You are not required to implement all 93 Annex A controls as-is. ISO/IEC 27001 requires you to perform a risk assessment, decide which Annex A controls are applicable and proportionate, justify any exclusions, and document this in the Statement of Applicability. In regulated, brownfield manufacturing environments, feasibility, integration, and validation constraints often drive a risk-based, prioritized adoption rather than a blanket rollout.

In regulated manufacturing, it is more useful to think in KPI categories than a universal list of five. Typical examples span safety, quality, delivery, cost, and asset performance. Specific definitions, calculations, and targets must align to your processes, data quality, and validation approach, and should coexist with existing MES/ERP/QMS metrics without creating conflicting "sources of truth."