No. ISO 27001 does not require you to include every plant, site, or system in a single certification scope. You can define a limited scope, such as specific plants, business units, or IT environments. However, how you scope the certification carries practical and audit implications that you should understand clearly.
How ISO 27001 scoping works
ISO 27001 certification is issued against a defined scope statement, not your entire company by default. The scope typically specifies:
- Which legal entities, functions, and locations are covered
- Which products, services, or processes are covered
- Which information systems, networks, and data types are included
You can, for example:
- Certify only a subset of plants (e.g., aerospace or defense plants)
- Certify only a central data center and core OT/IT services used by multiple plants
- Certify one pilot plant or region first, then expand the scope over time
Key constraints and tradeoffs in a multi-plant environment
In regulated, multi-plant manufacturing, partial scope is often practical, but it introduces dependencies you must manage carefully.
1. Shared services and infrastructure
If certified plants rely on corporate or shared services that are not fully within scope, you must show how the Information Security Management System (ISMS) controls extend to those dependencies. Examples include:
- Central Active Directory, identity and access management, or VPN services
- Shared MES, ERP, PLM, QMS, data historians, or file shares
- Corporate cloud platforms used by multiple plants
Auditors will expect you to:
- Document which shared components are in scope versus out of scope
- Show risk assessments that explicitly address cross-plant dependencies
- Demonstrate contracts, SLAs, or internal agreements that ensure required controls are in place for shared services
2. Interfaces between certified and non-certified plants
When some plants are in scope and others are not, interfaces and data flows become a focal point:
- Data exchanged between certified and non-certified plants must be controlled, monitored, and risk-assessed.
- Remote access from non-certified plants (e.g., engineering support, corporate IT, suppliers) must comply with the ISMS controls for the certified scope.
- Shared OT networks, jump hosts, or vendor remote support need clearly defined boundaries and hardening.
If boundaries are fuzzy or undocumented, auditors may challenge the scope definition or find nonconformities.
3. Impact on customers and contractual requirements
Some customers, especially in aerospace, defense, or medical, may:
- Require ISO 27001 certification for specific programs, products, or data types
- Expect that all plants handling their data or manufacturing their parts are included in the scope
In those cases, certifying only certain plants is acceptable only if:
- All work and information for that customer are contained within the certified scope, or
- You are transparent with the customer about which plants and systems are covered and which are not
Do not assume that a limited scope certificate will automatically satisfy customer or regulatory expectations without that alignment.
4. Operational reality in brownfield plants
In mixed, brownfield environments, including every plant in a first certification cycle is often unrealistic because of:
- Legacy equipment that cannot easily support modern security controls
- Non-standardized OT/IT architectures and local workarounds
- Limited ability to take downtime for hardening and validation
- Existing MES/ERP/QMS integrations that are sensitive to change
For these reasons, many organizations:
- Start with a narrower, well-controlled scope (e.g., key plants, central infrastructure)
- Use that to establish patterns, procedures, and evidence-generation practices
- Incrementally extend the ISMS and certification scope as controls mature and local constraints are addressed
5. Traceability, validation, and change control
In regulated manufacturing, the ISMS interacts with validation and change control practices for OT and IT systems. When you certify only certain plants:
- Configuration baselines, change records, and validation status for in-scope systems must be traceable and auditable.
- Changes to shared systems (e.g., an MES upgrade) may affect both certified and non-certified plants, but the evidence obligations will differ.
- Procedures must clearly specify which sites and systems follow ISO 27001-governed processes and which follow local or legacy controls.
Ambiguity here can cause audit issues, especially if evidence from non-certified plants is inadvertently presented as part of the certified ISMS.
When a broader plant scope may be justified
You may choose to include more plants in scope when:
- Plants are highly interconnected at the network, application, and data levels, making clean boundaries difficult
- Common OT and IT platforms already apply uniform controls across plants
- Key customers or programs span multiple plants, and splitting scope would complicate customer assurance
However, broad scope increases the effort needed to harmonize procedures, evidence generation, and internal audit coverage, especially in facilities with older assets and heterogeneous controls.
Practical approach for deciding scope
A pragmatic, defensible approach is to:
- Identify drivers: Clarify whether the primary drivers are customer requirements, regulatory expectations, corporate risk appetite, or specific programs.
- Map dependencies: Document shared services, networks, and data flows across plants and central IT, focusing on where program-critical or regulated data flows.
- Define clear boundaries: Choose a scope that you can explain and defend to an auditor, with explicit inclusions/exclusions and interface controls.
- Start with a manageable scope: Especially in brownfield environments, prioritize plants and systems where you can implement and demonstrate controls reliably.
- Plan for expansion: Establish a roadmap to extend the ISMS and certification to additional plants as controls, standardization, and integrations mature.
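As an added illustration of the "map dependencies" and "define clear boundaries" steps (and of the shared-service and interface concerns in sections 1 and 2), the following Python model is not part of the original answer; plant names, systems and flows are constructed. Given a proposed set of in-scope plants and the shared services explicitly declared in scope, it lists each shared service the certified plants depend on, whether it is declared or an out-of-scope dependency needing evidence, and every data flow that crosses the certified boundary.

```python
from collections import defaultdict

# Constructed sample data: hypothetical plants and systems, not from any real site.
SYSTEMS = {   # system -> owning plant, or "corporate" for shared services
    "mes-A": "PlantA", "hist-A": "PlantA", "jump-A": "PlantA",
    "mes-B": "PlantB",
    "mes-C": "PlantC", "eng-ws-C": "PlantC",
    "AD": "corporate", "ERP": "corporate", "VPN": "corporate", "PLM": "corporate",
}
FLOWS = [     # (source system, destination system, data or access type)
    ("mes-A", "ERP", "production orders"),
    ("AD", "mes-A", "authentication"),
    ("AD", "mes-B", "authentication"),
    ("mes-A", "hist-A", "process data"),
    ("eng-ws-C", "jump-A", "remote engineering access"),
    ("VPN", "jump-A", "vendor remote support"),
    ("PLM", "mes-A", "customer drawings"),
    ("mes-C", "ERP", "production orders"),
]

def in_scope(system, scope_plants, shared_in_scope, systems):
    """A plant system is in scope if its plant is; a corporate service only if declared."""
    owner = systems[system]
    if owner == "corporate":
        return system in shared_in_scope
    return owner in scope_plants

def analyze_scope(scope_plants, shared_in_scope, systems=SYSTEMS, flows=FLOWS):
    """Return (shared-service dependency report, boundary-crossing flows) for a scope."""
    deps = defaultdict(set)   # corporate service -> in-scope plant systems relying on it
    crossings = []            # flows with exactly one end inside the certified boundary
    for src, dst, data in flows:
        src_in = in_scope(src, scope_plants, shared_in_scope, systems)
        dst_in = in_scope(dst, scope_plants, shared_in_scope, systems)
        for svc, other, other_in in ((src, dst, dst_in), (dst, src, src_in)):
            if systems[svc] == "corporate" and other_in and systems[other] != "corporate":
                deps[svc].add(other)
        if src_in != dst_in:
            crossings.append((src, dst, data))
    report = {svc: ("declared in scope" if svc in shared_in_scope
                    else "OUT OF SCOPE: needs dependency evidence (contract/SLA/risk assessment)")
              for svc in sorted(deps)}
    return report, crossings

if __name__ == "__main__":
    report, crossings = analyze_scope({"PlantA", "PlantB"}, {"AD"})
    for svc, status in report.items():
        print(f"{svc}: {status}")
    for src, dst, data in crossings:
        print(f"boundary crossing: {src} -> {dst} ({data})")
```

Note that widening the declared shared services (for example adding ERP) removes some crossings but creates new ones where non-certified plants use that same service, which is exactly the interface an auditor will ask about.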
In summary, you do not need all plants in scope to obtain ISO 27001 certification, but scoping decisions must be explicit, technically coherent, and consistent with how your plants, OT/IT systems, and data actually interact. In regulated manufacturing, getting the boundaries and interfaces right is more important than having a maximally broad scope on day one.