In aerospace and industrial organizations, the Information Security Management System (ISMS) cannot be effectively owned by a single person or function acting in isolation. Formal accountability should sit at the executive level, but day-to-day ownership is usually assigned to a designated security leader and supported by a cross-functional governance structure.
Formal accountability: senior leadership
Ultimate accountability for the ISMS should sit with executive management, typically:
- The CEO, general manager, or business unit leader for the regulated operation, with
- Formal delegation to a CISO, CIO, or VP responsible for risk and compliance.
This is important because ISMS decisions affect capital allocation, production risk, contractual obligations (e.g., defense and aerospace primes), and regulatory exposure. Executive ownership is also what makes cross-functional enforcement credible when security controls conflict with schedule or cost pressures.
Operational ownership: ISMS lead or CISO
Day-to-day ISMS ownership is typically assigned to one clear role, for example:
- CISO (or equivalent security leader) in larger organizations.
- Information Security Manager or ISMS Manager in mid-size plants or business units.
- IT/OT Security Lead in smaller organizations where a formal CISO role does not exist.
This role is usually responsible for:
- Maintaining the ISMS scope, Statement of Applicability, and risk treatment plans.
- Coordinating risk assessments and ensuring they cover both IT and OT assets.
- Driving alignment with frameworks like ISO 27001 and industrial cybersecurity standards such as IEC 62443, where applicable.
- Ensuring incident management, vulnerability management, and change control processes are defined and implemented.
- Reporting security posture and major risks to executive management.
In regulated industrial environments, the ISMS lead must have enough authority to slow or block high-risk changes, but also enough operational understanding to avoid impractical policies that would be ignored on the plant floor.
Shared responsibility: IT, OT, engineering, operations, and quality
Even with a clear ISMS owner, effective implementation in aerospace and industrial contexts requires shared responsibility, especially across IT/OT boundaries:
- IT owns enterprise networks, identity, cloud environments, and many core business applications (ERP, PLM, email, collaboration).
- OT/controls engineering owns PLCs, SCADA, HMIs, DCS, and safety systems, which often run on legacy platforms and cannot easily be patched or reconfigured without requalification.
- Manufacturing engineering and operations own production processes, equipment utilization, and changeovers, and must evaluate how controls affect throughput, downtime risk, and maintainability.
- Quality and regulatory teams own documentation, validation, deviation management, and audit readiness (including traceability and evidence that controls are followed).
Without explicit responsibilities across these groups, ISMS controls risk becoming IT-only policies that do not adequately cover production systems, test stands, special processes, and engineering data flows.
Governance structure: steering committee and RACI
In brownfield aerospace and industrial environments with a mix of MES, ERP, QMS, PLM, and legacy point solutions, a structured governance model is usually necessary. Typical elements include:
- ISMS steering committee with representation from IT, OT, operations, engineering, quality, supply chain, and legal/contract management where applicable.
- Formal RACI (responsible, accountable, consulted, informed) for key ISMS processes such as risk assessment, change control, vendor onboarding, incident response, and audit support.
- Plant-level security champions or site coordinators to translate global policies into workable local procedures, especially when equipment age, vendor constraints, or validation status differ by location.
This structure helps avoid two common failure modes:
- Security controls designed centrally that cannot be implemented on legacy production systems without unacceptable downtime or requalification cost.
- Site-level workarounds that undermine corporate policies, leaving gaps in traceability and increasing audit and incident risk.
Why ownership is complicated in regulated, long-lifecycle environments
In aerospace and high-spec industrial plants, ISMS ownership is more complex than in typical IT-only organizations due to:
- Long equipment lifecycles: CNCs, test rigs, and special process equipment may be in service for decades, often with unsupported operating systems and restricted change windows.
- Validation and qualification burdens: Even minor system or configuration changes can trigger requalification, documentation updates, and potential customer approvals.
- Integration debt: MES, ERP, PLM, QMS, and custom middleware are tightly coupled. A security policy that looks simple on paper can break critical data flows if not carefully analyzed.
- Export controls and technical data handling: Design data, repair data, and test results often fall under export control or customer restrictions, creating specialized handling and evidence requirements.
Because of these constraints, ISMS ownership must explicitly include:
- Close coordination with change control and configuration management processes.
- Risk-based approaches that consider both security impact and operational/qualification impact.
- Documented justifications and compensating controls when standard measures (for example, frequent patching or aggressive network segmentation) are not feasible for certain assets.
Practical pattern: how organizations usually assign ownership
In practice, many aerospace and industrial organizations converge on a model like:
- Executive sponsor: Business unit leader or COO accountable for ISMS effectiveness.
- ISMS owner: CISO or Information Security Manager responsible for operating the ISMS and reporting on performance.
- Cross-functional governance: ISMS steering committee with IT, OT, operations, engineering, quality, and supply chain, responsible for risk acceptance decisions and prioritization of remediation work.
- Site and function owners: Local operations leaders, engineering managers, and system owners responsible for implementing and maintaining controls in their scope, under corporate policy.
This model keeps accountability at the top, while making the ISMS a shared, operationally grounded responsibility instead of an IT-only initiative.