FAQ

How often should we perform ISO 27001 risk assessments in a factory?

ISO 27001 does not mandate a specific frequency for risk assessments, even in factory environments. It requires that risk assessments are defined, performed, maintained, and kept up to date. In practice, most industrial organizations combine a regular cycle (often annual) with event-driven reviews when relevant changes occur.

Typical baseline frequency in factories

In a regulated, brownfield manufacturing environment, a realistic pattern is:

  • At least once per year for a formal, documented risk assessment covering the scope of the ISMS (including key OT systems, if in scope).
  • Every 2–3 years for a deeper, structural refresh of the risk assessment methodology, asset inventory, and risk criteria, aligned with business and regulatory changes.
  • Event-driven updates whenever there is a material change or trigger that could affect risk.

The precise cadence should be defined in your ISMS procedures and approved through your normal governance and change control processes.

Event-driven triggers in a factory context

Beyond the baseline cycle, ISO 27001 expects you to maintain risk information so that it reflects reality. In a factory, that means updating all or part of your risk assessment when:

  • New production lines, cells, or facilities are introduced, especially where new OT networks, controllers, robots, or IIoT connectivity are added.
  • Major changes are made to the OT/IT architecture, such as new MES, SCADA, historians, remote access solutions, or cloud integrations.
  • Significant process or product changes affect information flows, recipes, NC programs, or controlled technical data.
  • Security incidents or near misses occur, especially those involving production systems, quality data, or regulated records.
  • Major vendor or infrastructure changes take place, such as network segmentation projects, identity and access management changes, or decommissioning of legacy servers.
  • New regulatory or customer requirements materially change confidentiality, integrity, or availability expectations.

In many cases you do not need to redo the entire risk assessment. You can perform a scoped, change-driven update and re-evaluate affected risk scenarios and treatment plans.

Factors that should drive your cadence

The “right” frequency is highly dependent on your context. Key factors include:

  • Rate of change in the plant: Rapid deployment of automation, connectivity, and data integrations pushes toward more frequent reviews (for example, semi-annual).
  • Criticality of operations: High criticality (safety-related production, aerospace or defense work, life sciences, long product liability tails) justifies a tighter cadence and more conservative triggers.
  • OT security maturity: Plants early in OT security and network segmentation work often uncover new assets and dependencies; a more frequent cycle helps keep the risk picture accurate.
  • Integration with other risk processes: If you already run regular safety, quality, or business continuity risk reviews, aligning ISO 27001 reviews to those cycles may be more sustainable than adding a separate schedule.
  • Regulator and customer expectations: Some customers or regulators will expect to see at least annual risk assessment evidence, together with proof that the assessment was updated after changes, rather than a static, three-year-old document.

Coexistence with legacy and mixed-vendor systems

In brownfield factories, full system replacement just to “clean up” cyber risk is rarely viable due to validation burden, downtime risk, and qualification constraints. Your risk assessment schedule should reflect that reality:

  • Map legacy assets explicitly (old PLCs, unsupported HMIs, custom integrations) and re-check their risks whenever network topology or remote access changes.
  • Accept that compensating controls (segmentation, monitoring, procedures) are long-lived and must be re-evaluated regularly rather than assuming fast replacement of weak components.
  • Integrate with existing processes such as MOC (management of change), equipment qualification, and CSV (computer system validation) so that risk reviews are automatically triggered when validated systems change.

A practical approach is to anchor your ISO 27001 risk assessment updates to existing plant change control workflows. Any change that would trigger re-validation, re-qualification, or a major MOC should also trigger a targeted information security risk review.

Pragmatic minimums and tradeoffs

If you need a concrete starting point for a typical factory with mixed OT/IT in an ISO 27001 ISMS scope:

  • Define a formal, documented risk assessment at least annually, with clear scope and methodology.
  • Specify in your procedure that material changes, incidents, or audit findings trigger a scoped re-assessment of affected assets and scenarios.
  • Align with budget and staffing: Very frequent full-scope assessments without adequate resources often lead to superficial results, which is worse than a well-executed annual assessment plus meaningful interim updates.

Ultimately, the acceptable frequency should be risk-justified, documented in your ISMS procedures, and consistently followed. It should also be supported by actual evidence of updates over time, not just a stated policy.
