What is the relationship and difference between IC33 and EN60?

Anonymous Vendetta asked 1 week ago

It might appear that both courses have a similar scope, that they overlap, or that one is to be considered a replacement for the other.

1 Answer
Best Answer
Maximillian G. Kon answered 6 days ago

IC33 has been created by ISA to help the industry and its participants understand the requirements for conducting cybersecurity risk assessments in compliance with the ISA/IEC-62443-3-2 standard and make the best decisions. In practice, there are several similar methods that meet the requirements.

If people do not understand the requirements, they won’t be able to make the best decisions. As with all the other courses, IC33 is agnostic. It does not endorse any method for complying with the requirements, nor does it endorse any vendor. The ISA/IEC-62443-3-2 standard tells you what to do, and it provides the participants with one practical method at the end of the class.

While it also provides a mechanism to certify that the participants have gained valuable knowledge, it does not certify experience.

On the other hand, the EN60 provides a methodology for complying with all ISA/IEC-62443-3-2 and ISA/IEC-62443-2-1 requirements, and it is complementary to the requirements of any popular regulation. It is an all-in-one methodology. We have packed hundreds and thousands of requirements into a simplified, optimal sequence of activities.

During EN60 we don’t delve into the multiple ISA/IEC-62443 requirements as the IC33 does. We don’t delve into the regulations, either. We have facilitated this interpretation by making it easier for everyone in their own language.

The EN60 complements the IC33, and it is oriented to the energy, oil and gas industries. It is not a replacement. It will truly help you understand ISA/IEC-62443-3-2 to its full extent. EN60 is for everyone, even for people with no cybersecurity background. Organizations and professionals tend to deviate from the requirements, especially when there are a lot of other initiatives claiming the same goal, driven by IT security inertia.