Section 6 of this document, together
with an assessment of technical readiness for performing ISASecure CSA evaluations. Technical readiness
assessment is based upon review of laboratory processes and procedures as well as review of artifacts from
SDA-C, FSA-C and VIT-C evaluations carried out by the laboratory on a component. To be recognized as a
chartered laboratory for the ISASecure CSA program, a laboratory shall attain the following accreditations,
performed by an IAF/ILAC accreditation body:
• Accredited to ISO/IEC 17065, with technology scope of accreditation covering ISASecure CSA
certification; and
• Accredited to ISO/IEC 17025, with technology scope of accreditation covering testing to ISASecure FSA-C
and VIT-C specifications.
The laboratory accreditation process consists of two steps. In the first step, an IEC assessor who is qualified
with respect to the above two accreditations will complete an evaluation of all accreditation requirements.
Provisional chartered status is granted if ISCI's analysis of the assessor’s report following this evaluation
shows that the laboratory meets the requirements for formal accreditation and technical readiness
assessment defined in 7.2 of the present document. At this point the accreditation body has not yet formally
granted accreditation, which requires a review and approval process internal to the accreditation body.
Once a laboratory has attained provisional chartered status, ASCI grants that laboratory the right to perform
component evaluations and grant ISASecure CSA certifications. These rights continue as long as the
laboratory receives formal accreditation from a CSA accreditation body in a timely manner (the second step)
and maintains this status.
The approved standard [IEC 62443-4-2] defines technical security requirements for the four IACS component
types: software applications, embedded devices, host devices, and network devices. Previously, the
ISASecure EDSA 3.0.0 certification program certified one of these component types, embedded devices, to
that standard. The release of ISASecure CSA 1.0.0 subsumes the former EDSA program, and defines
certification criteria for the remaining three component types in [IEC 62443-4-2]. Accordingly, ISCI has
defined a policy for chartered laboratories to follow in transitioning certification activities from EDSA 3.0.0 to
CSA 1.0.0. This policy is defined in the document [ISASecure-117]. [ISASecure-117] also defines the
transition policy for related changes to the separate ISASecure SSA certification program for control
systems.
CSA 1.0.0 also incorporates by reference an update to the ISASecure [SDLA-312] specification; however, that
update does not change the SDLA certification version. SDLA v2.0.0 remains the most current version of that
certification, so no transition policy for that program is needed or described in [ISASecure-117]. This is
because the update to [SDLA-312] required for the CSA program modifies material in [SDLA-312] that
defines certifier validations for the element Security Development Artifacts for components (SDA-C) of CSA
1.0.0, but does not modify the material that defines certifier validations toward SDLA certification.
Section 6 of the present document specifies all requirements on the operation of CSA chartered laboratories.
It provides specific interpretations for ISO/IEC 17065 requirements, and defines further requirements that are
specific to the ISASecure CSA program.
• The sub sections at numbering level 2 (6.2, 6.3, 6.4, 6.5, 6.6) each correspond to a clause in
[ISO/IEC 17065], covering in turn clauses 4-8 in that document.
• Each of these sub sections in the present document has three further sub sections as follows:
o Overview - provides a list of the topics covered in the corresponding clause of [ISO/IEC
17065]
o ISASecure CSA specific requirements - This sub section lists additional scheme specific
requirements, beyond those derived directly from [ISO/IEC 17065] together with the other
documents of the ISASecure CSA certification scheme.
6.2.1 Overview
Clause 4 General requirements in [ISO/IEC 17065] covers the following topics in associated sub clauses of
that document:
• Confidentiality (4.5)
• Publicly available information (4.6).
The following table provides scheme references, for [ISO/IEC 17065] requirements in clause 4 of that
document that refer to certification scheme requirements.
ISO/IEC 17065 sub clause | ISO/IEC 17065 requirement | Scheme topic referenced | ISASecure CSA reference
This sub section lists additional scheme specific requirements related to Clause 4 General requirements in
[ISO/IEC 17065], beyond those derived from [ISO/IEC 17065] together with the other documents of the
ISASecure CSA certification scheme.
The chartered laboratory SHALL have processes to keep interested parties informed of changes to
