What is ISO 27001?
ISO 27001 is an international standard for an Information Security Management System (ISMS) that organizations implement and have certified by an accredited body.
Key takeaways
- ISO 27001 certifies the management system, not specific controls. The certification says the organization runs a system that systematically manages information security; the controls implemented inside that system are subject to the organization's risk assessment.
- The standard has two parts: clauses 4-10 (mandatory management system requirements) and Annex A (a reference set of controls; the 2022 revision lists 93 controls in four themes).
- For mid-market manufacturers, ISO 27001 is most useful when customers (especially European or regulated-industry customers) require it, or when the certified posture supports a broader competitive positioning.
- Certification requires sustained discipline, not a one-time project. Annual surveillance audits and triennial recertification keep the ISMS active.
- ARG produces audit findings mapped to ISO 27001 Annex A controls for clients who pursue certification, alongside the broader NIST CSF 2.0 and CMMC mappings.
What is an Information Security Management System (ISMS)?
An Information Security Management System is the set of policies, processes, procedures, and controls that an organization uses to systematically manage information security risk. The ISMS is not the security tools; it is the management system that decides which tools and processes to use, based on documented risk assessment.
The defining property of an ISMS is that it operates on a continuous improvement cycle. The standard expectation is the Plan-Do-Check-Act cycle:
- Plan. Establish ISMS objectives, scope, risk assessment, and risk treatment plan.
- Do. Implement the risk treatment plan and the selected controls.
- Check. Monitor and review the ISMS, including internal audits and management review.
- Act. Maintain and improve the ISMS based on what the Check phase surfaces.
The ISMS is a system the organization operates, not a state the organization reaches. Certification confirms the system is in place and effective.
This contrasts with control-based frameworks like NIST SP 800-171 or CIS Controls, where the deliverable is a specific set of controls being in place. ISO 27001 expects controls to be in place too, but the certification focuses on the management system that selects, operates, and improves the controls over time.
The structure of ISO 27001: clauses, Annex A controls, and certification scope
ISO 27001:2022 has two structural parts.
Clauses 4 through 10: Management system requirements. Mandatory requirements every certified ISMS must satisfy. The clauses cover:
- Clause 4: Context. Understanding the organization, interested parties, ISMS scope.
- Clause 5: Leadership. Top management commitment, policy, roles and responsibilities.
- Clause 6: Planning. Risk assessment, risk treatment, security objectives.
- Clause 7: Support. Resources, competence, awareness, communication, documented information.
- Clause 8: Operation. Operational planning and control, risk assessment, risk treatment.
- Clause 9: Performance evaluation. Monitoring, internal audit, management review.
- Clause 10: Improvement. Nonconformity and corrective action, continual improvement.
These clauses are the substance of the standard. An organization that implements specific controls without satisfying clauses 4-10 is not certifiable, regardless of how strong the controls are.
Annex A: Reference set of controls. A list of 93 controls (in the 2022 revision; the 2013 revision had 114 controls in 14 domains) organized into four themes:
- A.5 Organizational controls (37 controls). Policies, roles, supplier relationships, threat intelligence, information transfer.
- A.6 People controls (8 controls). Screening, terms of employment, awareness, disciplinary process.
- A.7 Physical controls (14 controls). Physical security perimeters, monitoring, equipment security.
- A.8 Technological controls (34 controls). Access control, cryptography, system security, application security, network security, logging, vulnerability management.
The organization selects which Annex A controls apply, based on its risk assessment, and may add controls that Annex A does not list. Clause 6.1.3 requires a Statement of Applicability that records which controls are necessary, whether each is implemented, and the justification for every inclusion and exclusion. The 2022 revision also tags each control (in the companion ISO/IEC 27002:2022) with attributes, including cybersecurity-concept attributes that follow the NIST CSF functions (Identify, Protect, Detect, Respond, Recover), which makes cross-mapping to other frameworks cleaner than in previous versions.
Certification scope. The organization defines the scope: which parts of the organization, which systems, which information are covered by the ISMS. The scope is documented and audited; the certificate references the scope explicitly. A mid-market manufacturer can certify the entire organization or a specific business unit or process.
Why mid-market manufacturers pursue ISO 27001 (and when it is overkill)
ISO 27001 is the right framework for some mid-market manufacturers and overkill for others. The decision depends on three factors.
1. Customer expectations. European customers, regulated-industry customers (medical devices, automotive, aerospace), and large enterprise customers increasingly require ISO 27001 from their suppliers. If your top three customers ask for ISO 27001 in their vendor reviews, the certification is a customer requirement, not a security choice.
2. Market positioning. ISO 27001 is internationally recognized. A manufacturer competing for international customers, or differentiating against less-mature competitors, can use ISO 27001 as a market signal. The signal is more valuable in industries where security posture is part of competitive differentiation.
3. Operational maturity. ISO 27001 expects an organization with sustained operational discipline. A manufacturer running on heroics and ad-hoc processes will struggle to maintain certification. A manufacturer with documented processes, change control, and structured improvement cycles will find ISO 27001 a natural fit.
When ISO 27001 is overkill:
- No customer demand. No customers asking for it; no obvious competitive advantage; no regulatory driver.
- Other frameworks fit better. If CMMC is required for defense work, that takes priority; if NIST CSF 2.0 covers the customer-facing need, certification of the management system may not add proportional value.
- Organization too early-stage. A pre-revenue or early-stage manufacturer may not have the operational discipline to sustain ISO 27001 cost-effectively.
The right answer for many mid-market manufacturers is to map controls to ISO 27001 (so the evidence is reusable) without pursuing certification immediately. Certification follows when customer demand or strategic positioning justifies the cost.
Examples of ISO 27001 implementation pitfalls
Patterns ARG sees during ISO 27001 readiness work at mid-market manufacturers:
- Risk assessment is generic, not organization-specific. Standard templates copied without adaptation. ISO 27001 expects an assessment that reflects the organization's actual risks; generic risk registers do not survive a certification-body audit.
- Statement of Applicability is overinclusive or underinclusive. Either every Annex A control is "applicable" without considering whether the organization actually does or needs to (overinclusive), or controls are excluded without documented justification (underinclusive). Both fail audit.
- Management review is calendared but not substantive. Quarterly or annual management reviews are held but the meeting notes record only "everything is fine". ISO expects evidence of substantive review with decisions and follow-up actions.
- Internal audit by the same people who run the controls. Internal audit needs independence. Auditing your own work does not satisfy the standard.
- Documented information is in scattered locations. ISO 27001 expects a controlled documented-information system. Documents living in personal OneDrives, paper folders, and shared SharePoint sites without version control fail audit.
- Awareness training is calendar-only. Annual classroom training with no measure of whether it changed anything (test results, phishing-simulation trends, incident reports from staff) does not satisfy the awareness expectations of clause 7.3.
- Supplier relationships not addressed. A.5.19 through A.5.23 cover supplier relationships; mid-market manufacturers often have informal vendor management that does not meet the standard.
- Nonconformity not closed-loop tracked. Issues are identified but not tracked through to corrective action and verification. The Plan-Do-Check-Act cycle is broken at Act.
Each pitfall is fixable. The fixes require sustained operational discipline rather than one-time investment.
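The Statement of Applicability pitfall above is mechanical enough to lint. The following is an added example, not ARG's tooling or any artefact of the standard: it treats the SoA as one record per Annex A control and flags the three defects an auditor looks for first: a control marked applicable with no evidence linked, a control excluded with no written justification, and a control missing from the SoA altogether. The record format, the evidence paths and the sample SoA are all constructed for illustration; the only facts taken from the standard are the Annex A 2022 control numbering (A.5.1 to A.5.37, A.6.1 to A.6.8, A.7.1 to A.7.14, A.8.1 to A.8.34).

```python
from dataclasses import dataclass, field

# ISO/IEC 27001:2022 Annex A numbering: 37 + 8 + 14 + 34 = 93 controls.
ANNEX_A_THEMES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}
ALL_CONTROLS = [
    f"{theme}.{n}"
    for theme, count in ANNEX_A_THEMES.items()
    for n in range(1, count + 1)
]


@dataclass
class SoaEntry:
    """One SoA row. Format is an assumption; real SoAs live in spreadsheets or GRC tools."""
    control_id: str                      # e.g. "A.5.19"
    applicable: bool                     # the organization's applicability decision
    justification: str = ""              # required when the control is excluded
    evidence: list[str] = field(default_factory=list)  # required when included


def lint_soa(entries):
    """Return a sorted list of (control_id, problem). An empty list means the SoA
    is structurally complete; it says nothing about whether the controls work."""
    problems = []
    seen = set()
    for e in entries:
        if e.control_id not in ALL_CONTROLS:
            problems.append((e.control_id, "not an Annex A 2022 control id"))
            continue
        if e.control_id in seen:
            problems.append((e.control_id, "duplicate row"))
        seen.add(e.control_id)
        if e.applicable and not e.evidence:
            # Overinclusive: "applicable" ticked with nothing to show the auditor.
            problems.append((e.control_id, "applicable but no evidence linked"))
        if not e.applicable and not e.justification.strip():
            # Underinclusive: exclusion with no documented reason.
            problems.append((e.control_id, "excluded without documented justification"))
        if not e.applicable and e.evidence:
            # Evidence for an "excluded" control usually means the decision is wrong.
            problems.append((e.control_id, "excluded yet evidence linked; revisit applicability"))
    # Clause 6.1.3 expects every Annex A control to be considered, so a missing
    # row is itself a finding, independent of the applicability decision.
    for cid in ALL_CONTROLS:
        if cid not in seen:
            problems.append((cid, "missing from SoA"))
    return sorted(problems)


def build_sample_soa():
    """Constructed sample SoA with three deliberate defects for the linter to catch."""
    entries = []
    for cid in ALL_CONTROLS:
        if cid == "A.8.34":
            continue                                   # row omitted entirely
        if cid == "A.7.4":
            entries.append(SoaEntry(cid, applicable=False))      # no justification
        elif cid == "A.5.19":
            entries.append(SoaEntry(cid, applicable=True))       # no evidence
        elif cid == "A.7.9":
            entries.append(SoaEntry(cid, applicable=False,
                                    justification="No equipment leaves the single site (constructed reason)"))
        else:
            entries.append(SoaEntry(cid, applicable=True, evidence=[f"evidence/{cid}.md"]))
    return entries


if __name__ == "__main__":
    for control_id, problem in lint_soa(build_sample_soa()):
        print(f"{control_id}: {problem}")
```

Run against a real SoA export, the useful output is not the three sample findings but the pattern: a long run of "applicable but no evidence linked" is the overinclusive SoA the pitfall describes, and "excluded without documented justification" on anything outside A.7 deserves a second look before Stage 1.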
How to scope an ISO 27001 certification project realistically
Scoping is the first decision that determines project cost and ongoing burden.
Scope dimensions:
- Organizational scope. Whole company, a specific business unit, a specific process. Smaller scope is cheaper to certify and maintain but may not satisfy customer expectations.
- Geographic scope. Single site, multiple sites, all sites. Multi-site adds audit complexity.
- Information scope. All information processed by the organization, or a specific information category (e.g., customer-supplied data, design files, financial data).
- System scope. All systems in the organizational scope, or a defined subset.
Practical scoping for a mid-market manufacturer:
- Conservative scope. Define a specific information category and the systems that handle it. Certify a narrow ISMS first; expand scope at recertification if useful. Lower cost; less ambitious signal.
- Whole-organization scope. Certify the entire organization. Higher cost; stronger signal; more administrative burden.
- Functional-area scope. Certify a specific function (e.g., engineering and program management; or operations and supply chain). Useful when one functional area has customer-facing certification need.
Most mid-market manufacturers should start with a conservative scope and expand. Initial certification is expensive enough that ambitious scope produces buyer's remorse; narrow scope leaves room to grow.
Timeline:
- Months 1-3: Scoping, risk assessment, Statement of Applicability, policy development.
- Months 4-6: Control implementation, evidence capture, internal audit setup.
- Months 7-9: ISMS operation, evidence accumulation, internal audit, management review.
- Months 10-12: Stage 1 audit (documentation review), corrective action, Stage 2 audit (effectiveness).
Total timeline: nine to eighteen months for a manufacturer starting from a baseline IT security program.
Best practices for maintaining certification year over year
Certification is the start, not the end. Maintaining certification requires annual surveillance audits and triennial recertification.
- Calendar the cycle. Surveillance audits are scheduled by the certifying body annually. Internal audits run on a documented cycle (typically annual for full coverage). Management review is at least annual. The calendar is set up front; surprises produce nonconformities.
- Capture evidence as a byproduct of operations. Logs, records, screenshots, signed acknowledgments, meeting minutes. Captured continuously rather than reconstructed before each audit.
- Track changes formally. New systems, new vendors, organizational changes, policy changes. Each triggers a review of impact on the ISMS.
- Run substantive internal audits. Independent (not auditing your own work), scoped to a portion of the ISMS each cycle, with documented findings and corrective actions.
- Hold real management reviews. The standard requires them at planned intervals; at least annual is the practical minimum, and quarterly is common. Decisions are made, actions are assigned, follow-up is documented.
- Track nonconformities to closure. Every nonconformity gets an owner, an analysis, a corrective action plan, and a verification step. The cycle is documented.
- Coordinate with other frameworks. If the manufacturer also pursues CMMC, SOC 2, or other certifications, cross-mapping reduces duplicate work. Evidence captured once feeds multiple frameworks.
- Complete the 2022 transition (if not already done). The 2022 revision is current. Certificates issued against ISO 27001:2013 could not be maintained past the end of the transition period (31 October 2025 under IAF MD 26), and moving to the 2022 edition requires a transition audit covering the revised Annex A and the re-issued Statement of Applicability.
ISO 27001 FAQs
How long does ISO 27001 certification take?
Typically nine to eighteen months for a first certification at a mid-market manufacturer. Six months to scope and stand up the ISMS, three to six months to operate it (so the certifying body has evidence the system works), one to two months for the stage-one and stage-two audits. Recertification every three years is shorter.
What is the difference between ISO 27001 and SOC 2?
ISO 27001 is an international standard with global recognition; SOC 2 is a US-centric attestation report issued by a CPA firm under AICPA standards. ISO 27001 certifies the management system; SOC 2 reports on controls against the selected Trust Services Criteria, either at a point in time (Type 1) or over a review period (Type 2). Many organizations pursue both; some pursue one and map the controls to the other for customers that ask for the alternative.
Do customers ask for ISO 27001 in manufacturing?
Increasingly, especially manufacturers with European customers or in supply chains for regulated industries. Large customers in automotive, aerospace, energy, and medical devices have started flowing ISO 27001 expectations to mid-market suppliers. For purely domestic manufacturers without European exposure, ISO 27001 is less commonly requested than NIST CSF or CMMC.
Can a 50-person company realistically certify?
Yes. ISO 27001 scope is determined by the organization, not by size. A 50-person company can certify the entire organization or a defined subset. The administrative burden of the ISMS is meaningful for a small organization but manageable; the work is in establishing the management system, not in the size of the certified entity.
How ARG audit findings map to ISO 27001 Annex A controls
ARG maps engagement findings to ISO 27001 Annex A controls for clients pursuing or maintaining certification. The mapping happens during the engagement, not after, so the audit report supports the ISMS directly.
The work is led by David Ashby, with technical-control evaluation from James Wall. The mapping covers all four Annex A themes:
- A.5 Organizational controls. Policies, roles, threat intelligence, supplier relationships, classification, information transfer. Engagement findings on policy gaps, supplier governance, and threat-awareness practice map here.
- A.6 People controls. Screening, terms of employment, awareness, disciplinary process. Engagement findings on the security awareness program, role-based training, and personnel security map here.
- A.7 Physical controls. Physical security perimeters, entry, monitoring, equipment security. Physical security audit findings map directly.
- A.8 Technological controls. Access control, cryptography, system security, network security, logging, vulnerability management. Engagement findings on identity, network, OT, and continuous testing map here.
Each finding carries: location in the Statement of Applicability, current implementation state, evidence captured, recommended improvement, and cross-mapping to other frameworks the client is subject to (NIST CSF 2.0, CMMC, insurance underwriting).
For clients in the middle of certification work, the engagement output feeds the ISMS directly: findings drive the risk register, evidence supports the Statement of Applicability, and the continuous adversarial simulation layer produces ongoing evidence that controls work in operation rather than just on paper.
Apply as a founding client or see how the engagement works for the full delivery cycle.
Find what gets through.
ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.