FAQ

What is the difference between ISMS and ISO 27001?

ISMS and ISO 27001 are related but not the same thing. One is the management system you run; the other is the standard that defines requirements for that system.

What is an ISMS?

An Information Security Management System (ISMS) is the set of policies, procedures, controls, roles, and records that you put in place to manage information security risks. It is the operational system that governs how you protect information across people, processes, and technology.

In a regulated industrial environment, an ISMS typically covers:

  • Risk assessment and treatment for production, engineering, and quality data
  • Access control across MES, ERP, QMS, PLM, historians, and OT networks
  • Change control for configurations, patches, and security-relevant updates
  • Incident detection, response, and post-incident review
  • Supplier and third-party access to manufacturing and technical data
  • Backup, recovery, and business continuity for critical systems and records

The ISMS exists regardless of whether you reference a particular standard. It is the practical way you manage security in daily operations.

What is ISO 27001?

ISO/IEC 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. It provides a structured set of requirements and a catalogue of controls (through Annex A and related standards) that organizations can adopt and be audited against.

Key points for ISO 27001 in industrial and manufacturing contexts:

  • It defines what an ISMS must cover at a minimum, not every detail of how you implement it.
  • It can be used purely as guidance, or as the basis for a formal, third-party certification program.
  • It touches both IT and OT, but the actual scope you define (systems, plants, data types) is up to your organization.
  • It interacts with existing requirements (for example, quality or safety standards) but does not replace them.

ISO 27001 itself does not guarantee compliance with regulations or industry-specific requirements; it is a framework for managing information security risk in a systematic way.

Key differences between ISMS and ISO 27001

  • Nature: An ISMS is the actual management system you operate. ISO 27001 is the standard that defines requirements for such a system.
  • Existence: You can have an ISMS without following ISO 27001, and you can use ISO 27001 as guidance without seeking certification.
  • Certification: Organizations are certified to ISO 27001; the ISMS is what is being assessed. The ISMS itself is not a standard.
  • Scope: Your ISMS scope is defined by your organization (for example, specific plants, systems, or data types). ISO 27001 provides the requirements your scoped ISMS must meet.
  • Content: The ISMS includes concrete processes, system configurations, records, and behaviors. ISO 27001 describes requirements such as performing risk assessments, maintaining an asset inventory, or managing incidents.

Implications for regulated manufacturing and brownfield environments

In most industrial operations, the ISMS must be designed to coexist with a complex, brownfield landscape: legacy MES, ERP, QMS, PLM, on-prem historians, paper batch records, and long-lived production equipment. ISO 27001 does not assume a greenfield replacement of these systems.

Some practical implications:

  • System coexistence: The ISMS must span multiple vendors and generations of equipment. Many controls (for example, access management, logging, patching) are implemented via compensating measures when older systems cannot support modern capabilities directly.
  • Change control and validation: Tight change control and validation needs mean that retrofitting controls to MES, PLCs, or data historians can take significant time and testing. ISO 27001 requires managed change, but does not dictate specific validation methods.
  • Scope definition: To manage risk and cost, plants often start with a narrower ISMS scope (for example, engineering data and production records for specific product families) rather than trying to cover every asset and site at once.
  • Integration complexity: Centralized logging, identity management, and network segmentation across OT and IT usually require staged, multi-year work. ISO 27001 is compatible with this phased approach as long as risk is documented and treated.

Trying to fully replace existing manufacturing systems solely to align with ISO 27001 is rarely practical. The more realistic strategy is to design an ISMS that layers additional controls, monitoring, and processes on top of current systems, and to improve coverage over time under structured change control.

Summary

  • An ISMS is the operational framework and set of controls you run to manage information security.
  • ISO 27001 is the standard that defines requirements for an ISMS and may be used for certification.
  • In regulated, long-lifecycle manufacturing, the ISMS must work across existing, heterogeneous systems and be implemented gradually, with clear traceability, validation, and change control.

Get Started

Built for Speed, Trusted by Experts

Whether you're managing 1 site or 100, Connect 981 adapts to your environment and scales with your needs—without the complexity of traditional systems.