As of April 2026 the UK Health and Safety Executive will be transitioning from OG86 to ISA/IEC 62443 as the basis of COMAH site inspections. Because the ISA/IEC 62443 family of standards contains a far more comprehensive set of requirements than the outgoing OG86 document, this will place additional requirements on COMAH Duty Holders, particularly in the areas of:
Establishing and improving an organisational Security Program or Cyber Security Management System (ISA/IEC 62443-2-1), and requiring equivalent Security Programs to be in place at their integration and maintenance service providers (ISA/IEC 62443-2-4)
Identification of zones and conduits and determination of target Security Levels (ISA/IEC 62443-3-2)
Identification of system security requirements (ISA/IEC 62443-3-3)
Possibly the largest change for COMAH Duty Holders will be the expectation that, as asset owners, they determine their own corporate risk appetite and follow the two-stage workflow of initial (high-level) and detailed risk assessment laid out in ISA/IEC 62443-3-2. This contrasts with OG86 Edition 2, which only required an initial (high-level) risk assessment to be carried out for systems whose compromise would result in Major Accident consequences.
The enhanced risk assessment process is linked to requirements for security countermeasures (ISA/IEC 62443-3-3) that are proportionate to the assessed risk, and therefore more stringent than the basic requirements laid out in OG86 Appendix 5.
OG86 is expected to be maintained for the foreseeable future as a baseline of basic cyber hygiene, but it will apply only where the initial risk assessment has identified no enhanced security requirements.