Implementing ISO/IEC 15205-02:2021: A Technical Guide to Security Assurance Levels for Critical Infrastructure

Understanding the scope, technical requirements, and compliance pathways for the ISO/IEC 15205-02 standard for security assurance in critical systems.

Scope and Applicability

ISO/IEC 15205-02:2021, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines the requirements and criteria for Security Assurance Levels (SALs) applicable to critical infrastructure systems. This standard addresses the growing need for a unified security baseline for systems such as power grids, transportation networks, water treatment facilities, and industrial control systems. It provides a framework for classifying the security robustness required based on threat exposure, potential impact, and system complexity.

The scope of ISO/IEC 15205-02 specifically covers the hardware and software components of automation and control systems that interface with critical operations. It does not cover general IT security but focuses on operational technology (OT) environments where integrity and availability are paramount. The standard is intended for system integrators, asset owners, product vendors, and evaluators.

Technical Requirements

Security Assurance Levels (SALs)

The core of ISO/IEC 15205-02 is the definition of four Security Assurance Levels, each prescribing a set of mandatory security controls and verification rigor.

SAL     Threat exposure   Required controls                                  Verification rigor
SAL 1   Low               Basic access control, logging                      Self-assessment
SAL 2   Medium            Authentication, encryption, backups                Independent review
SAL 3   High              Redundancy, intrusion detection, secure boot       Extensive testing
SAL 4   Critical          Formal verification, full redundancy, fail-safe    Independent certification

Each SAL builds on the previous level. For instance, SAL 2 requires all SAL 1 controls plus additional authentication and communication encryption. The standard also mandates a security architecture that partitions critical functions and enforces the principle of least privilege across all interfaces.

System Architecture and Security Measures

ISO/IEC 15205-02 specifies architectural requirements for network segmentation, secure remote access, and hardening of embedded devices. It requires that all external communication channels use TLS 1.3 or equivalent, and that cryptographic keys be managed according to ISO/IEC 11770. Additionally, the standard calls for runtime integrity monitoring and secure update mechanisms. For SAL 3 and above, the use of physically isolated security modules is recommended.
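The TLS 1.3 requirement above is easy to state and easy to get wrong in code, because most TLS libraries still default to accepting TLS 1.2 and some application code disables certificate checks during integration. The following Python snippet is an added example, not code from the standard or from any vendor: it builds a client context that only negotiates TLS 1.3 with full certificate and hostname validation, shows the kind of permissive context that would fail the requirement, and audits any context for the three settings an evaluator would look at. Only the Python standard library `ssl` module is used; the `ca_file` parameter is an assumption for the caller's trust anchor.

```python
import ssl


def hardened_client_context(ca_file=None):
    """Client context that satisfies 'TLS 1.3 only' plus certificate validation.

    ca_file is an assumed caller-supplied PEM bundle (e.g. the plant CA); when
    None, the platform trust store is used instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # refuse TLS 1.2 and older
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True                      # bind the cert to the peer name
    ctx.verify_mode = ssl.CERT_REQUIRED            # reject unauthenticated peers
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def legacy_client_context():
    """The 'before' case: accepts TLS 1.2 and skips certificate validation.

    Shown only so the audit below has something to flag; do not deploy this.
    check_hostname must be cleared before verify_mode is set to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(
            f"minimum_version is {ctx.minimum_version.name}; TLSv1_3 is required")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        print(label, audit_context(ctx) or "OK")
```

`audit_context` only inspects the context object, so it can be run in a CI step against whatever the application actually constructs, which catches the common case where a hardened context exists in one module and a permissive one is still used somewhere else.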

Testing and Verification

Verification activities include vulnerability scanning, penetration testing, and fuzzing of protocol stacks. The standard defines specific test coverage levels for each SAL. For example, SAL 2 requires at least 80% statement coverage in software testing, while SAL 4 demands formal proof of critical security properties. All testing must be performed on the target runtime environment, and results must be documented in a Security Test Report.
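A coverage floor such as the 80% statement coverage cited for SAL 2 is only useful if the pipeline enforces it. The following Python block is an added example, not part of the standard or any evaluator's toolset: it reads the JSON report that coverage.py's `coverage json` command produces, recomputes the overall statement coverage from the raw counts rather than trusting the pre-computed percentage, lists the files that individually fall below the floor, and returns a pass/fail verdict for the target SAL. The report content is constructed for illustration; only the SAL 2 threshold comes from the text, and the thresholds for the other levels are assumptions (for SAL 4 in particular, coverage is a floor, not a substitute for the formal proof the text requires).

```python
import sys

# Constructed sample of a coverage.py JSON report (the shape `coverage json`
# writes). The file names and counts are invented for this example.
SAMPLE_REPORT = {
    "totals": {"covered_lines": 120, "num_statements": 160, "percent_covered": 75.0},
    "files": {
        "ctrl/auth.py":   {"summary": {"covered_lines": 90, "num_statements": 100}},
        "ctrl/modbus.py": {"summary": {"covered_lines": 30, "num_statements": 60}},
    },
}

# Statement-coverage floor per SAL. Only the SAL 2 value (80%) is from the
# text above; the other three are assumptions made for this example.
STATEMENT_COVERAGE_THRESHOLD = {1: 0.0, 2: 80.0, 3: 90.0, 4: 100.0}


def _percent(covered, total):
    """Coverage as a percentage; an empty file counts as fully covered."""
    return 100.0 * covered / total if total else 100.0


def statement_coverage(report):
    """Overall statement coverage recomputed from the raw counts."""
    totals = report["totals"]
    return _percent(totals["covered_lines"], totals["num_statements"])


def files_below(report, threshold):
    """Sorted names of files whose own coverage is below the threshold."""
    low = []
    for name, data in report["files"].items():
        summary = data["summary"]
        if _percent(summary["covered_lines"], summary["num_statements"]) < threshold:
            low.append(name)
    return sorted(low)


def coverage_gate(report, sal):
    """Return (passed, overall_percent, offending_files) for a SAL target."""
    threshold = STATEMENT_COVERAGE_THRESHOLD[sal]
    overall = statement_coverage(report)
    return overall >= threshold, overall, files_below(report, threshold)


if __name__ == "__main__":
    # Usage in CI: exit non-zero so the pipeline stops on a failed gate.
    passed, overall, low = coverage_gate(SAMPLE_REPORT, sal=2)
    print(f"SAL 2 gate: {'PASS' if passed else 'FAIL'} at {overall:.1f}% "
          f"(files below floor: {low or 'none'})")
    sys.exit(0 if passed else 1)
```

The per-file list matters in practice: an overall figure of 75% hides that the protocol-facing module is at 50%, which is exactly the code the fuzzing requirement targets. Checking files individually, and recomputing the percentage from counts, also defends the gate against a report that was edited or produced with excluded lines.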

Implementation Highlights

Integrating SALs into the Development Lifecycle

Adopting ISO/IEC 15205-02 typically begins with a threat modeling exercise to determine the appropriate SAL for each system component. The standard provides a risk assessment methodology based on asset value, attacker capability, and consequence severity. Once the SAL target is set, developers must map the corresponding security controls into user stories and acceptance criteria. Continuous integration pipelines should incorporate static analysis and dependency scanning to catch violations early.

Tip: Start with a pilot project at SAL 1 to establish security procedures and tools before scaling to higher levels. This reduces the learning curve and allows iterations on your security engineering framework.

Documentation plays a critical role: a Security Case must be maintained, outlining the argument that the system satisfies the chosen SAL. This case includes design rationales, test plans, and evidence of control effectiveness.

Tools and Documentation

Several commercial and open-source tools assist with compliance, including automated control verifiers, formal proof assistants, and security information and event management (SIEM) systems that align with the logging requirements of SAL 2 and above. The standard also mandates a software bill of materials (SBOM) for all third-party components to manage supply chain risks.
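An SBOM only manages supply-chain risk if it is both complete and checked against what is actually deployed. The following Python block is an added example and not code from the standard, a tool vendor, or any project: it validates a CycloneDX-style SBOM (every component must carry a name, an exact version, a package URL that agrees with that version, and at least one integrity hash) and then compares the certified SBOM against the currently installed dependency set, so that a version change or an undeclared package is caught as a change that needs re-verification. The SBOM document and the installed-package map are constructed for illustration; the package names are placeholders, not a statement about any real product.

```python
# Constructed CycloneDX 1.5 document (invented contents for this example).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "paho-mqtt", "version": "1.6.1",
         "purl": "pkg:pypi/paho-mqtt@1.6.1",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},  # placeholder digest
        {"type": "library", "name": "pymodbus", "version": "3.6.4",
         "purl": "pkg:pypi/pymodbus@3.6.4",
         "hashes": []},                                          # no integrity hash
        {"type": "library", "name": "cryptography",
         "purl": "pkg:pypi/cryptography"},                      # no pinned version
    ],
}

# Constructed view of what is actually installed, e.g. parsed from a lockfile.
SAMPLE_INSTALLED = {"paho-mqtt": "1.6.1", "pymodbus": "3.6.5", "requests": "2.31.0"}

REQUIRED_FIELDS = ("name", "version", "purl")


def validate_sbom(sbom):
    """Return (component, problem) pairs; empty means every component is
    traceable to an exact, integrity-checked artifact."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append(("<document>", "not a CycloneDX document"))
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                problems.append((name, f"missing {field}"))
        version, purl = comp.get("version"), comp.get("purl")
        if version and purl and not purl.endswith("@" + version):
            problems.append((name, "purl version does not match version field"))
        if not comp.get("hashes"):
            problems.append((name, "no integrity hash"))
    return problems


def dependency_drift(sbom, installed):
    """Differences between the certified SBOM and the installed set."""
    declared = {c["name"]: c.get("version") for c in sbom.get("components", [])}
    return {
        "version_changed": {n: (declared[n], v) for n, v in installed.items()
                            if n in declared and declared[n] != v},
        "not_in_sbom": sorted(n for n in installed if n not in declared),
        "not_installed": sorted(n for n in declared if n not in installed),
    }


def reverification_required(sbom, installed):
    """True when any drift exists: the certified evidence no longer matches."""
    return any(dependency_drift(sbom, installed).values())


if __name__ == "__main__":
    for comp, problem in validate_sbom(SAMPLE_SBOM):
        print(f"SBOM: {comp}: {problem}")
    print("drift:", dependency_drift(SAMPLE_SBOM, SAMPLE_INSTALLED))
    print("re-verification required:", reverification_required(SAMPLE_SBOM, SAMPLE_INSTALLED))
```

Run against a real CycloneDX file, the same functions apply unchanged after `json.load`. Treating a non-empty drift result as a hard failure is what turns the document's later re-verification warning into something the pipeline enforces rather than something an auditor discovers two years later.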

Compliance and Certification

Assessment Process

Conformity assessment may be performed by an accredited third-party certification body or, for lower SALs, through self-declaration. The process involves a review of the Security Case, hands-on testing, and a site audit of the development and operations environments. Successful certification leads to issuing a Certificate of Security Assurance listing the product name, version, and assigned SAL.

Maintaining Compliance

Once certified, the standard requires continuous monitoring of security alerts and periodic re-evaluation at least every two years, or upon any significant system change. Organizations must also report any discovered vulnerabilities to the certification body in a timely manner.

Warning: Do not assume that recompilation of unchanged code preserves compliance. Any change in the build toolchain or dependency version may introduce new risks that require re-verification, even at the same SAL.

Success: Many early adopters report that implementing ISO/IEC 15205-02 reduces the number of security incidents by over 60% within two years and simplifies procurement for critical infrastructure projects.

Important: Failure to maintain compliance can lead to decertification and legal liability, especially if the system is used in a sector subject to national critical infrastructure regulations.

Frequently Asked Questions

Q: Is ISO/IEC 15205-02 applicable to software-only products?
A: Yes, the standard applies to software that controls or monitors physical processes, including pure software platforms such as SCADA servers and industrial IoT gateways, provided they are part of a critical infrastructure system.
Q: How does ISO/IEC 15205-02 relate to IEC 62443?
A: The two standards are complementary. ISO/IEC 15205-02 focuses on assurance levels (SALs), while IEC 62443 provides detailed technical controls for industrial automation and control systems (IACS) and their networks. Many organizations combine them to achieve both depth of controls and a structured assurance classification.
Q: Can a system be certified for multiple SAL levels in different zones?
A: Yes. A system may be divided into security zones, each assigned a distinct SAL. The certification then covers the entire system with a report that lists the SAL per zone. This is common in large facilities where not all components face the same threat level.

Published: January 2026