certification requirements (such as changes to legal agreements associated with the certification process).
Since the supplier must maintain an SDLA certification in order to maintain an existing CSA certification over
time, the certification body SHALL inform the holder of a CSA certification regarding changes to the SDLA
certification criteria, as also required by the SDLA scheme in [SDLA-200]. The certification body SHALL also
inform the supplier of changes to other CSA certification criteria, as these changes will affect certification of
upgrades (as defined in 3.1.24) of a certified component in accordance with [CSA-301], so will be required by
the supplier for planning purposes.
6.3 Structural requirements
6.3.1 Overview
Clause 5 Structural requirements in [ISO/IEC 17065] covers the following topics in associated sub clauses of
that document:
The following table provides scheme references, for [ISO/IEC 17065] requirements in clause 5 of that
document that refer to certification scheme requirements.
Table 2 – Scheme reference for ISO/IEC 17065 clause 5
ISO/IEC 17065 sub clause | ISO/IEC 17065 requirement | Scheme topic referenced | ISASecure CSA reference
5.2 Mechanism for safeguarding impartiality | 5.2.1 (Notes 2 and 3) | Certification scheme owner participation in mechanism for impartiality | No unique requirements specified by scheme
This sub section lists additional scheme specific requirements related to clause 5 Structural requirements in
[ISO/IEC 17065], beyond those derived from [ISO/IEC 17065] together with the other documents of the
ISASecure CSA certification scheme.
Additional requirements on financial and other organizational affiliations of chartered laboratories are defined
as follows, to further safeguard impartiality.
When the separate legal entity as in [ISO/IEC 17065] 4.2.7 is a major user of certified products, the
personnel of the separate legal entity shall not be involved in the management of the certification body, the
review, or the certification decision.
The following requirements apply to a chartered laboratory regarding its financial affiliations with suppliers
and users of auditable products. The term "auditable product" is defined in 3.1.4. A supplier of auditable
products is typically a certification client of the chartered laboratory. However, other organizations could also
sell these products, and these cases are covered in this requirement as well.
o receive significant financing from a supplier or from a major user of auditable products, or
their major owners;
• A person involved in the management of the certification body, the review, or the certification decision
for the chartered laboratory SHALL NOT have a significant financial interest in a supplier or major
user of auditable products.
The following requirements apply to a chartered laboratory regarding its sales and purchase activities:
• A chartered laboratory SHALL NOT have significant sales of any products or services to suppliers of
auditable products, other than certification services;
• Prices and agreements related to any products or services that a chartered laboratory purchases from
a supplier of auditable products SHALL NOT have dependencies on related certification activity.
6.4.1 Overview
Clause 6 Resource requirements in [ISO/IEC 17065] covers the following topics in associated sub clauses of
that document:
The following table provides scheme references, for [ISO/IEC 17065] requirements in clause 6 of that
document that refer to certification scheme requirements.
Table 3 – Scheme references for ISO/IEC 17065 clause 6
ISO/IEC 17065 sub clause | ISO/IEC 17065 requirement | Scheme topic referenced | ISASecure CSA reference
6.1.2 Management of competence for personnel involved in the certification process | 6.1.2.1 b | Certification scheme requirements for training of personnel involved in certification | [CSA-200] 6.4.3.1
This sub section lists additional scheme specific requirements related to clause 6 Resource requirements in
[ISO/IEC 17065], beyond those derived from [ISO/IEC 17065] together with the other documents of the
ISASecure CSA certification scheme.
The level of knowledge required for IEC 62443 as indicated in the last row of Tables 4-5, SHALL at a
minimum be sufficient for the individual to prepare and present a one hour overview on the scope of
application and contents of the standard, and be capable of quickly finding the answers to questions about
what the standard requires on a particular topic, if given access to the text of the standard. For the other
security standards and practices listed in the table, the level of knowledge required SHALL at a minimum be
equivalent to 8 hours of training on the standard or practice.
Table 4 – FSA-C and SDA-C auditor qualifications
Category of qualification / experience | FSA-C auditor | SDA-C auditor

