ISA/IEC 62443-3-2 intentionally avoids mandating a single risk assessment methodology. Instead, it defines requirements for the outcome and consistency of the risk assessment process.
Step 1: Methodology flexibility
The standard allows asset owners to use qualitative, quantitative, or hybrid methods based on system complexity, organizational maturity, and available data.
Step 2: Consistency requirement
What ISA/IEC 62443 does require is that the methodology be documented, repeatable, and consistent, particularly in how risks are ranked and compared.
Step 3: Security Level determination
Consistent risk ranking is essential for determining Target Security Levels (SL-T) and for justifying security decisions during audits.
Step 4: Why other options are incorrect
Avoiding standards altogether undermines rigor. Relying only on qualitative methods may be insufficient. Mixing methodologies can introduce inconsistency in how risks are ranked and invalidate comparisons between them.
Therefore, the approach that best aligns with ISA/IEC 62443 is to follow any documented methodology that uses a consistent risk ranking scale.