
ISA/IEC 62443 is the global standard for securing Industrial Automation and Control Systems (IACS) and Operational Technology (OT) environments. It was developed jointly by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). It applies to manufacturers, system integrators, and component suppliers. For companies inside First Philippine Industrial Park (FPIP), getting certified under this standard is increasingly a supply chain requirement rather than an optional compliance exercise. Global Quality Services provides ISA/IEC 62443 certification consultancy for FPIP locators from gap analysis through to certification audit and post-certification support.
What Is First Philippine Industrial Park
FPIP is a joint venture between First Philippine Holdings (FPH) and Sumitomo Corporation. It was established in 1996 and is registered with PEZA as a special economic zone. The park spans more than 500 hectares across Tanauan and Santo Tomas in Batangas, about 52 kilometers south of Manila. It currently hosts more than 150 world-class locators and supports over 70,000 jobs. Key locators include Brother Industries, Canon, Collins Aerospace, Dyson, Murata, Nestlé, and TE Connectivity.
The locator base is concentrated in:
- Electronics and precision components manufacturing
- Aerospace parts and equipment
- Automotive and industrial parts
- Medical devices and healthcare products
- Consumer goods and office equipment
- Industrial gases, packaging, and supply chain services
Most of these sectors rely on networked production systems, PLCs, SCADA infrastructure, and automated assembly equipment. All of these fall within the scope of ISA/IEC 62443.
Why ISA/IEC 62443 Matters for FPIP Locators
FPIP’s locator base is strongly Japanese-affiliated. More than 37 of its original locators came from Japan. Japanese parent companies and buyers are among the most active in requiring OT security compliance from their Philippine manufacturing partners.
The same applies across FPIP’s aerospace, electronics, and automotive sectors. Buyers in these industries audit supplier OT environments as part of qualification. A factory floor with unsecured PLCs, unmanaged remote access, or no documented incident response process is a liability for procurement teams in Tokyo, Stuttgart, or Chicago.
Beyond buyer pressure, the Philippine government is also moving in this direction:
- The Department of Information and Communications Technology (DICT) has published the National Cybersecurity Plan 2023-2028, which covers industrial and critical systems security
- The Cybercrime Investigation and Coordinating Center (CICC) enforces Republic Act 10175, which applies to all organizations operating networked systems in the Philippines
- The National Privacy Commission (NPC) enforces the Data Privacy Act of 2012 for FPIP locators that process employee or customer data alongside OT systems
ISA/IEC 62443 certification addresses all of these within a single structured framework.
What the Standard Covers
The ISA/IEC 62443 series is organized into four main parts:
- Part 1 (General): Core concepts, terminology, and the Zones and Conduits model. This is the foundation of the entire series.
- Part 2 (Policies and Procedures): Requirements for asset owners. Covers governance, patch management, supplier security, and IACS cybersecurity management programs.
- Part 3 (System): Requirements for system integrators. Covers security risk assessment, security level assignment, and secure system design.
- Part 4 (Component): Requirements for component manufacturers. Covers technical security requirements for devices, network equipment, and software, as well as secure development lifecycle requirements.
The Zones and Conduits model sits at the center of the standard. It requires partitioning the IACS environment into security zones based on risk. It then requires defining the communication channels, called conduits, between those zones. Each zone is assigned a Security Level based on the degree of protection needed.
Certification Programs Available
Formal certification is available through the ISASecure program, managed by the ISA Security Compliance Institute. The available schemes are:
- Component Security Assurance (CSA): For individual IACS components such as PLCs, embedded devices, host devices, and network devices. Certifies against ISA/IEC 62443-4-2 and 62443-4-1.
- IIoT Component Security Assurance (ICSA): An enhanced version of CSA for components with direct internet connectivity. Includes two tiers of security assurance.
- System Security Assurance (SSA): For integrated control systems such as full SCADA or DCS platforms. Certifies against ISA/IEC 62443-3-3.
- Security Development Lifecycle Assurance (SDLA): For product suppliers. Certifies that a company’s product development process meets ISA/IEC 62443-4-1 at maturity level 3 or 4.
FPIP manufacturers operating as asset owners focus on implementing a cybersecurity management program under Part 2-1 and achieving verified Security Levels across their production zones.
