This document is intended for asset owners and product suppliers who wish to improve the security maturity of their organization. The Industry IoT Consortium (IIC) IoT Security Maturity Model (SMM) set of documents consisting of the Practitioners Guide, profile documents and mapping guidance, provides a detailed model and approach for achieving a good fit of security governance, technology and operations maturity to meet business needs. It can be used in conjunction with other detailed guidance, such as the IIC Industrial Internet Reference Architecture , the IIC Industrial Internet of Things Connectivity Framework , IIC Industrial Internet of Things Security Framework , and the IIC Industrial Internet of Things Trustworthiness Framework Foundations document as well as the ISA/IEC 62443 documentation set.
Developed by the International Society of Automation (ISA) and its ISA99 committee, the 62443 document suite is a well-respected, understood and adopted set of guidance that is used in a variety of industries, including manufacturing, utilities such as electricity, water and gas, transportation systems and building systems. This guidance is useful for the stakeholders the 62443 guidance is intended for, including asset owners, product suppliers and service providers, as summarized later in this document.
For asset owners, the scope of the SMM is the organization responsible for the operational technology (OT) environment, especially industrial automation and control systems (IACS) in a variety of industries, including manufacturing, utilities such as electricity, water and gas, transportation systems and building systems. We provide a way to relate the detailed guidance in 62443-2-1, 62443-3-3, and 62443-4-2
with SMM practices and comprehensiveness levels. We provide guidance on relating 62443-2-4
with SMM, for support to be expected by service providers for integration and maintenance as well as relating 62443-4-1 with SMM for support to be expected by product suppliers, making it easier for asset owners to address gaps in their security maturity.
For product suppliers, the scope of the SMM is the organization responsible for the development of the products. We provide a way to relate the detailed guidance in 62443-3-3 and 62443-4-2.