ISO/IEC 27001 does not formally define “4 categories” of requirements or controls. The standard is structured around:
- Management system requirements (clauses 4 to 10), and
- The Annex A information security controls, grouped into control domains.
Annex A of the current edition (ISO/IEC 27001:2022) groups its 93 controls into 4 themes, taken from ISO/IEC 27002:2022; the normative text never calls them the "four categories of ISO 27001". (The earlier 2013 edition used 14 control domains, which is why older material counts differently.) The themes are:
- A.5 Organizational controls
- A.6 People controls
- A.7 Physical controls
- A.8 Technological controls
Training material and summary slides often call these the "four categories" of ISO 27001 controls, which is probably what you have seen. In practice the themes are only a grouping: you still need to map your risks, assets, and existing controls to the individual Annex A controls and record in your Statement of Applicability which controls are necessary and why, including a justification for any control you exclude (clause 6.1.3 d)).
Why this matters in regulated manufacturing environments
In industrial and regulated settings, those four themes cut across multiple existing systems and organizations. For example:
- Organizational controls must align with existing quality management, engineering change control, and plant governance. Policies alone do not create compliance if they conflict with entrenched production practices.
- People controls (training, awareness, access provisioning) often need to integrate with HR, training records, and qualification systems already validated for quality or safety purposes.
- Physical controls need to coexist with plant security, safety systems, and long-lived equipment; a full redesign of physical security is rarely realistic given downtime and qualification constraints.
- Technological controls must be layered on top of brownfield OT, legacy MES/ERP/PLM/QMS stacks, and vendor-managed systems. Many controls (for example logging, encryption, or network segregation) are limited by what existing equipment and integration points can technically and safely support: a legacy PLC may not speak an encrypted protocol, and a segmentation change may require requalification of the affected line. Where a control cannot be implemented as written, record the constraint and the compensating control instead of marking it as implemented.
Because of these constraints, adopting ISO 27001 in such environments is usually an exercise in incremental integration, not wholesale replacement of existing systems. Attempts to “rip and replace” major systems purely for ISO 27001 alignment often run into:
- Validation and qualification burden for regulated processes and computerized systems
- Extended downtime that production cannot tolerate
- Complex interactions with legacy interfaces, vendor systems, and safety functions
- Traceability and change-control requirements that slow large-scale transitions
When planning ISO 27001 alignment, it is more robust to:
- Start from your formal risk assessment and asset inventory.
- Map existing controls in each of the four Annex A themes across IT, OT, and process domains.
- Identify realistic gaps and mitigations that respect validation, downtime, and integration constraints.
- Document all decisions and justifications in your risk treatment plan and Statement of Applicability.
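As an added example (not from the original answer), here is a small Python check of the kind of mapping the steps above produce: risks point at Annex A controls, each control carries an applicability decision, a justification, and either the existing control that satisfies it or the constraint that limits it, and the checker flags inconsistencies before the SoA goes to an auditor. The four theme names come from the answer; the individual control IDs and titles are my own illustrative subset of the 2022 Annex A (verify them against your copy of the standard), and all risks, assets and decisions are constructed sample data.

```python
"""Statement of Applicability (SoA) consistency checker (illustrative example).

Theme names are the four ISO/IEC 27001:2022 Annex A themes. The control IDs
and titles used in the sample data are a hand-picked subset, included only
to make the data realistic; check them against the standard itself.
"""
from dataclasses import dataclass, field

# Annex A theme, keyed by the second component of the control ID (A.<theme>.<n>).
THEMES = {"5": "Organizational", "6": "People", "7": "Physical", "8": "Technological"}


@dataclass
class Control:
    cid: str                    # e.g. "A.8.22"
    title: str
    applicable: bool
    justification: str          # needed for inclusions and exclusions alike (clause 6.1.3 d)
    implemented_by: str = ""    # existing IT/OT/process control that already satisfies it
    constraint: str = ""        # validation/downtime/legacy limit and the compensating measure


@dataclass
class Risk:
    rid: str
    description: str
    treatment_controls: list = field(default_factory=list)  # Annex A control IDs


def theme_of(cid: str) -> str:
    """Derive the Annex A theme from a control ID such as 'A.8.22'."""
    parts = cid.split(".")
    if len(parts) != 3 or parts[0] != "A" or parts[1] not in THEMES:
        raise ValueError(f"not an Annex A (2022) control ID: {cid}")
    return THEMES[parts[1]]


def check_soa(controls, risks):
    """Return a list of findings; an empty list means the SoA is internally consistent."""
    findings = []
    by_id = {c.cid: c for c in controls}
    referenced = {cid for r in risks for cid in r.treatment_controls}
    # Every risk treatment must point at a control the SoA actually includes.
    for r in risks:
        for cid in r.treatment_controls:
            if cid not in by_id:
                findings.append(f"{r.rid}: treatment references unknown control {cid}")
            elif not by_id[cid].applicable:
                findings.append(f"{r.rid}: treated by {cid}, which the SoA marks not applicable")
    # Every control needs a justification; every applicable control needs a reason to
    # exist (a risk) and a record of how it is met or why it cannot be met as written.
    for c in controls:
        if not c.justification.strip():
            findings.append(f"{c.cid}: missing justification")
        if c.applicable and c.cid not in referenced:
            findings.append(f"{c.cid}: applicable but no risk treatment references it")
        if c.applicable and not c.implemented_by and not c.constraint:
            findings.append(f"{c.cid}: applicable but neither an implementing control "
                            "nor a constraint is recorded")
    return findings


def theme_summary(controls):
    """(applicable, total) per theme: the coverage map across the four themes."""
    out = {t: [0, 0] for t in THEMES.values()}
    for c in controls:
        t = theme_of(c.cid)
        out[t][1] += 1
        if c.applicable:
            out[t][0] += 1
    return {t: tuple(v) for t, v in out.items()}


# Constructed sample data for a brownfield plant; not real assessment output.
SAMPLE_CONTROLS = [
    Control("A.5.1", "Policies for information security", True,
            "ISMS scope covers all sites", implemented_by="plant QMS document control"),
    Control("A.6.3", "Information security awareness, education and training", True,
            "operators handle batch records", implemented_by="HR training records system"),
    Control("A.7.1", "Physical security perimeters", True,
            "production hall holds validated equipment", implemented_by="existing plant access control"),
    Control("A.8.22", "Segregation of networks", True, "IT/OT boundary exposure",
            constraint="legacy PLC VLAN cannot be split without requalification; "
                       "cell-boundary firewall used instead"),
    Control("A.8.24", "Use of cryptography", False,
            "legacy PLCs cannot run encrypted protocols; compensated by A.8.22"),
    Control("A.8.15", "Logging", True, "needed to detect record tampering"),  # nothing recorded yet
]

SAMPLE_RISKS = [
    Risk("R-01", "Office network user reaches MES", ["A.8.22"]),
    Risk("R-02", "Untrained operator bypasses access rules", ["A.6.3"]),
    Risk("R-03", "Tailgating into production hall", ["A.7.1"]),
    Risk("R-04", "Cleartext Modbus between PLC and HMI", ["A.8.24"]),
    Risk("R-05", "Inconsistent security practice across sites", ["A.5.1"]),
    Risk("R-06", "Undetected tampering with batch records", ["A.8.15"]),
]

if __name__ == "__main__":
    for f in check_soa(SAMPLE_CONTROLS, SAMPLE_RISKS):
        print("FINDING:", f)
    for theme, (app, total) in theme_summary(SAMPLE_CONTROLS).items():
        print(f"{theme}: {app}/{total} applicable")
```

On the sample data the checker reports two problems: R-04 is treated by a control the SoA excludes (the exclusion justification names a compensating control, so the risk should reference A.8.22 instead), and A.8.15 is marked applicable with neither an implementing control nor a constraint recorded. Both are exactly the gaps an auditor looks for when the SoA and the risk treatment plan were written separately.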