Key Requirements for Certification
These requirements apply regardless of whether the organization is an asset owner, system integrator, or component supplier:
- Risk Assessment: Identify threats, vulnerabilities, and operational consequences across all zones and conduits. This must follow a structured methodology aligned to ISA/IEC 62443-3-2.
- Security Level Definition: Set Target Security Levels for each zone. Then verify that Achieved Security Levels meet those targets.
- Zones and Conduits Design: Partition the IACS environment into security zones. Document all inter-zone communication with appropriate protective controls.
- IACS Cybersecurity Management Program: Establish documented governance, policies, and clear responsibility assignments for sustaining OT security. Align to ISA/IEC 62443-2-1.
- Patch Management: Build a repeatable process for identifying, testing, and applying security patches. This must protect production availability and system safety.
- Supply Chain Security: Assess cybersecurity requirements for all third-party suppliers, service providers, and system integrators operating within or connecting to the IACS environment.
- Incident Response: Maintain documented detection, response, and recovery procedures. These must account for OT environment priorities, which differ significantly from IT incident response.
- Lifecycle Management: Address cybersecurity across the full IACS lifecycle from design and procurement through to decommissioning.
Steps to Achieve Certification at FPIP

- Step 1 — Scoping and Asset Inventory: Define the certification boundary. Identify all IACS assets and communication paths. Establish a clear separation between IT and OT environments inside your FPIP facility.
- Step 2 — Gap Analysis: Compare your existing OT security controls against the applicable ISA/IEC 62443 requirements. Produce a prioritized remediation plan aligned to your certification pathway.
- Step 3 — Zone and Conduit Mapping: Document all security zones. Assign Security Level targets based on risk assessment findings. Design conduit controls between zones.
- Step 4 — Formal Risk Assessment: Conduct a structured risk assessment aligned to ISA/IEC 62443-3-2. Cover threat identification, vulnerability analysis, consequence evaluation, and risk prioritization specific to your FPIP production environment.
- Step 5 — Program Implementation: Develop and deploy the required policies, technical controls, training, and organizational measures. The goal is achieving the defined Security Levels across all zones.
- Step 6 — Internal Audit: Conduct a full internal audit against the applicable ISA/IEC 62443 parts. Identify remaining gaps. Close all non-conformances before engaging a certification body.
- Step 7 — Certification Assessment: Engage an accredited ISASecure certification body and complete the formal evaluation.
- Step 8 — Post-Certification Maintenance: Sustain certification through monitoring, patch management, periodic reassessments, and program updates as systems and threats evolve.
Industries at FPIP That Benefit Most
These are the industries that benefit the most from ISA/IEC 62443:
Electronics and Precision Components
FPIP hosts manufacturers of connectors, printed circuit boards, motors, and electronic assemblies for global OEM buyers. These buyers routinely require OT security compliance from production facilities. TE Connectivity and Murata are examples of global electronics manufacturers whose supply chain requirements set the standard for the whole zone.
Aerospace Parts and Equipment
Collins Aerospace and similar suppliers operate precision manufacturing environments with networked CNC systems and quality control automation. These are IACS environments. OT security failures in aerospace manufacturing carry safety and contractual consequences.
Automotive and Industrial Parts
FPIP hosts Honda-affiliated logistics and parts operations along with other automotive suppliers. Japanese automotive buyers are among the most stringent in requiring supplier OT security documentation.
Medical Devices and Healthcare Products
JMS Healthcare and Tokai Medical Products are among FPIP’s medical device manufacturers. The Food and Drug Administration Philippines (FDA) regulates medical device manufacturing. Secure production systems support both FDA compliance and buyer qualification requirements.
Consumer Goods and Office Equipment
Brother and Canon manufacture complex electromechanical products at FPIP using heavily automated production lines. Parent company OT security requirements flow directly down to FPIP operations.
Industrial Machinery and Components
Manufacturers of motors, geared drives, overhead cranes, and cutting tools operate CNC and PLC-driven production environments that fall directly within ISA/IEC 62443 scope.
Philippine Regulatory Context
FPIP locators should be tracking the following regulatory frameworks:
- Republic Act 10175 (Cybercrime Prevention Act of 2012): Establishes the legal framework for cybercrime offenses. Enforced by DICT and the CICC. Applies to all organizations with networked systems in the Philippines.