Relevant auditing work experience
  FSA-C auditor:
  • Min 1 year experience performing technical product audit OR 2 years in position in which has been audited on 3 or more products
  SDA-C auditor:
  • Min 1 year experience performing software process audit OR 2 years in position in which software process has been audited on 3 or more products

Relevant industry specific knowledge
  FSA-C auditor:
  • General knowledge of at least two different IACS AND
  • General knowledge of application of IACS and roles and duties of employees at sites using IACS AND
  • Moderate level knowledge of networking and communication protocols AND
  • Able to independently read and interpret requirement specifications for IACS products AND
  • Able to independently read and understand user installation and configuration documents for IACS products AND
  • Knowledge of methods used to protect communications and detect / prevent communication attacks
  SDA-C auditor:
  • General knowledge of end-to-end software development life cycle AND
  • General knowledge of IACS architectures

Knowledge of security standards
  FSA-C auditor: IEC 62443 Standard plus at least one of:
  • Common Criteria
  • ISO/IEC 27001
  • IEC 61508
  SDA-C auditor: IEC 62443 Standard plus at least one of:
  • Common Criteria
  • ISO/IEC 27001
  • IEC 61508
The [ISO/IEC 17065] requirement 6.1.2.1a) in the sub clause 6.1.1 Management of competence for personnel
involved in the certification process refers to competencies of personnel involved in the certification process.
The minimum qualifications for personnel that are responsible for the technical aspects of VIT testing
and interpretation of results shall include those specified in Table 5.
Table 5 – VIT-C lead evaluator qualifications
Category of qualification / experience | VIT-C lead evaluator

Professional certification
  • CISA, CISSP, GICSP, CACE, CACS, or equivalent

Work experience
  • Min 5 years experience post BS degree

Relevant development work experience
  • Min 4 year detailed system level product development involvement for IACS OR
  • Min 4 years of Systems Integration experience for IACS OR
  • Min 3 years System Level Product Test for IACS
  • Experience includes 1 year with software security-related responsibilities
  • Experience includes 2 years involvement with networking technologies

Relevant test work experience
  • Min 1 year experience performing testing on IACS

Relevant industry specific knowledge
  • Successful completion of training class or 1 year experience in job demonstrating proficiency with VIT tool to be used AND
  • General knowledge of at least two different IACS OR detailed knowledge of one IACS AND
  • Moderate level knowledge of networking and communication protocols AND
  • Able to independently read and understand user installation and configuration documents for IACS Products

Knowledge of security standards
  IEC 62443 Standard plus at least one of:
  • Common Criteria
  • ISO/IEC 27001
  • IEC 61508
Staff training SHALL BE kept up-to-date and staff SHALL keep up-to-date on current normative specification
issues (this includes participation in technical groups or committees).
The [ISO/IEC 17065] requirements 6.2.1 Internal resources and 6.2.2 External resources in the sub clause
6.2 Resources for evaluation refer to compliance with applicable requirements in ISO/IEC 17025, 17020, and
17021. Accreditation to ISO/IEC 17025 is required for a CSA chartered laboratory. Requirements from
ISO/IEC 17020, which apply to inspection activities, have been adapted and incorporated in this document as
follows and hence are noted but not repeated here:
ISO/IEC 17020 requirement | Topic | CSA-200 requirement
(…) | records ("Inspection records" in 17020) | (…)
6.5.1 Overview
Clause 7 Process requirements in [ISO/IEC 17065] covers the following topics in associated sub clauses of
that document:
• General (7.1)
• Application (7.2)
• Evaluation (7.4)
• Review (7.5)
• Surveillance (7.9)
• Records (7.12)
The following table provides scheme references for [ISO/IEC 17065] requirements in clause 7 of that
document that refer to certification scheme requirements.
Table 7 – Scheme reference for ISO/IEC 17065 clause 7

