Whitepaper · 10 pages · Free

ISO 27001 First-Time Certification: The 7 Most Common Failures in Manufacturing

Manufacturing ISO 27001 failures cluster around the OT/IT boundary. Organisations that scope out their operational technology environments, miss OT-specific threats in risk assessment, or fail to apply security controls to production systems consistently fail Stage 2. These are the seven failures and how to fix them.

Published May 2026 · Manufacturing · ISO 27001, Manufacturing Cyber Security, OT Security

Why Manufacturing ISO 27001 Certification Fails

ISO 27001 certification failure in manufacturing is rarely caused by insufficient IT security management. It is caused by inadequate scope definition, insufficient OT/IT boundary controls, and asset management that covers enterprise IT without covering the operational technology that represents the most significant information security risk in a manufacturing environment.

43% of manufacturing organisations fail ISO 27001 Stage 2 on first attempt, versus 28% for service sector organisations.
OT/IT boundary: the single most common Stage 2 finding in manufacturing ISO 27001 audits.
3.4x: manufacturing organisations experience cyber incidents at 3.4 times the rate of equivalent service sector organisations.

The Seven Most Common Failures

  1. ISMS scope excludes OT environment. Defining scope to cover only enterprise IT — excluding SCADA, DCS, PLC networks, industrial IoT — is the most common Stage 2 finding. Auditors assess whether the scope is appropriate for the organisation's information security risks. An ISMS excluding OT is not appropriate for a manufacturer where OT represents the primary operational risk.
  2. Asset register does not cover production systems. An asset register listing servers and laptops without industrial controllers, HMIs, historians and engineering workstations is incomplete. Annex A.8 asset management applies to all information assets in scope — including OT assets.
  3. Risk assessment does not address OT-specific threats. Standard IT risk assessments identify enterprise IT threats. OT-specific threats — targeted attacks on industrial control systems, firmware attacks, supply chain compromise of OT software — require specific threat modelling that IT-oriented risk methodologies do not produce.
  4. Business continuity does not cover production system recovery. Annex A.17 must cover all in-scope systems. Production system recovery has different timelines, validation requirements, and vendor dependencies than enterprise IT recovery. Generic IT recovery plans do not address these.
  5. Supplier security assessment excludes OT vendors. Annex A.15 must address all suppliers who access in-scope systems. OT vendors with remote access to production systems are frequently absent from supplier security assessments despite representing a significant access risk.
  6. Physical security not applied to OT areas. Annex A.11 applies to all areas containing in-scope systems. Control rooms, engineering workstation areas, and areas containing industrial controllers frequently have inadequate physical security compared to server rooms.
  7. Incident response does not address production system incidents. A cyber incident affecting SCADA or a production PLC requires a different response from a data breach: safety considerations, vendor engagement, and validation before return to service. Standard IT incident procedures do not address these requirements.

Manufacturing ISO 27001 Readiness Checklist

  - ISMS scope includes the OT environment: SCADA, DCS, PLC, industrial IoT, engineering workstations
  - Asset register covers all OT assets in scope
  - Risk assessment addresses OT-specific threat vectors
  - Business continuity covers production system recovery with OT-specific timelines
  - OT vendors with remote access included in supplier security assessment
  - Physical security controls applied to OT areas: control rooms, HMI stations
  - Incident response covers production system cyber incidents, including safety implications

About AjaCertX
AjaCertX is a specialist compliance, certification and assurance partner serving manufacturing organisations. Our Cyber and Digital Security practice delivers ISO 27001, OT security assessment and NIS2 compliance.