Hard2bit

Case study · Manufacturing · Compliance

ISO 27001 from scratch at a manufacturing company

A mid-sized manufacturer received an ultimatum from its main customer: achieve ISO 27001 certification or drop out of its supply chain. There was no ISMS, no asset inventory and no defined security function. Ten months later it passed the certification audit with no major non-conformities.

  • Sector: Industrial manufacturing
  • Size: ~180 employees · 2 plants
  • Framework: ISO/IEC 27001:2022
  • Starting point: No previous ISMS
  • Duration: 10 months to certification
  • Outcome: Certified · no major NCs

The starting point

The company manufactured components for an enterprise customer that had tightened its supply-chain requirements: ISO 27001 certification within twelve months, or a gradual loss of orders. Until then, security had been the diffuse responsibility of a three-person IT team. There was no reliable asset inventory, backups were never tested, and the office and plant networks shared a single segment.

The board had a legitimate concern: that the project would become a graveyard of policies with no real effect. Our condition was the opposite — every control implemented had to leave operational evidence that someone could show an auditor without preparing anything the week before.

How we approached it

We worked in five phases, each with deliverables closed before opening the next:

  1. Gap analysis against ISO/IEC 27001:2022 — all 93 Annex A controls assessed on site, not by questionnaire. Result: 68% of applicable controls had no recognisable implementation.
  2. Inventory and risk assessment — an asset inventory built from scratch (servers, endpoints, production lines with embedded IT, unmanaged SaaS) and a risk methodology approved by the board, with explicit acceptance thresholds.
  3. ISMS design and Statement of Applicability — policies and procedures written in the company's own language, with named owners per control. The production-line electronics were excluded from scope with a documented rationale; the plant IT perimeter was included.
  4. Phased implementation — first whatever reduced real risk (office/plant segmentation, MFA, backup management with restore tests, access and leaver management), then the documentation layer. Role-based training rather than generic awareness.
  5. Internal audit and certification support — a full internal audit six weeks before the certification visit, with fifteen deviations found and closed before the certification body arrived.

Results

  • 10 months: from kick-off to certificate, within the customer's deadline
  • 0: major non-conformities at the certification audit
  • 93: Annex A controls assessed and resolved in the Statement of Applicability

Beyond the certificate: the plant network is now segmented from the office network, backups are restore-tested monthly with records kept, and the security committee meets quarterly around a dashboard the board actually understands. The enterprise customer kept its orders, and the company now uses the certificate as a commercial argument with new clients.

What made it work

  • Start with the controls that reduce risk, not the ones that fill paper: audits are won in operations.
  • An honest, well-justified scope is worth more than an ambitious one that cannot be sustained.
  • An internal audit with real time to react (six weeks) turned certification into a formality with no surprises.

Related services

Need ISO 27001 certification?

Hard2bit is ISO 27001 certified — we implement what we operate ourselves. Tell us your starting point and we'll propose a realistic scope, phasing and timeline.