
Choosing your OT GRC framework: IEC 62443, NIST CSF, CIRMP and ISO 27019 in an Australian context

May 20, 2026

Part one of this series argued that no GRC framework lands cleanly without a functional hierarchy underneath it. ISA-95 gives you that hierarchy. The next decision is which framework to lead with, because in an Australian OT programme you’re almost certainly going to be evidencing against more than one at the same time.

This post works through the four that matter for an Australian operator:

  • IEC 62443: the international standard family for IACS security.
  • NIST CSF 2.0 paired with NIST SP 800-82 Rev. 3: the function-based framework most US operators run on, with the OT-specific overlay.
  • CIRMP: the Critical Infrastructure Risk Management Program that responsible entities for critical infrastructure assets must establish under Part 2A of the SOCI Act. It is administered by the Department of Home Affairs, not ASD; ASD's Essential Eight is one of the frameworks CIRMP lets you nominate.
  • ISO 27019: the OT-specific extension to ISO 27002, sitting under an ISO 27001 ISMS.

None of them are competing for the same job. The mistake is treating them like they are.

IEC 62443: the architectural framework

IEC 62443 (formerly ISA-99) is the framework you can actually build an industrial automation and control system against. It’s the only one of the four that defines:

  • A zone-and-conduit model that maps onto Purdue.
  • Security Levels (SL 1 to SL 4, expressed as target, capability and achieved levels) with the system requirements of 62443-3-3 scaled per level and applied per zone.
  • Lifecycle and component requirements for the supply chain: secure product development for suppliers (62443-4-1), technical requirements for components (62443-4-2), and requirements for integrators and service providers (62443-2-4).
  • A risk assessment and design lifecycle (62443-3-2) that produces auditable artefacts.

Lead with IEC 62443 when:

  • You are designing or re-architecting the OT environment, not just running an assurance pass over it.
  • Your vendors and integrators are already certified or working toward it (Check Point, Cisco, Siemens, Rockwell, Schneider all publish 62443 conformance statements).
  • You need defensible security level targets per zone, for example for a regulator or an insurer asking “how secure is your control network?”.

Where it earns its place: as the architectural backbone. CIRMP, NIST CSF and ISO 27019 all map onto it cleanly because it’s the only one with native concepts for zones, conduits and component capability levels.

Where it falls short: it doesn’t speak the language of risk registers, executive reporting or compliance attestation. You won’t satisfy a board paper with 62443 outputs alone.

NIST CSF 2.0 + NIST SP 800-82 Rev. 3: the function-based framework

NIST CSF 2.0 organises cybersecurity outcomes into six Functions: Govern, Identify, Protect, Detect, Respond, Recover. It does not prescribe controls; NIST SP 800-82 Rev. 3 is the OT-specific guide that tells you how those outcomes land in an ICS environment.

Lead with NIST CSF when:

  • You report into a board or executive that wants outcome-based reporting, not zone diagrams.
  • You operate across IT and OT and need a single framework that covers both without forcing OT into IT-shaped controls.
  • Your enterprise security programme already runs on CSF, so extending it into OT with SP 800-82 is a much shorter path than introducing a parallel standard.

Where it earns its place: as the reporting and maturity layer. CSF function-and-category outcomes are what executive sponsors actually read. The current-profile / target-profile / action-plan structure is the cleanest way to communicate a multi-year OT programme to people who do not want to read 62443.

Where it falls short: it’s deliberately technology- and control-agnostic. SP 800-82 helps, but without 62443 underneath you’ll keep re-arguing “what does PR.AA (Identity Management, Authentication and Access Control) actually require for a Level 2 HMI” every time a new site or vendor comes along.

CIRMP: the Australian regulatory floor

For responsible entities under SOCI Act Part 2A, CIRMP is not optional. The 2023 Rules require a written, board-approved risk management program covering four hazard categories: cyber and information security, personnel, supply chain, and physical and natural. A board-approved annual report must go to the relevant Commonwealth regulator (the Department of Home Affairs for most sectors) within 90 days of the end of each financial year.

For the cyber-and-information-security hazard category, the Rules let you nominate the framework you manage against. The named options are Essential Eight Maturity Level One, AS ISO/IEC 27001, NIST CSF (the Rules cite the 2018 v1.1 edition), the DOE C2M2 at MIL-2, the AESCSF at SP-1, or “an equivalent framework or standard”. IEC 62443 is not on the named list, which catches operators out: you can still use it, but you have to document the equivalence argument in the program rather than simply cite the standard.

Lead with CIRMP when:

  • You are a responsible entity for a critical infrastructure asset and you have no choice in the matter.
  • The board needs evidence the programme is being run, not designed.

Where it earns its place: as the regulatory compliance wrapper. The hazard categories, the annual attestation, the board-signoff requirements: none of those drop out of IEC 62443 or NIST CSF without translation.

Where it falls short: it tells you what to evidence, not how to build. Treat CIRMP as the reporting envelope, not the architectural blueprint.

ISO 27019: the OT extension to an ISO 27001 ISMS

ISO 27019 extends ISO 27002 with OT-specific guidance, scoped to energy utility process control. If you are not an energy utility its guidance still transfers, but its scope statement does not, and an auditor may ask you to justify why it applies. It is the right answer in one specific shape of organisation: you already run a certified ISO 27001 Information Security Management System on the enterprise side, you want OT covered by the same ISMS, and the executive sponsor is already comfortable with the ISO governance model.

Lead with ISO 27019 when:

  • ISO 27001 certification is a contractual or market requirement (common in energy, utilities, regulated infrastructure with European or APAC corporate parents).
  • You want OT inside the existing ISMS scope rather than running a parallel programme.
  • Your auditor is already credentialed to ISO 27001 / ISO 27019, so internal capability and audit cost matter.

Where it earns its place: as the ISMS-aligned management system layer for OT. The ISO process map and risk treatment plan are tightly defined and well understood.

Where it falls short: outside an ISO 27001-certified organisation it is a heavy lift for limited additional value. Most Australian operators we work with are not in this shape today.

How to pick the lead framework

Three questions in order:

1. Are you a SOCI responsible entity? If yes, CIRMP compliance is non-negotiable. CIRMP becomes the regulatory envelope. The “which framework leads” question is then about what sits inside it.

2. Are you designing or operating? If the work in front of you is re-architecture, segmentation, vendor selection or security level targets, IEC 62443 leads the technical layer. If the work is assurance, maturity, board reporting or the incident lifecycle, NIST CSF leads the management layer.

3. Is ISO 27001 already in scope? If yes, ISO 27019 is the natural OT extension and you avoid running two parallel management systems.

The strongest position for most Australian OT operators is a stacked one:

  • IEC 62443 underneath as the architecture and control catalogue.
  • NIST CSF on top as the reporting and maturity language.
  • CIRMP as the regulatory wrapper that consumes both.
  • ISO 27019 only when an ISO 27001 ISMS is already certified and OT scope is being added.

ISA-95 is what makes the stack work. Once each system has a functional level, every control in 62443, every category outcome in CSF, every hazard mitigation in CIRMP, and every ISO 27001 Annex A control (with its 27019 extension) maps to the same architectural artefact: a zone, a conduit, or a component in a zone. The evidence packs derive from the model, not from four independent audits.
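The zone-and-conduit model and per-zone SL targets described under IEC 62443 above, and the claim that one model feeds every framework's evidence, can be shown concretely. The script below is an added example for this post, not code from the original page or from any standards body. It builds a small constructed asset inventory with ISA-95 levels, derives zones from it, checks one assumed design rule (Levels 0 to 3 may only reach Level 4 through a Level 3.5 Industrial DMZ zone, a common Purdue/62443 convention rather than a quoted clause), and then emits one evidence row per conduit for each of the four frameworks from a single crosswalk. The crosswalk pairs a single control theme, network segmentation, with identifiers that exist in each framework (62443-3-3 SR 5.1, CSF 2.0 PR.IR-01, the CIRMP cyber hazard vector, ISO 27001:2022 A.8.22); the pairing itself is an illustrative assumption for you to validate against your own mapping.

```python
"""One architecture model, four evidence views.

Added example for this post; not code from the original page or from any
standards body. The asset list, SL targets and the control crosswalk are
constructed illustrations. The conduit rule (Levels 0-3 may only reach Level 4
through a Level 3.5 Industrial DMZ zone) is a common Purdue/62443 design
convention encoded here as an assumption, not a clause quoted from IEC 62443.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    isa95_level: float  # ISA-95 level 0-4; 3.5 is used for the Industrial DMZ
    zone: str


@dataclass(frozen=True)
class Zone:
    name: str
    target_sl: int  # IEC 62443 SL-T for the zone, 1..4


# Constructed sample model: one site, four zones, five assets, three conduits.
ASSETS = [
    Asset("PLC-01", 1, "Z-Cell-A"),
    Asset("HMI-01", 2, "Z-Cell-A"),
    Asset("HIST-01", 3, "Z-Site-Ops"),
    Asset("PATCH-RELAY-01", 3.5, "Z-IDMZ"),
    Asset("ERP-APP-01", 4, "Z-Enterprise"),
]
ZONES = {z.name: z for z in (
    Zone("Z-Cell-A", 3), Zone("Z-Site-Ops", 2), Zone("Z-IDMZ", 2), Zone("Z-Enterprise", 1),
)}
CONDUITS = [("Z-Cell-A", "Z-Site-Ops"), ("Z-Site-Ops", "Z-IDMZ"), ("Z-IDMZ", "Z-Enterprise")]

# Illustrative crosswalk for one control theme (network segmentation). The
# identifiers exist in each framework; the pairing is an assumption for you to
# validate against your own mapping, not a published crosswalk.
SEGMENTATION_CROSSWALK = {
    "IEC 62443-3-3": "SR 5.1 Network segmentation",
    "NIST CSF 2.0": "PR.IR-01 Networks and environments are protected from unauthorized logical access",
    "CIRMP": "Cyber and information security hazards: OT/IT segmentation mitigation",
    "ISO 27001:2022 Annex A": "A.8.22 Segregation of networks",
}

IDMZ_LEVEL = 3.5


def zone_levels(assets):
    """ISA-95 levels present in each zone, derived from the asset inventory."""
    levels = {}
    for a in assets:
        levels.setdefault(a.zone, set()).add(a.isa95_level)
    return levels


def check_model(assets, zones, conduits):
    """Return design-rule findings; an empty list means the model is consistent."""
    findings = []
    levels = zone_levels(assets)
    for name in zones:
        if name not in levels:
            findings.append(f"{name}: zone has no assets, so no ISA-95 level can be derived")
    for name, lv in levels.items():
        if name not in zones:
            findings.append(f"{name}: zone has assets but no SL target")
        if min(lv) < IDMZ_LEVEL <= max(lv):
            findings.append(f"{name}: zone straddles the IDMZ boundary {sorted(lv)}")
    for a, b in conduits:
        if a not in levels or b not in levels:
            findings.append(f"conduit {a}<->{b}: references a zone with no assets")
            continue
        lo = min(min(levels[a]), min(levels[b]))
        hi = max(max(levels[a]), max(levels[b]))
        # Assumed rule: Levels 0-3 reach Level 4 only via the 3.5 IDMZ zone.
        if lo < IDMZ_LEVEL and hi >= 4:
            findings.append(f"conduit {a}<->{b}: Level {lo} reaches Level {hi} bypassing the IDMZ")
    return findings


def evidence_pack(zones, conduits, crosswalk=SEGMENTATION_CROSSWALK):
    """Emit one evidence row per conduit per framework, all citing the same artefact."""
    rows = []
    for a, b in conduits:
        artefact = f"conduit {a}<->{b} (SL-T {zones[a].target_sl}/{zones[b].target_sl})"
        for framework, control in crosswalk.items():
            rows.append({"framework": framework, "control": control, "artefact": artefact})
    return rows


if __name__ == "__main__":
    print("findings:", check_model(ASSETS, ZONES, CONDUITS) or "none")
    rogue = CONDUITS + [("Z-Cell-A", "Z-Enterprise")]  # a direct cell-to-enterprise link
    for f in check_model(ASSETS, ZONES, rogue):
        print("finding:", f)
    for row in evidence_pack(ZONES, CONDUITS):
        print(f"{row['framework']:<24} {row['control']:<70} <- {row['artefact']}")
```

The point is the shape, not the rule set: the ISA-95 level on each asset is the only thing typed in by hand, zones and conduits are derived from it, and every framework's evidence row cites the same conduit artefact. Adding the rogue cell-to-enterprise conduit produces one finding, and that finding would surface identically whichever framework you report it under.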

Where this is going next

Part three will work through the design layer in detail: how to take a functional hierarchy and the chosen GRC stack, and produce a defensible OT reference architecture (zones, conduits, identity boundary, Industrial DMZ design, control placement per Purdue level) that an Australian operator can actually deploy and an Australian regulator will accept.

Talk to our OT consulting team

If you’re choosing the lead framework for an OT programme, or trying to reconcile three you’ve inherited, talk to our consulting team. We work across pre-CIRMP scoping, framework selection, and full architecture delivery. The starting point is always the same: ISA-95, then the framework choice, then the design.

