According to ISA/IEC 62443-3-2, the risk analysis phase in the IACS security lifecycle includes both the business rationale and the risk identification and classification. This ensures that risk decisions are based not only on technical vulnerability but also on business impact and operational context.
“The risk analysis process includes identification and classification of risks based on a defined business rationale. This ensures that the protection requirements are aligned with the organization’s risk tolerance and operational priorities.”
— ISA/IEC 62443-3-2:2020, Section 6.4 – Risk Assessment and SL Targeting
The term business rationale refers to understanding the value and criticality of the asset or system in order to make informed security decisions.
References: ISA/IEC 62443-3-2:2020 – Section 6.4; ISA/IEC 62443-2-1 – Section 4.3.2: Risk and business continuity alignment.