Guided to your IEC 62443 certification
A certification rarely fails on your technology, but on evidence that does not hold up under assessment. Going into an IEC 62443 audit unprepared risks rework, delay and a postponed market entry. And the same evidence later carries your CE conformity assessment under the CRA.
An audit does not assess your intent, it assesses your evidence. Without a solid basis, that only shows in the assessment itself, when corrections are expensive and dates are tight.
Failed audit
A failed assessment means rework, a second attempt and months of delay before the certificate is in hand.
Delayed market entry
Every postponed certification pushes back launch, revenue and committed delivery dates.
Locked out of critical markets
In OT and critical-infrastructure markets, IEC 62443 is increasingly an entry requirement. Without a certificate, you drop off the shortlist.
Wasted budget
Months of preparation are lost if the evidence does not meet the requirements of the standard.
These are what stall certification projects. The more of them apply to you, the more important an honest assessment of where you stand before the audit.
Unclear evidence requirements
What the standard actually requires as evidence is often a matter of interpretation. Without a clear reading, you produce documentation that does not hold up in the audit.
IEC 62443-4-1 or 4-2?
Which part of IEC 62443 applies to your product and your organisation drives scope and effort, and is rarely obvious at first.
No established SDLC
IEC 62443-4-1 requires a lived secure development lifecycle. Building one retroactively under audit pressure ties up a lot of capacity.
Gaps in the evidence chain
Requirement, implementation and test evidence have to line up without gaps. Breaks in that chain show up immediately in the assessment.
Aligning with the certification body
Synchronising scope, expectations and timelines with the test or certification body costs a lot of time without prior experience.
Time pressure before the audit
Dates with the certification body are fixed. Whatever is not solidly demonstrated by then pushes the certificate back.
From readiness check to a passed audit
A certification is plannable once you translate the requirements of the standard into concrete evidence, and know what assessors look for.
That is what we bring from successful certification projects, including an IEC 62443-4-1 certification for an international pump manufacturer. We take you through the process in a structured way, from the readiness assessment to a successful audit. The same evidence base is what your CE conformity assessment under the CRA builds on.
IEC 62443 expertise from audit practice
Our experience also comes from working in and with testing organisations. We know 4-1 and 4-2 from both sides and translate the requirements into evidence that holds up under assessment.
An honest readiness assessment
We tell you openly how far you are from the certificate, instead of letting you walk into an audit that is bound to fail.
Close to test and certification bodies
We have experience working with accredited bodies (e.g. TÜV) and know what they expect from the evidence.
Capability, not dependency
We anchor the necessary SDLC and evidence routine so that follow-up products stay certifiable too.
Four steps to the certificate
A certification cannot be forced, but it can be planned. Our approach takes you from an honest assessment of where you stand to a passed audit.
Readiness check
We assess your standing against IEC 62443-4-1 and/or -4-2 and define a realistic certification scope.
Gap analysis & plan
We surface the gaps between your current state and the standard's requirements and prioritise the measures through to the audit.
Build the evidence
We support delivery in day-to-day engineering: the secure development lifecycle, technical measures and the matching evidence documentation.
Audit support
We prepare the assessment, align with the certification body and accompany you through the audit to the certificate.
In the end you do not just hold audit-ready documentation. You hold a passed audit and an organisation that stays certifiable for the products that follow.
Clear scope & plan
The basis of any certification: knowing what gets assessed and what to do before then.
- Readiness assessment against IEC 62443-4-1 / -4-2
- Definition of scope and security level
- Prioritised action plan with an effort estimate
Audit-ready evidence
The documentation that holds up in the assessment, with no breaks between requirement, implementation and test.
- Complete evidence documentation
- An established, documented SDLC (for 4-1)
- A gap-free chain of requirement, implementation and test
Passed audit & certificate
The actual goal: the certificate in hand and an organisation that can keep it.
- A successfully passed IEC 62443 assessment
- An issued certificate (4-1 and/or 4-2)
- A certifiable organisation for follow-up products
- A solid basis for CE conformity assessments
This service is for manufacturers for whom an IEC 62443 certification or CE conformity assessment decides market access.
Component & device makers
Manufacturers that need an IEC 62443-4-2 certification for their products and components.
Organisations with their own development process
Manufacturers that want to certify their secure development lifecycle to IEC 62443-4-1.
Suppliers to critical markets
Manufacturers whose customers in OT, automation or critical-infrastructure contexts require certificates as a precondition.
We faced the challenge of bringing our entire mobile robot portfolio into EN 18031 compliance under significant time pressure. Secuvise did not just provide advice, but actively supported us hands-on, from structured information gathering and gap analysis through to executing conformity testing. Without this pragmatic support, we would not have met our deadline.
Secuvise has always supported us closely and reliably in developing our security concepts. The collaboration has been consistently constructive and collegial, exceeding our expectations. I look forward to continued partnership across all areas of cybersecurity.
What is the difference between IEC 62443-4-1 and -4-2?
IEC 62443-4-1 certifies your organisation's secure development process (secure development lifecycle). IEC 62443-4-2 certifies the technical security properties of a specific component or product. Many manufacturers need both, because a secure product is hard to demonstrate without a secure process behind it.
Do we need 4-1, 4-2 or both?
That depends on your product, target market and customer requirements. In the readiness check we establish the right scope and tell you which certification actually secures your market access, before effort goes into the wrong scope.
How long does a certification take?
The pace depends on your maturity, especially on how far your secure development lifecycle is already established. After the readiness check you get a realistic roadmap with an effort estimate. The earlier you start, the more room you keep before the audit date.
Does Secuvise issue the certificate?
No. The certificate is issued by an accredited certification body (e.g. TÜV). We work as an independent advisor: we prepare you, build the evidence, coordinate with the body and accompany the audit. That separation is deliberate and strengthens the credibility of the result.
Are IEC 62443 and the CRA connected?
Yes. An IEC 62443-4-1 development process and 4-2 evidence feed directly into the requirements of the Cyber Resilience Act and provide core evidence for the CE conformity assessment. If the regulatory framework is your main concern, see CRA & Product Regulation.
Did not find the answer you need?
Talk to us. We are happy to clarify your question directly and place it in the context of your specific product and certification situation.
Book a callReady for certification?
Want to know whether you are ready for an IEC 62443 audit and which scope makes sense for you? In a short initial call we place where you stand, name the biggest gaps before the audit and outline the next steps. Factual, structured and without sales pressure.
Book a free initial call
Fill in the form. We will get back to you shortly to arrange a short initial call.