Shop

Artificial Intelligence Notice: ISA prohibits the entry of any ISA intellectual property (“ISA IP”), including standards, publications, training or other materials into any form of Artificial Intelligence (AI) tools, such as ChatGPT. Additionally, creating derivatives of ISA IP using AI is also prohibited without express written permission from ISA’s CEO. In the case of such use, ISA will suspend a licensee’s access to ISA IP, and further legal action will be considered. Please review ISA's policies for Use of AI Tools, Intellectual Property and Terms and Conditions for further information.

Cancel

ISASecure Automation Control System Security Assurance (ACSSA) for Evaluators (IC49)

Evaluate Industrial Control System Cybersecurity Against ISA/IEC 62443

ISASecure Automation Control System Security Assurance (ACSSA) (IC49) delivers a clear, step-by-step approach to evaluating the cybersecurity of industrial control systems (IACS) in alignment with the ISA/IEC 62443 standards. Learn how to determine eligibility for inspection or certification, understand the roles of evaluators, control system owners and service providers and define a focused evaluation scope.

Gain practical insight into reviewing risk assessments, assessing maturity levels (ML2 and ML3) and examining documented policies and procedures. Verify real-world practices through interviews and artifact review, then inspect technical configurations across zones and conduits. This course emphasizes objective evidence, risk-based sampling methods and how to identify and document nonconformities, showing how individual findings come together to form a defensible evaluation result.

Build hands-on skills to plan and execute ACSSA evaluations, sample zones and conduits and produce traceable reports that map findings directly to ISA/IEC 62443 requirements. Strengthen the organization’s ability to conduct structured, well-documented evaluations of operational control systems, generate credible evidence of security program maturity and demonstrate how service-provider practices and contractual scope influence overall security posture.

Create structured reports that support internal decision making, regulatory discussions and insurer reviews. Understand how sampling choices affect confidence in evaluation results so you can deliver assessments that stand up to scrutiny.

Note: The IC49 course is a prerequisite for performing inspections and certifications under the ACSSA program.

ACSSA for Evaluators Badge
IC49 is the official course for the ISASecure Automation Control System Security Assurance (ACSSA) program. The ACSSA for Evaluators Specialist certificate is earned by successfully completing ISA's IC49 course and passing the ISA ACSSA Evaluators Specialist exam.
 

Required Prerequisite

Students must have detailed knowledge and experience in implementing the ISA/IEC 62443 standards, specifically:
  • ANSI/ISA-62443-2-1-2024, Security for Industrial Automation and Control Systems – Part 2-1: Security Program Requirements for IACS Asset Owners
  • ANSI/ISA-62443-2-4-2018 / IEC 62443-2-4:2015+AMD1:2017 CSV, Security for Industrial Automation and Control Systems, Part 2-4: Security Program Requirements for IACS Service Providers (IEC 62443-2-4:2015+AMD1:2017 CSV, IDT)
  • ANSI/ISA-62443-3-2-2020, Security for Industrial Automation and Control Systems, Part 3-2: Security Risk Assessment for System Design
  • ANSI/ISA-62443-3-3-2013, Security for Industrial Automation and Control Systems, Part 3-3: System Security Requirements and Security Levels
It is highly recommended that students possess the ISA/IEC 62443 Expert certificate.

Who Should Attend IC49?

IC49 is designed for professionals experienced in applying the ISA/IEC 62443 standards to evaluate or support cybersecurity programs, including:
  • OT cybersecurity specialists
  • Conformity Assessment Body Auditors
  • Consultants supporting industrial cybersecurity programs
  • Engineers responsible for system security reviews
  • Asset owners interested in applying ACSSA methods in internal security programs
  • Asset owners preparing for ACSSA evaluations

View Offerings by Format

Classroom (IC49)

Length: 3 days 
CEU Credits: 2.1

View IC49 Classroom Offerings

Virtual Classroom (IC49V)

Length: 3 days
CEU Credits: 2.1

Virtual Classroom Offering (IC49V)

Visit our course formats page for a detailed description of each format.

