WisePlant – A WiseGroup Company
2199 Alerts Management

Course 2199: Comprehensive Handling and Management of Industrial Cybersecurity Alterations Applying the ISA/IEC-62443 Standard

Cybersecurity requires monitoring, detecting, surveilling and alerting based on numerous cybersecurity events occurring in control systems. This activity, necessary to accompany the safe operation of the plant, requires a series of fundamental activities, explained in this course 2199, that must be executed correctly prior to its implementation.

The generation of security alerts is followed by assertive, immediate and delay-free cyber incident management. Alerts should be classified and categorized according to a realistic risk possibility and in context with the industrial process, without false positives. Responses must be specific and rapid to ensure preventive, effective and efficient avoidance of the occurrence of potential consequences.

The generation of cybersecurity alerts (cyber incidents) may or may not correlate with process disturbances and alarms and, finally, with the occurrence of the potential consequences. Developing the ability to anticipate physical events in the plant requires expertise that can only be achieved with specific knowledge of the plant.

It is crucial to design and implement surveillance, alerting, and incident management systems – without false alerts – through a process of rationalization of security alerts, based on specific knowledge and the result of detailed cyber risk assessment.

Additionally, monitoring, alerting and responding to cybersecurity incidents on a system that has all its risks mitigated is significantly different from doing so on a system that does not.

Objectives of the 2199 Course:

The objective of the course is to cover the main activities and requirements of the Life Cycle of Security Alert Management according to ISA/IEC-62443 and ANSI/ISA-18.2-2016. The course focuses on the design, installation, and administration of a Cybersecurity Alert System in industrial processes.

To meet this objective, the concepts, models, and conceptualization for the management of alerts will be presented, along with the application of these criteria to the development of the alert philosophy, rationalization of alerts, basic design of alerts, advanced alert techniques, design of HMI for alerts, and evaluation of monitoring, detection and response actions.

Participants will learn alert management lifecycle activities with reference to the ISA/IEC-62443 and ISA/18.2 standards and how to address common problems with security alert and process alarm management systems. Key benefits of attending this course include:

  • Learn best practices to improve alerting system performance.
  • Learn methods for solving common alert management concerns.
  • Learn about the best practices for an effective and successful implementation of the alert management system.
  • Avoid generating false security alerts that lead to no action or cause distractions.
  • Design fast and accurate responses to security alerts before they happen.
  • Learn the metrics to measure success in managing alerts and continuous improvement.

At the end of the 2199 course, participants will be able to:

  • Develop an alert management philosophy.
  • Identify alerts.
  • Streamline alerts, including classification and prioritization.
  • Design basic alerts, their monitoring, detection and notification.
  • Determine when advanced alerting techniques should be used.
  • Document alerts for operations.
  • Design monitoring reports and evaluate the performance of the alert system.
  • Manage changes in alert systems.

To meet the proposed objectives, a scheduled course load of 16 hours is required.

Course Contents:

  • Introduction.
    • Vision through time of the Design of an Alert System.
    • History of Accidents related to Alert Management.
    • Importance of Alert Management.
    • Principles, Guidelines, Standards, and Best Practices.
    • Management of an Alert System based on ISA/IEC-62443 and ISA/18.2-2016.
  • Philosophy and Identification of alerts.
  • Streamlining alerts.
    • Preparation of the rationalization of alerts.
    • Justification of alerts.
    • Prioritization of alerts.
    • Classification of alerts.
  • Alarm design.
    • Alert status.
    • Types of alerts.
    • Configuration and Monitoring.
    • Times and alert messages.
  • Implementation of the alert system.
    • HMI design.
    • Alert display.
    • Existing solutions for alert management.
    • Success stories of alert systems.
  • Alert system operation and maintenance considerations.

Modalities and schedules:

  • Face-to-face and/or virtual.
  • Duration: 16 hours total.

Who is it for?

The course is aimed at the following groups of professionals:

  • Engineering personnel who perform specification, maintenance or updating of process alarm systems.
  • Industrial cybersecurity personnel who execute specification, maintenance or updating of cybersecurity alert systems.
  • Process engineering, control and operation personnel of industrial process plants.
  • Corporate Cybersecurity and/or Industrial Information Security Personnel.


  • Course Material.
  • Access to the Educational Campus.
  • Complementary material in digital form available on the educational campus.


It has no specific requirements. It is recommended that the professional has knowledge of some of the following: the Industrial Process Alarm Management Standard ISA/18.2; the International Cybersecurity Standards by industry consensus ISA/IEC-62443; the Corporate Cybersecurity or Information Security Standards ISO-27000; industrial risk management standards such as ISA/IEC-61511 and functional safety; regulations and/or national standards such as NIST, NERC, and others; experience in corporate project management and cultural change management; and other industrial risk management standards (worker safety, environmental safety, etc.).


A first certificate of knowledge is issued upon completion of the course.

  • Certificate: “Practitioner of design, implementation, safe operation and maintenance of the security alert system and incident response”
  • CRE credits: 1,6
  • The certification exam is taken in class at the end of the course. Available in Spanish, Portuguese, and English.

A second certificate of experience is issued after practical implementation in real projects.

  • Certificate: “Expert in design, implementation, safe operation and maintenance of the security alert system and incident response”
  • CRE credits: cumulative, depending on the duration of the activities carried out by the practitioner.
  • The certificate is issued after a demonstration of practical experience with the active participation of the practitioner in real projects making use of the methodology.


All participants who meet the course requirements and successfully pass the final exam with a good grade will be awarded a Digital Badge. The Digital Badge certifies that the participant has attended the 2199 training course and has completed the final evaluation test with a good grade, verifying that the participant has reasonably assimilated the new knowledge.

All practitioners who develop and demonstrate active participation in the different activities of the methodology, and who have accumulated a minimum number of hours of attendance in each of the specific activities, will be eligible to obtain the corresponding certificate of experience. Supervision by a certified project leader is required. The process is similar to the accumulation of hours by an airplane pilot.