ISO/IEC 17065 sub clause | ISO/IEC 17065 requirement | Scheme topic referenced | ISASecure CSA reference
7.2 Application
  ISO/IEC 17065 requirement: 7.2 Information that scheme requires for client application
  Scheme topic referenced: requirements C.R1, R2 and R4 in [CSA-300] for initial certification; requirements for products with a version previously certified are in [CSA-301]
  ISASecure CSA reference: [CSA-300] 5.1 and 5.2
7.8 Directory of certified products
  ISO/IEC 17065 requirement: 7.8 last paragraph
  Scheme topic referenced: Information about certified products made available to a directory
  ISASecure CSA reference: [CSA-200] 6.5.3.3
This sub section lists additional scheme specific requirements related to clause 7 Process requirements in
[ISO/IEC 17065], beyond those derived from [ISO/IEC 17065] together with the other documents of the
ISASecure CSA certification scheme.
6.5.3.1 Application
Requirement CSA.R15 – Determining applicant eligibility
The chartered laboratory SHALL be responsible for determining whether a product presented by a potential
client meets the scope for a CSA certification, and which component type(s) apply to the product (software
application, embedded device, host device, network device). The chartered laboratory MAY request guidance
from ISCI in this matter. If the client does not concur with the decision of the chartered laboratory, they MAY
use the complaint escalation process described in Requirements CSA.R41 and CSA.R42.
6.5.3.2 Evaluation
[ISO/IEC 17025] 7.2.1.3 on selection of test methods specifies using the latest valid version of the standards
upon which tests are based, where appropriate. The appropriate versions of ISASecure specifications to use
for a certification SHALL be identified in accordance with transition policies and specification listings found
on the ISASecure web site at http://www.ISASecure.org.
Detailed reporting on VIT-C results for a component SHALL be carried out in accordance with the
requirements on VIT-C reporting in the technical specification for VIT-C, which is listed in the normative
references for [CSA-300].
6.5.3.2.2 Deleted
• Identify personnel responsible for preparation, review of technical content, and initial or revision
approval;
The [ISO/IEC 17065] requirement 7.8 refers to certification information to be published in a directory of
certifications granted by the certification body.
6.5.3.4 Surveillance
The ISASecure CSA certification scheme does not require surveillance, where that term refers to inspection
of samples of actual shipped product for compliance with certification requirements. ISCI does not require a
chartered laboratory to verify periodically that components shipped by the supplier that are labeled with a
version number that has been certified, are in fact that version. However, ISO/IEC 17065 requires that the
chartered laboratory monitor the use of the ISASecure symbol. This includes proper symbol use as it relates
to product version. Certification of updated and upgraded product versions (as defined in 3.1.23 and 3.1.24),
and certification to updated ISASecure versions, are covered in [CSA-301]. As required by CSA.R38 and
described in [CSA-301], maintaining CSA certification for updates of a certified product requires maintenance
by the supplier of an SDLA process certification, which in turn requires periodic recertification audits under the
SDLA scheme, as described in [SDLA-300].
6.5.3.5 Deleted
The [ISO/IEC 17065] sub clause 7.11 refers to termination, reduction, suspension, or withdrawal of
certification. Reduction and suspension are not defined for CSA certification. The following requirements
apply to withdrawal and termination.
• The product remains in a support status such that an SDLA certified SDL process still applies to the
product;
• The supplier retains their SDLA certification, or if their SDLA certification is lost, reinstates it within a
year grace period; AND
The following requirement defines actions as referenced in [ISO/IEC 17065] sub clause 7.11.3, that are
required by the scheme upon termination, reduction, suspension or withdrawal.
The [ISO/IEC 17065] requirement 7.13.1 under 7.13 Complaints and appeals refers to the certification body
process related to complaints and appeals.
A chartered laboratory SHALL be responsible for managing the resolution of complaints related to any aspect
of compliance for a product it evaluated or certified.
Requirement CSA.R42 – Escalation for complaints and appeals related to application of specifications
An appealed complaint MAY request a ruling on whether the ISASecure specifications were correctly applied
in a specific instance. Such a complaint SHALL NOT be escalated to the ASCI board of directors, but is
resolved within ISCI. This ruling could impact:
• Whether the certification process is applicable to a particular product that has applied for certification;
6.6.1 Overview
Clause 8 Management system requirements in [ISO/IEC 17065] covers the following topics in associated sub
clauses. Sub clause 8.1 describes two options open to certification bodies to meet the ISO/IEC 17065
management system requirements. Option A is the option for a certification body to comply with the
management system requirements listed in sub clauses 8.2-8.8 of [ISO/IEC 17065]. Option B is the option for
a certification body to comply with ISO 9001 requirements. Option B does not require that the certification
