A focused course, tailored for you
OT Security Audit: The IEC 62443 Engagement Playbook
How IT-trained auditors scope, evidence, and report OT engagements without defaulting to the IT audit checklist.
The OT audit scope keeps shrinking at kick-off because nobody on the client side knows what to hand over. By the time the plant engineer joins the call, the IT scope is locked, the schedule is set, and the industrial control environment becomes an appendix. The findings that matter most never get written.
$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
The 12 modules
Module 1. Why IT Audit Methods Break in OT Environments
Most IT audit frameworks assume you can run vulnerability scans, review patch levels, and verify endpoint protection. OT environments reject all three assumptions. This module covers the fundamental differences: unpatched legacy systems that must stay running, proprietary industrial protocols that standard inspection tools cannot read, and safety-critical processes where a false positive from an IDS can halt a production line. You leave with a revised scope assumption checklist for OT engagements.
Module 2. OT Asset Discovery Without Disrupting Operations
Active network scanning can destroy unmanaged switches and PLCs. Passive discovery using traffic mirroring, firmware enumeration, and vendor documentation review is the safe path. This module covers the passive discovery toolkit, how to build a defensible asset inventory from incomplete client records, and how to handle the plant engineer's objection that they do not know what is on the floor. Output: an asset register template aligned to IEC 62443-2-1 asset identification requirements.
Module 3. Zone-and-Conduit Mapping Against IEC 62443-2-1
The zone-and-conduit model is the structural core of IEC 62443. This module builds the mapping methodology: how to identify security zone boundaries from network diagrams and physical walkthroughs, how to document conduits including wireless and removable media paths, and how to flag undocumented connections the client has not declared in scope. Output: a zone-and-conduit diagram with gap annotations that drives the full audit finding set for the engagement.
Module 4. Purdue Model Levels and What Gets Audited at Each
Level 0 (sensors and actuators), Level 1 (PLCs and RTUs), Level 2 (SCADA and HMI), Level 3 (site operations), Level 4 (enterprise). This module maps the Purdue Model to IEC 62443 security levels and clarifies which audit procedures apply at each layer. Applying Level 4 controls to Level 1 equipment produces findings that cannot be remediated. Includes a level-by-level audit procedure card for utilities, manufacturing, and oil-and-gas client engagements.
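The passive asset register, zone-and-conduit map and Purdue levels described in Modules 2 to 4 combine into one audit check; the following is an added example (not course material or one of its templates) that compares flow records taken from a mirror port against the conduits the client declared, and flags undeclared conduits, undocumented protocols on declared conduits, and hosts missing from the register. Every host, zone, level and protocol is a constructed value.

```python
# Asset register built from passive discovery: host -> (name, Purdue level, zone).
# Every host, zone, level and flow here is constructed for illustration.
ASSETS = {
    "10.1.0.5":  ("PLC-Line3",  1, "Z-Line3-Control"),
    "10.1.0.20": ("HMI-Line3",  2, "Z-Line3-Control"),
    "10.2.0.10": ("Historian",  3, "Z-SiteOps"),
    "10.9.0.7":  ("ERP-App",    4, "Z-Enterprise"),
    "10.9.0.50": ("VendorJump", 4, "Z-Enterprise"),
}

# Conduits the client declared in scope, keyed by the unordered zone pair,
# with the protocols each conduit is documented to carry.
DECLARED_CONDUITS = {
    frozenset({"Z-Line3-Control", "Z-SiteOps"}): {"opcua"},
    frozenset({"Z-SiteOps", "Z-Enterprise"}): {"https"},
}

# Flow records taken from a mirror (SPAN) port: (src, dst, protocol)
FLOWS = [
    ("10.1.0.20",    "10.1.0.5",  "modbus"),  # HMI to PLC inside one zone
    ("10.1.0.5",     "10.2.0.10", "opcua"),   # declared conduit and protocol
    ("10.2.0.10",    "10.9.0.7",  "https"),   # declared conduit and protocol
    ("10.9.0.50",    "10.1.0.5",  "modbus"),  # enterprise host straight to a PLC
    ("10.1.0.5",     "10.2.0.10", "ssh"),     # declared conduit, undocumented protocol
    ("192.168.77.3", "10.1.0.20", "vnc"),     # source missing from the register
]


def audit_flows(assets, declared, flows):
    """Return one finding per observed flow the declared model does not explain."""
    findings = []
    for src, dst, proto in flows:
        unknown = [h for h in (src, dst) if h not in assets]
        if unknown:
            findings.append({"kind": "unregistered-asset", "src": src, "dst": dst,
                             "protocol": proto, "detail": unknown})
            continue
        (_, src_lvl, src_zone), (_, dst_lvl, dst_zone) = assets[src], assets[dst]
        if src_zone == dst_zone:
            continue  # intra-zone traffic does not cross a conduit
        allowed = declared.get(frozenset({src_zone, dst_zone}))
        if allowed is None:
            findings.append({"kind": "undeclared-conduit", "src": src, "dst": dst,
                             "protocol": proto,
                             "detail": f"Purdue L{src_lvl} to L{dst_lvl}: {src_zone} -> {dst_zone}"})
        elif proto not in allowed:
            findings.append({"kind": "undeclared-protocol", "src": src, "dst": dst,
                             "protocol": proto, "detail": sorted(allowed)})
    return findings
```

Each finding carries the zone pair and Purdue levels so it can be written up against the zone-and-conduit diagram rather than as a bare host-to-host observation.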
Module 5. Legacy PLC and SCADA Vulnerability Assessment
The client's HMI runs an operating system that is no longer supported. The PLC firmware has not changed since commissioning. Standard vulnerability scanning is not an option. This module covers compensating control assessment methodology, how to document legacy system risk against IEC 62443-2-3 patch management requirements, and how to write a finding that acknowledges operational constraints without letting the client treat unchanged configuration as a control. Includes a legacy risk register template.
Module 6. Remote Access and IT/OT Convergence Audit Points
Remote access to OT environments, especially vendor jump servers, is the most common initial access vector in ICS incidents. This module covers the audit program for remote access controls: session logging requirements, jump server hardening against IEC 62443-3-3 use control requirements, two-factor authentication in environments where OT vendors resist it, and the documented exception process when operational necessity overrides a security control. Includes test procedures for jump server configuration review.
Module 7. Wireless and Portable Media Risk in Industrial Environments
A USB stick used to update PLC firmware is a critical audit point. Wireless connectivity added by plant engineers without IT involvement is another. This module covers audit procedures for removable media policy compliance, wireless network inventory including unauthorized access points, the authorization path required under IEC 62443-2-1, and how to test whether physical security controls around media handling are actually enforced. Includes a portable media control audit test script for fieldwork.
Module 8. NCIIPC Requirements for Critical Infrastructure Client Engagements
India's National Critical Information Infrastructure Protection Centre has specific requirements for operators across energy, telecom, transport, and water sectors. This module maps NCIIPC guidelines to the IEC 62443 framework and identifies obligations that appear in NCIIPC guidance but not in IEC 62443 directly. Output: a cross-reference table for auditors working with NCIIPC-designated sector clients, covering annual compliance reporting requirements and the specific audit evidence NCIIPC expects from operators.
Module 9. CERT-In Incident Reporting Obligations for OT Events
The CERT-In mandatory 6-hour reporting direction covers OT and SCADA breaches alongside IT incidents. This module covers audit procedures for incident response plan coverage of OT events, the detection capability gaps that make a 6-hour reporting window difficult to meet in air-gapped environments, and how to write a finding that distinguishes inadequate OT incident detection from inadequate IT incident response. Includes a gap assessment checklist against CERT-In requirements for industrial environment incidents.
Module 10. Writing OT Findings for Mixed Audiences
A finding that names a firmware vulnerability means nothing to a CFO or operations director. A finding that states an attacker with access to the Level 2 SCADA layer can halt a specific production line for several hours before manual failover is possible means something to both. This module covers the finding structure: technical description, business impact in operational terms, compensating control status, remediation recommendation with operational constraint acknowledgment, and risk ranking calibrated to production impact rather than vulnerability score.
Module 11. Engagement Management Across IT, OT, and Plant Teams
OT audits require a different stakeholder approach. Plant engineers prioritize availability over confidentiality. IT security teams may lack visibility into the OT environment. Site safety requirements affect audit procedures. This module covers pre-engagement questionnaire design for mixed IT/OT scope, the physical walkthrough protocol including permit-to-work requirements at energy and heavy industry sites, how to manage scope disputes between a CISO and a plant director, and the communication plan that keeps both audiences aligned without disruption.
Module 12. The Final OT Audit Report and Board Presentation
The OT audit report must serve three audiences: the technical remediation team, the compliance committee, and the board. This module builds the report structure: an executive summary calibrated to operational risk language, a finding matrix ranked by production impact and exploitability, a remediation roadmap that respects OT change management cycles, and a board presentation format that connects OT vulnerability status to business continuity exposure. The implementation playbook includes a report template pre-structured for IEC 62443 and NCIIPC client engagements.
How this addresses your situation
Specific modules that map to what you said you are dealing with.
Client declares the OT environment out of scope at kick-off: Modules 1 and 3 build the case for why the zone-and-conduit boundary must be audited and provide the methodology to do it without disrupting operations.
Asset register shows only a single row for the entire plant network: Modules 2 and 4 cover passive discovery methodology and the Purdue Model audit procedure card for mapping what is actually present at each level.
Client says PLC firmware cannot be patched without a multi-month change freeze: Modules 5 and 6 cover compensating control assessment and the remote access audit points where patching gaps create the highest exploitation risk.
CERT-In reporting obligation surfaces as a finding gap mid-engagement: Modules 9 and 10 cover the specific gap assessment checklist and the finding structure that translates the CERT-In technical requirement into a remediation action the client can close.
Who it is for
An IT security auditor at a consulting firm or internal audit function who is increasingly asked to scope and run OT security audits. Solid foundations in ISO 27001, NIST CSF, or general IT audit methodology. Has encountered at least one OT engagement where the standard approach did not hold, and wants a structured methodology that produces defensible findings in industrial environments without disrupting client operations.
Who this is NOT for. Not for plant engineers or OT product vendors. Not for consultants building an OT practice from scratch with no IT audit background. Not for someone looking for IEC 62443 implementation guidance for operators rather than auditors of operators.
How it arrives
Text-based course in the Art of Service learning environment, with downloadable templates and worked examples for every module, and the hand-built implementation playbook delivered alongside course access.
Time investment. 6-8 hours across 12 modules, structured for working through alongside an active OT engagement. Each module is self-contained and can be applied to current client work immediately.
FAQ
Is this relevant for auditors who work across both IT and OT, or only dedicated OT specialists?
Built specifically for auditors who cross both domains. Every module acknowledges the IT audit background and translates the OT-specific difference. An auditor who already knows ISO 27001 and NIST CSF will recognize the structural parallels and build on them rather than starting from scratch.
Does the course cover India-specific requirements or only international frameworks?
Both. Modules 8 and 9 cover NCIIPC critical infrastructure obligations and CERT-In mandatory reporting requirements specifically. The cross-reference table maps NCIIPC guidance to IEC 62443 section by section, so you can run a single engagement that satisfies both.
What if my client's OT environment is not IEC 62443 certified and does not claim to comply?
Most OT audit clients are not certified. The course uses IEC 62443 as the audit framework, not as a certification target. The methodology applies to any industrial environment: you assess against the standard's requirements regardless of whether the client has formally adopted it.