Under the trend of Internet of Things and Industry 4.0, two major fields, IT and OT, are integrated. However, this has also led to frequent information security incidents, and these incidents have made information security an issue that OT must face. This research compares the risk management standard IEC 62443-3-2 for industrial system security in OT domain, ISO/IEC 27005 for information security in IT domain, Risk IT Framework and NIST SP800-39 to evaluate the key concerns of integrated information security risk management approach, and focuses on the risk management process, granularity of concerns, and classification methods in OT and IT standards.
We propose the application of ISO/IEC 27005 to IEC 62443-3-2 to provide organizations with the concept of integrating OT and IT to reduce information and network security risks in industrial areas, reduce the huge losses caused by information security incidents, and improve information security. It also improves the quality of information security protection and ensures the security of organization information and network, thus enabling organizations to operate sustainably.