OPC UA Client and Server products are certified against Profiles that are defined in OPC 10000-7. Some of the Profiles specify security functions and others specify other functionality that is not related to security. The Profiles impose requirements on the certified products but they do not impose requirements on how the products are used. A consistent minimum level of security is required by the various Profiles. However, different Profiles specify different details such as which encryption algorithms are required for which OPC UA functions. If a problem is found in one encryption algorithm then the OPC Foundation can define a new Profile that is similar, but that specifies a different encryption algorithm that does not have a known problem. OPC 10000-7 is the normative specification of the Profiles, but Profiles are maintained in an on-line application (http://opcfoundation-onlineapplications.org/profilereporting/) allowing for updating of Profiles, especially security related profiles, in a more timely manner than allowed by documentation publication cycles.
Policies refer to many of the same security choices as Profiles; however the policy specifies which of those choices to use in the Session. The policy does not specify the range of choices that the product offers, they are described in the Profiles that it supports.
These policies are included in Certification Testing associated with OPC UA Applications. The Certification Testing ensures that the standard is followed and that the appropriate security algorithms are supported.
Each security mechanism in OPC UA is provided in OPC UA Applications in accordance with the Profiles with which the OPC UA Application complies. At the site, however, the security mechanisms may be deployed optionally. In this way each individual site has all of the OPC UA security functions available and can choose which of them to use to meet its security objectives.