ISA/IEC 62443-2-1 explicitly requires that the IACS Security Program (SP) be integrated into the organization’s overall management structure.
Step 1: Integration principle
The standard states that IACS security must align with business processes, governance, and enterprise security management rather than operate in isolation.
Step 2: Alignment with ISMS
Where an Information Security Management System (ISMS) exists, the IACS SP should be embedded within it to ensure consistent risk management, policy enforcement, and continuous improvement.
Step 3: Why other options are incorrect
Standalone security programs create silos. Full outsourcing violates asset owner accountability. Purely technical approaches ignore human and process factors.
Step 4: Operational outcome
Embedding the SP ensures sustainability, consistency, and executive oversight.
Therefore, the correct answer is: by embedding it into organizational processes and the ISMS.