ISO 27001 • OT Security • Manufacturing Cybersecurity • ISMS Scope • Plant Operations

Common Mistakes: Missing Operational Technology Risks in ISO 27001 Scope

ISO 27001 implementation can look complete on paper and still miss the risks that matter most in manufacturing. If operational technology is left out of scope without a clear reason, the ISMS may protect email, laptops, and policies while leaving plant systems, remote vendor access, production networks, and recovery risks under-managed.

Quick Snapshot

OT Scope Mistake What Goes Wrong
Treating ISO 27001 as IT-only Plant operations, OT systems, and production risks are ignored.
Excluding OT without justification Auditors and customers may question whether scope reflects real business risk.
No OT asset visibility PLCs, HMIs, SCADA, engineering workstations, and plant networks are not risk-assessed.
Vendor access not reviewed Maintenance providers and equipment vendors may retain remote access.
Recovery gaps missed Backups and restore testing may not cover plant-critical systems.
Better outcome ISO 27001 scope clearly explains IT, OT, vendors, plant operations, and responsibilities.

Introduction

Many manufacturing companies start ISO 27001 with corporate IT.

That usually includes Microsoft 365, email, ERP, HR systems, finance systems, endpoints, cloud services, identity access, file shares, policies, vendor reviews, and incident response.

That is a good start.

But manufacturing does not run on email alone.

It runs on plant operations. It may depend on:

  • PLCs, HMIs, SCADA systems, and industrial networks
  • engineering workstations and production scheduling systems
  • quality systems, machine controllers, and plant historians
  • remote maintenance tools and vendor-managed equipment
  • IoT sensors, barcode systems, and warehouse systems
  • plant support systems that directly affect uptime, recovery, and customer commitments

If these systems are ignored during ISO 27001 scoping, the ISMS may miss major operational risks.

A ransomware event may not only affect email. A compromised vendor account may affect plant access. A failed backup may delay production recovery. A weak remote access path may expose OT systems. A missing asset inventory may slow incident response.

What Is Operational Technology?

Operational Technology, or OT, refers to systems that monitor, control, or support physical processes. In manufacturing, OT may include systems that keep production running.

OT Area Examples
Control Systems PLCs, HMIs, SCADA.
Industrial Networks Plant VLANs, switches, firewalls, remote access gateways.
Engineering Systems Engineering workstations, programming laptops, CAD/CAM systems.
Production Systems Production line control, scheduling, machine interfaces.
Monitoring Sensors, plant historians, energy monitoring, industrial IoT.
Quality Systems Inspection systems, calibration tools, batch records.
Maintenance Systems Remote support tools, vendor portals, maintenance laptops.
Warehouse / Plant Support Barcode scanners, label printers, inventory systems.

Practical rule: If a system affects production, safety, quality, maintenance, or plant uptime, it should be considered during ISO 27001 scoping.

Why OT Gets Missed During ISO 27001 Implementation

OT often gets missed because it does not look like normal IT.

Plant systems may be older. Ownership may sit with engineering or operations. Vendors may manage parts of the environment. Patching may be difficult. Downtime windows may be limited. Documentation may be incomplete. Plant teams may worry about disruption.

So the ISO 27001 team focuses on corporate systems because they are easier to understand and easier to evidence.

That creates a false sense of readiness.

Included in IT-Only Scope Often Missed
Email Remote vendor access to plant equipment.
Laptops Engineering workstation access.
ERP Production line dependencies.
HR systems OT network segmentation.
Cloud apps PLC/HMI backup and recovery.
Policies Vendor maintenance accounts.
Vendor register Critical equipment suppliers.

Mistake 1: Assuming OT Is Automatically Out of Scope

Some teams exclude OT by default. They may say: “ISO 27001 is for information security,” “OT is handled by plant operations,” “the vendor manages that,” or “we do not want the audit to become too complex.”

These concerns may be understandable, but they are not enough.

Better question:

Does OT affect the confidentiality, integrity, or availability of information or business operations? If yes, OT risk should at least be assessed.

OT Scenario Information Security Impact
Engineering workstation compromise Production settings or intellectual property exposed.
SCADA outage Availability impact.
Vendor remote access compromise Unauthorized system access.
Plant historian exposure Operational data leakage.
HMI account sharing Accountability gap.
Backup failure Recovery risk.
Quality system outage Customer and compliance impact.

Practical rule: OT does not need to be fully certified in the same way as corporate IT on day one, but it should not be ignored without risk-based justification.

Mistake 2: Writing Scope Too Narrowly

A narrow ISO 27001 scope can reduce audit complexity. But if it ignores major business risk, it can weaken the ISMS.

Weak scope example:

“The ISMS covers corporate IT systems.”

Better scope example:

“The ISMS covers corporate IT systems and selected manufacturing support processes that affect information security and operational continuity, including ERP, identity systems, engineering file repositories, remote access, vendor access management, backup and recovery, incident response, and risk management for plant-supporting systems across defined manufacturing locations.”

This is clearer. It does not overpromise full OT certification, but it shows that manufacturing risk is considered.