- National Cybersecurity Plan 2023-2028: DICT’s national roadmap covering industrial and critical systems security across Philippine organizations.
- Data Privacy Act of 2012: Enforced by the NPC. Applies to any FPIP locator processing personal data of employees, customers, or international counterparts alongside OT systems.
- PEZA Rules and Regulations: PEZA-registered FPIP locators are expected to maintain internationally recognized certifications as part of their operating and buyer compliance obligations.
- Department of Environment and Natural Resources (DENR): For FPIP manufacturers handling chemical inputs or industrial materials, DENR oversight under Republic Act 6969 applies. Robust IACS security is part of responsible operations in these categories.
Why Global Quality Services
Global Quality Services has supported certification projects across Philippine manufacturing zones for 26 years. Our consultants work directly inside your facility. We do not apply generic IT security checklists to OT environments.
We understand that production availability is non-negotiable. Our approach accounts for that from the first scoping session.
With GQS, FPIP locators receive:
- Scoping and asset inventory that correctly defines IACS boundaries inside your production facility
- Gap analysis mapped to your specific certification pathway, whether asset owner program alignment, SSA, CSA, or ICSA
- Zones and conduit documentation and Security Level assignment aligned to ISA/IEC 62443-3-2 and 3-3, using your actual plant topology
- Formal risk assessment specific to your FPIP production environment
- Policy, procedure, and technical control development aligned to the applicable standard parts
- Internal audit facilitation conducted against ISA/IEC 62443, not generic IT checklists
- Certification audit coordination with your chosen ISASecure-accredited certification body
- Post-certification maintenance covering patch management review, periodic reassessments, and program updates
- Scope extension to ISO 27001, ISO 22301, or VAPT for FPIP locators consolidating OT and IT security compliance under one engagement
If your company operates at First Philippine Industrial Park and manages IACS or OT systems as part of your manufacturing or engineering operations, contact Global Quality Services to start your ISA/IEC 62443 certification engagement.
Frequently Asked Questions
What is ISA/IEC 62443 and who does it apply to at FPIP?
ISA/IEC 62443 is the international standard for securing IACS and OT environments. It applies to three groups: asset owners who operate IACS systems, system integrators who build and maintain control solutions, and component suppliers who manufacture IACS products. At FPIP, it is relevant to electronics manufacturers, aerospace and automotive parts suppliers, medical device producers, and any locator that runs automated production systems connected to a network.
Is ISA/IEC 62443 certification mandatory for PEZA-registered companies?
No current Philippine law mandates it for all PEZA locators. However, buyer-driven requirements from Japanese, European, and North American OEM clients are making it a practical requirement for many FPIP manufacturers. Companies that wait for a regulatory mandate usually discover the requirement first in a supplier questionnaire from a buyer who has already moved on.
How long does certification take for an FPIP facility?
It depends on the complexity of the IACS environment, the number of zones in scope, and the maturity of existing OT security controls. Most FPIP manufacturers with documented production systems complete the process from gap analysis to certification within six to twelve months. Facilities with limited OT security documentation, or those pursuing SSA or SDLA certification, should plan for a longer engagement. GQS provides a detailed timeline assessment during initial scoping.
What is the difference between CSA, SSA, and SDLA?
CSA certifies individual IACS components against ISA/IEC 62443-4-2 and 4-1. SSA certifies an integrated control system such as a SCADA or DCS against ISA/IEC 62443-3-3. SDLA certifies a product supplier’s development process against ISA/IEC 62443-4-1. FPIP manufacturers operating as asset owners typically focus on program alignment under Part 2-1 and zone-level security assurance. Component suppliers and OEMs pursue CSA or SDLA for their products.
Can GQS handle ISA/IEC 62443 alongside ISO 27001 or other certifications an FPIP locator already holds?
Yes. ISO 27001 addresses IT information security. ISA/IEC 62443 is built for OT and IACS environments where safety and availability come first. The two standards are complementary. GQS can coordinate a combined implementation covering both within a single engagement. For FPIP locators also holding ISO 9001 or ISO 14001, the same integrated planning and audit scheduling approach applies.