There are many ways to produce a software product. The traditional Information Technology (IT) approach was to follow the waterfall model, where rigid requirements were laid out before development began. Over the years, agile processes, where flexibility is paramount, have become the norm. One of the now widely used agile processes for development is Scrum.
Cybersecurity must be incorporated no matter which process is used to create a product. Although it may seem easier to incorporate cybersecurity into a waterfall process, it is still possible to incorporate those same cybersecurity requirements into an agile process. IEC 62443 can provide guidance on the phases in which cybersecurity is brought into Scrum for product development. More specifically, IEC 62443-4-1 can be used as a standard to check whether the specific Scrum process in use allows cybersecurity to be considered and implemented during development. IEC 62443-4-2 gives guidance on cybersecurity in the product itself and on ensuring that the IEC 62443-4-1 process was incorporated. The following topics describe how IEC 62443-4-1 and IEC 62443-4-2 can be used in a Scrum process for the development and security of a product.