Mistake 3: No OT Asset Inventory

You cannot assess OT risk if you do not know what exists.

Many manufacturers have partial inventories. IT knows laptops and servers. Plant operations knows machines. Vendors know controllers. Engineering knows workstations. Maintenance knows remote access tools. But no one has one complete view.

OT Asset Inventory Field Purpose
Asset Name Identifies the system.
Asset Type PLC, HMI, workstation, server, sensor, gateway.
Location Plant, line, area, facility.
Owner Internal accountable person.
Vendor / Manufacturer External dependency.
Network Zone OT, IT, DMZ, isolated, remote.
Criticality High, medium, low.
Remote Access Yes / No.
Related Risk Links to risk register.

An OT asset inventory does not need to be perfect on day one. It does need to start.

Mistake 4: Not Mapping OT to Business Impact

OT risks should be connected to business outcomes. A plant system may seem technical, but its impact may be operational, financial, safety-related, or customer-facing.

OT Business Impact Question Why It Matters
Which production line depends on this system? Recovery priority.
Would downtime delay customer orders? Customer impact.
Does it affect product quality? Compliance and customer trust.
Is vendor support required for recovery? Dependency risk.
Are backups available? Recovery confidence.
Who makes shutdown or restart decisions? Crisis governance.
OT Asset Business Impact
Production line HMI Line cannot operate normally.
Engineering workstation PLC updates and troubleshooting delayed.
Plant historian Loss of operational trend visibility.
Quality inspection system Shipping delay or quality hold.
Remote access gateway Vendor maintenance disruption.

Mistake 5: Ignoring Remote Vendor Access

Remote vendor access is one of the most important OT risk areas. Manufacturers often rely on vendors for machine maintenance, PLC support, SCADA support, troubleshooting, software updates, calibration, remote diagnostics, warranty support, and plant monitoring.

Vendor Access Risk Impact
Vendor account shared by multiple people No accountability.
Vendor access always enabled Higher exposure.
No MFA Account compromise risk.
No session logging Weak investigation capability.
No approval workflow Access happens without oversight.
Former vendor technician still has access Unauthorized access risk.

Vendor access evidence to collect:

  • vendor access list and remote access approval record
  • MFA evidence and session logs
  • access review sign-off and vendor security review
  • contract security terms and emergency access record
  • termination or removal evidence

Review OT Vendor Access Before the Audit

Canadian Cyber helps manufacturers review remote vendor access, supplier controls, privileged accounts, OT access evidence, and ISO 27001 readiness.

Mistake 6: Treating OT Accounts Like Shared Plant Convenience

Shared accounts are common in plant environments. They may exist because operators rotate shifts, equipment is old, systems do not support named accounts, vendors configured default users, or production cannot stop for login issues.

But shared accounts create accountability risk.

Shared Account Question Why It Matters
Which systems use shared accounts? Visibility.
Why are named accounts not possible? Justification.
Who knows the password? Access risk.
Is password change controlled? Security.
Is use logged another way? Accountability.
Is there a plan to reduce shared use? Improvement.

If shared OT accounts cannot be eliminated, document the risk, approval, compensating controls, and improvement plan.

Mistake 7: Missing OT Backup and Recovery Requirements

Backups are often discussed for IT systems. But plant recovery may depend on OT backups too.

OT Backup Question Why It Matters
Are PLC configurations backed up? Recovery.
Are HMI configurations backed up? Recovery.
Are engineering workstation images backed up? Recovery.
Are SCADA project files backed up? Recovery.
Are machine recipes or settings backed up? Quality and production.
Has restore been tested? Evidence.

Evidence to collect:

  • backup inventory and backup success reports
  • restore test record and configuration backup samples
  • vendor recovery procedure and recovery priority list
  • business impact assessment and corrective actions from failed tests

Mistake 8: No OT Incident Response Scenario

A generic cyber incident response plan may not be enough. Manufacturing needs plant-aware scenarios.

OT Incident Scenario What It Tests
Ransomware affects production scheduling IT and plant coordination.
Remote vendor account compromise Access containment.
Malware on engineering workstation OT isolation and recovery.
SCADA visibility outage Plant response and escalation.
Quality system unavailable Customer and production impact.
Backup restore failure Recovery decision-making.

Who should join the tabletop?

  • IT, OT / engineering, plant manager, and maintenance lead
  • operations, legal, communications, and executive sponsor
  • vendor manager, quality manager, and customer success if relevant

If plant operations is not in the tabletop, the scenario may be too IT-focused.

Run a Plant-Aware Incident Tabletop

Canadian Cyber helps manufacturers run ransomware, plant disruption, remote vendor compromise, OT recovery, and supplier incident tabletop exercises.

Mistake 9: OT Risks Are Not Linked to ISO 27001 Controls

OT risks should connect to controls. Otherwise, the risk register becomes a list with no treatment.

OT Risk ISO 27001 Control Area
Remote vendor access compromise Access control, supplier security.
Engineering workstation malware Endpoint security, malware protection.
OT backup missing Backup and business continuity.
Shared plant accounts Identity and access management.
Plant network exposure Network security.
OT incident confusion Incident response.
Vendor support dependency Supplier relationship security.