Learning Objectives

Section 1: Overview of Automation and Control System Security Assurance (ACSSA)
  • Describe the ACSSA program
  • List the benefits of the ACSSA program
  • List the standards addressed by ACSSA
  • State the objectives of an ACSSA evaluation
  • Explain why an asset owner might elect ACSSA inspection vs. certification
  • Identify the ACSSA specifications and their purpose
  • Describe the roles of the ACSSA participants
Section 2: IACS Eligibility for ACSSA
  • Identify the criteria to determine the eligibility of an asset owner’s IACS
  • Define the IACS to be evaluated
Section 3: ACSSA Evaluation Process
  • Describe the activities involved in an ACSSA evaluation 
Section 4: Create the ACSSA Evaluation Plan
  • Identify asset owner information 
  • Describe the contents of an evaluation plan 
  • Describe the process for creating an approved plan 
  • Exercise 1
    • Practice the creation of an evaluation plan
Section 5: Evaluate the IACS Risk Assessment Process and Results
  • Define the risk assessment evaluation
  • Employ methods to evaluate asset owner conformity to security risk assessment requirements
  • Exercise 2
    • Practice the inspection of risk assessment policies, procedures and artifacts
Section 6: Evaluate the IACS Security Program
  • Define the asset owner maturity level 2 evaluation 
  • Employ methods to evaluate conformity of asset owner policies and procedures as documented to ISA/IEC 62443-2-1 requirements 
Section 7: Evaluate Service Providers' Policies and Processes
  • Define the scope of service provider evaluation 
  • Employ methods to evaluate conformity of service provider policies and procedures as documented to ISA/IEC 62443-2-4 requirements 
  • Explain the criteria for passing the ACSSA evaluation at maturity level 2 for an ISA/IEC 62443-2-1 or ISA/IEC 62443-2-4 requirement
  • Exercise 3
    • Practice the inspection of policies and procedures for conformity to standards
Section 8: Evaluate IACS Security Program Execution
  • Define the asset owner maturity level 3 evaluation
  • Define sampling plan
  • Employ the methods to evaluate asset owner policy and procedure artifacts
Section 9: Evaluate IACS Technical Configuration
  • Employ methods to evaluate the usage of required system technical capabilities
  • Examine the configuration of technical capabilities
Section 10: Evaluate Service Provider Security Program Execution
  • Employ methods to evaluate service provider policy and procedure artifacts
  • Exercise 4
    • Practice the inspection of policies and procedures for conformity to standards
Section 11: Gather Evaluation Results
  • Describe how individual evaluation results create an overall evaluation status 
Section 12: Create Evaluation Report
  • Describe the differences between inspection and certification reports
  • Describe the contents of the evaluation report
  • Describe what information is reported about non-conformities to the asset owner
  • Enumerate the criteria for nondisclosure of documentation related to the evaluation
  • Exercise 5
    • Practice the creation of an evaluation report for the asset owner
Section 13: ACSSA Certificate
  • Describe the content of an ACSSA certificate 
  • Describe the lifecycle of an ACSSA certificate
Section 14: ACSSA Surveillance
  • Describe surveillance
  • Practice planning of surveillance activities
  • Practice execution of surveillance activities
  • Practice updating the certification status based on surveillance results 
Section 15: ACSSA Recertification
  • Describe the activities performed for recertification
  • Compare recertification to initial certification and surveillance
  • Explain the requirements to make a decision about recertification

Recommended Resources

  • It is recommended that students become familiar with the ISASecure ACSSA specifications prior to class. 
  • If you have access to the ACSSA specification, it is recommended that you bring it to class. If you do not possess a copy, the specific parts needed to complete the exercises will be provided.


Not sure this course is

right for you?


Complete a knowledge check designed to evaluate your level of understanding of the course material and show you the types of questions you’ll be able to answer after completing the course.

Take the IC49 Knowledge Check

Custom Training Solutions

If your company is interested in bringing training on site to your team, please contact trainingsales@isa.org or call +1 919-549-8411.

ISA Member Discount

To get the member price on today’s purchase, log in as a member or complete the join process before you complete your purchase. To join and/or register by phone, call Customer Experience at +1 919-549-8411.