In regulated industrial and manufacturing contexts, it is usually not enough to ask suppliers only about ISO 27001. You should also probe how they use ISO 27002 to select and implement specific security controls, particularly where they handle your designs, manufacturing data, or regulated product information.
How ISO 27001 and ISO 27002 differ for supplier assessments
- ISO 27001 defines the requirements for an information security management system (ISMS): governance, risk assessment, objectives, and continual improvement. Certification is against ISO 27001.
- ISO 27002 is a catalogue of controls and implementation guidance. It helps answer: which controls were selected, why, and how they are applied in practice.
An ISO 27001 certificate alone does not tell you which controls are actually in place, how strong they are, or how well they align to your specific manufacturing, IP protection, or regulatory obligations.
What to ask suppliers in practice
Instead of asking only “Are you ISO 27001 certified?”, extend your due diligence to include ISO 27002 by asking for:
- ISO 27001 status: Certification scope, sites covered, and certificate validity. Confirm if key production or data-processing sites are actually in scope.
- Statement of Applicability (SoA): A list of controls derived from ISO 27002 (or equivalent) with justification for inclusion or exclusion. This is critical; it shows how they translated ISO 27002 guidance into their control set.
- Key control coverage: Evidence or description of how specific ISO 27002 controls are implemented for:
  - Access control for design and process data
  - Network segregation between OT and IT where relevant
  - Backup and recovery of production and quality data
  - Change management around manufacturing and quality systems
  - Logging and incident response processes
- Risk-based tailoring: How they use risk assessment to decide which ISO 27002 controls are strengthened or relaxed for critical manufacturing and regulated data.
Where depth of questioning should increase
It is especially important to go beyond a simple ISO 27001 question when suppliers:
- Host or operate your MES, QMS, PLM, or related cloud services.
- Have remote access into your OT network, equipment, or plant data.
- Process export-controlled, safety-critical, or highly sensitive design data.
- Provide long-life equipment where software and firmware updates will continue for many years.
In these cases, you should align on specific ISO 27002 control expectations and on how evidence will be provided over time, not just at onboarding.
Brownfield and coexistence realities
In mixed environments with legacy MES/ERP/PLM and external suppliers, your questions about ISO 27001 and ISO 27002 should acknowledge that:
- Some suppliers may have partial ISO 27001 coverage (for example, office IT but not OT or hosted platforms).
- Controls guided by ISO 27002 may be implemented differently across plants, systems, and vendors, especially where legacy assets or integration constraints exist.
- Full replacement of non-compliant systems is often impractical due to validation burden, downtime risk, and qualification of new platforms. You may need compensating controls and stronger oversight instead.
Because of this, questions should focus on how ISO 27002-based controls coexist with legacy systems, how changes are controlled, and how traceability and validation evidence are maintained.
How to phrase requirements without overcommitting
In contracts and supplier questionnaires, you can:
- Reference ISO 27001 certification as a baseline expectation where proportionate to risk.
- Require a Statement of Applicability aligned to ISO 27002 or an equivalent control framework.
- Specify which ISO 27002 control areas are most critical for your use case (for example, access control, operations security, supplier relationships, and system acquisition and development).
- Request periodic updates and evidence when major changes are made to systems processing your data, tying back to change control and validation requirements.
Bottom line
You should not stop at asking whether a supplier is ISO 27001 certified. For regulated and long-lifecycle manufacturing environments, you also need to understand how they apply ISO 27002 in practice: which controls are in scope, how those controls coexist with legacy and OT systems, and how they maintain traceability, validation, and change control over time.