Practical rule: Every high OT risk should have a treatment action, owner, due date, and evidence link.

Mistake 10: No Plant Operations Evidence in the ISMS

If plant operations is part of the ISMS scope, evidence should reflect it.

Plant operations evidence examples:

  • OT access review and remote vendor access review
  • maintenance access approval and engineering workstation inventory
  • critical equipment vendor list and restore test evidence
  • plant incident tabletop and network segmentation review
  • physical access records, recovery priorities, and corrective actions
SharePoint Evidence Metadata Purpose
Site / Plant Location.
OT Asset Related system.
Control Area Access, backup, vendor, incident.
Evidence Owner Plant or IT owner.
Period Covered Month, quarter, year.
Review Status Requested, uploaded, approved, rejected.
Related Risk Links to OT risk.

Build My Manufacturing ISMS SharePoint Workspace

Canadian Cyber’s ISMS SharePoint solution helps manufacturers track ISO 27001 evidence for IT, OT, vendors, access, backup recovery, internal audits, corrective actions, and management review.

How to Decide Whether OT Belongs in Scope

Not every OT system must be fully included immediately. But each decision should be risk-based.

Include OT More Directly When Consider Limited Scope or Roadmap When
The system supports critical production. OT asset inventory is immature.
Customer commitments depend on it. Plant systems are legacy and sensitive.
Remote access is used. Controls require phased implementation.
It stores or processes sensitive information. Vendor dependencies need clarification.
It connects to IT systems. Production downtime limits testing.
An outage would create major business impact. Segmentation is still being assessed.

Out of scope should not mean out of mind.

OT Scope Review Checklist

Use this checklist during ISO 27001 implementation.

Question Yes / No
Has OT been discussed during scope definition?
Is there an OT asset inventory or roadmap to build one?
Are plant-critical systems identified?
Are OT risks included in the risk register?
Are remote vendor access paths documented?
Is MFA required for remote access where possible?
Are shared accounts documented and risk-assessed?
Are OT backups identified?
Has recovery been tested for plant-critical systems?
Are OT vendors included in supplier reviews?
Is plant operations included in incident response planning?
Are exclusions documented with rationale?

Common Warning Signs

Your ISO 27001 scope may be too IT-focused if:

  • plant managers were not interviewed
  • OT assets are not listed anywhere
  • remote vendor access is unknown
  • engineering workstations are not reviewed
  • shared plant accounts are not documented
  • backup testing covers only office systems
  • incident response tabletop does not include plant scenarios
  • vendor reviews exclude equipment suppliers
  • production impact is not in the risk register
  • OT exclusions are undocumented

These are fixable issues, but they should be fixed before audit pressure or an incident.

What Good Looks Like

A strong ISO 27001 approach to OT risk can show:

  • clear scope statement and OT scoping rationale
  • OT asset inventory or phased plan
  • plant-critical system list and IT/OT responsibility matrix
  • OT risk register entries and treatment actions
  • remote vendor access review and shared account risk treatment
  • backup and recovery evidence
  • plant incident tabletop evidence
  • OT vendor register and engineering workstation controls
  • management review decisions, SharePoint evidence links, and corrective action tracking

This does not mean every plant system must be perfect. It means OT risk is visible, owned, and managed.

Canadian Cyber’s Take

At Canadian Cyber, we often see manufacturers begin ISO 27001 as a corporate IT project. That is understandable. Corporate IT is easier to scope and evidence.

But manufacturing risk often lives where IT, OT, vendors, and plant operations meet.

That includes:

  • remote maintenance access and engineering workstations
  • production support systems and vendor-managed equipment
  • backup recovery and plant incident response
  • quality systems and operational data

A practical ISO 27001 program does not need to over-scope every OT asset on day one. But it must recognize OT risk, document decisions, assign owners, and build a roadmap.

Takeaway

Operational technology risks should not be missed during ISO 27001 scoping.

Manufacturers need to look beyond corporate IT and review:

  • plant systems and engineering workstations
  • remote vendor access and shared accounts
  • OT backups and plant incident response
  • critical suppliers and operational data
  • production recovery needs and documented exclusions

The goal is not to make ISO 27001 harder. The goal is to make it real.

How Canadian Cyber Can Help

Canadian Cyber helps manufacturing organizations build ISO 27001 programs that reflect IT, OT, vendors, and plant operations.

  • ISO 27001 scope reviews
  • OT risk assessments
  • IT/OT responsibility mapping
  • OT asset inventory planning
  • remote vendor access reviews
  • supplier risk register setup
  • backup and recovery evidence reviews
  • plant incident tabletop exercises
  • SharePoint ISMS setup
  • internal audit preparation
  • corrective action tracking
  • management review preparation
  • vCISO support for manufacturing cybersecurity

Stay Connected With Canadian Cyber

Follow Canadian Cyber for practical guidance on ISO 27001, OT security, manufacturing cybersecurity, vendor risk, incident response, SharePoint ISMS, internal audits, and vCISO support.