ISA/IEC TR 62443-1-5 provides formal guidance on the creation and structure of cybersecurity profiles within the ISA/IEC 62443 framework. A security profile is intended to tailor existing requirements to a specific industry sector, application, or use case without altering the integrity of the base standard.
Step 1: Purpose of a security profile
The technical report clarifies that profiles are selections and combinations of existing requirements, not a mechanism to invent new controls. Profiles ensure consistent application of ISA/IEC 62443 while addressing sector-specific risk, regulatory, or operational needs.
Step 2: Authorized source documents
TR 62443-1-5 explicitly states that security profiles may reference requirements from:
ISA/IEC 62443-2-1 (asset owner security program requirements)
ISA/IEC 62443-2-4 (service provider requirements)
ISA/IEC 62443-3-3 (system security requirements)
ISA/IEC 62443-4-1 (secure product development lifecycle)
ISA/IEC 62443-4-2 (technical component requirements)
These documents collectively cover organizational, system, and component security.
Step 3: Why other options are incorrect
Limiting profiles to only Parts 3-3 and 4-1 excludes governance and lifecycle requirements.
Parts 1-1 and 1-2 are foundational and definitional, not requirement sources.
Referencing standards outside the 62443 family violates the intent of maintaining internal consistency.
Step 4: Standard integrity
By restricting profiles to these documents, ISA ensures profiles remain interoperable, auditable, and certifiable.
Thus, Option C is the only correct answer.