body be certified to ISO 9001.
• Options (8.1)
This sub section lists additional scheme specific requirements related to clause 8 Management system
requirements in [ISO/IEC 17065], beyond those derived from [ISO/IEC 17065] together with the other
documents of the ISASecure CSA certification scheme. They apply whether the chartered laboratory elects
Option A or Option B to fulfill the management system requirements.
• Identify the personnel responsible for quality, other general and the specific responsibilities for
quality, and the authority delegated to each activity;
Requirement CSA.R47 – Facility security
Chartered laboratory measures and procedures related to security SHALL include provisions for: controlling
access, off hours security, and fire protection for the facility; informing all personnel of security policies; limiting
distribution of confidential information; limiting access to and safe storage of records (including certificates
and reports); back-up or off-site storage; and designating personnel responsible for monitoring security.
The intent of the following broader provision is to improve the ISASecure product certification programs.
Accreditation of a chartered laboratory involves an assessment of the organization against the requirements
in the following documents:
Technical readiness assessment is based upon review of documented laboratory processes and procedures
as well as review of artifacts from sample audits carried out by the laboratory on a component, as described
in Section 7.3. To be recognized as a chartered laboratory for the ISASecure CSA program, a laboratory
shall attain the following accreditations, performed by an IAF/ILAC recognized accreditation body:
• Accredited to IAF ISO/IEC 17065, with technology scope of accreditation covering ISASecure CSA
certification; and
• Accredited to ISO/IEC 17025, with technology scope of accreditation covering ISASecure CSA FSA-C
and VIT-C specifications.
This internationally recognized accreditation shall be obtained by a laboratory within 18 months of obtaining
a provisional chartered laboratory status, as described in Section 5. The following section discusses
requirements for attaining provisional chartered laboratory status.
Provisional chartered laboratory status allows an organization to begin certification activities before
accreditation has been formally granted by a CSA accreditation body. Formal granting of the accreditation
can occur several months after the evaluation of the laboratory has taken place and results submitted by the
evaluators to the board within the CSA accreditation body that makes the final accreditation decision.
ASCI will grant a laboratory provisional chartered status based on the results of an evaluation of the
laboratory by qualified assessors for ISO/IEC 17065 and ISO/IEC 17025. Provisional chartered status is
granted if the evaluation shows that the organization complies with:
• Those technical readiness criteria in Table 8 that may be verified based upon process and procedure
documentation evidence. These criteria are in rows 1-3 Table 8.
The accreditation body will assess the remaining technical readiness criteria once the chartered laboratory is
operating and has examples of product evaluation results available.
The evaluation for a candidate chartered laboratory is performed by an assessor that has been qualified by
an IAF/ILAC recognized accreditation body. A candidate organization shall apply for accreditation as required
by the accreditation body. A candidate chartered laboratory also applies to ASCI using the form [ISASecure-
202]. “Provisional” chartered laboratory status is a term applied by ASCI/ISCI within the ISASecure program
and is not recognized or managed by the accreditation body.
During the period when a chartered laboratory is operating in provisional status, ASCI shall be made aware
of the laboratory’s expectations for receipt of formal internationally recognized accreditation by an IAF/ILAC
organization. ASCI shall have the option to perform an interim review and update its evaluation for
provisional status of the chartered laboratory 6 months after it is received. Once a chartered laboratory has
achieved accreditation by an IEC 17011 accreditation body, that accreditation body determines the
requirements and frequency for maintenance audits to maintain accredited status.
The technical readiness assessment for CSA accreditation focuses on SDA-C, FSA-C, and VIT-C. The
evaluation consists of assessment of evidence supplied by the candidate laboratory per the evaluation
criteria in Table 8. The requirements numbered VIT-C.Rnn or VIT.Rnn are from [SSA-420].
ID | Evidence supplied by candidate laboratory | Evaluation criteria
1  Organization statement of test tool and version in use for VIT-C
   • ISCI-specified tool is in place as specified for VIT per VIT-C.R1
3  Application form and instructions to be given to suppliers submitting components
   • Application requests all items required per [CSA-300] Requirement ISASecure_C.R4
5  Evidence demonstrating that the vulnerability identification test result can be reproduced based on information in evaluation report; document steps used to reproduce these
   • Verify that steps for creation of reproduced result required only information in the evaluation report; and that results are same as initial results