This repository provides a structured and practical cybersecurity audit program designed for organizations operating in the manufacturing industry.
Manufacturing environments are unique because they combine traditional Information Technology (IT) systems with Operational Technology (OT), Industrial Control Systems (ICS), production networks, engineering workstations, industrial automation systems, wireless shop-floor devices, and third-party vendor access.
A cybersecurity audit in this context must go beyond standard IT controls. It must also consider production availability, operational continuity, industrial safety, intellectual property protection, and resilience against cyber threats such as ransomware, data leakage, unauthorized access, and disruption of manufacturing operations.
This audit program focuses on the following key cybersecurity domains:
- Asset Management
- Vulnerability Management
- Network Security
- Wireless Security
- Data Governance
- Data Leakage Prevention
- Work From Home and Remote Access Security
- Antivirus, Endpoint Protection, and EDR
The purpose of this project is to provide a reusable cybersecurity audit framework for manufacturing organizations.
It can be used by:
- Cybersecurity auditors
- Internal audit teams
- Information Security Officers
- CISO teams
- Risk and compliance teams
- OT security teams
- IT infrastructure teams
- Consultants assessing manufacturing environments
The main objectives are to:
- Identify cybersecurity weaknesses.
- Assess the maturity of implemented security controls.
- Evaluate risks impacting IT and OT environments.
- Review the protection of production systems and sensitive data.
- Provide practical and risk-based remediation recommendations.
- Support audit preparation, compliance reviews, and cybersecurity improvement programs.
Manufacturing companies face specific cybersecurity challenges because their environments often include both corporate IT systems and industrial OT systems.
Common manufacturing cybersecurity risks include:
- Weak segmentation between IT and OT networks.
- Legacy industrial systems that cannot be easily patched.
- Remote vendor access to production systems.
- Use of industrial protocols with limited security features.
- Ransomware spreading from corporate IT to production networks.
- Unauthorized access to PLCs, HMIs, SCADA systems, and engineering workstations.
- Data leakage involving product designs, CAD files, formulas, recipes, or production data.
- Wireless exposure on shop floors, warehouses, and production areas.
- Lack of visibility over industrial assets.
- Incomplete monitoring of OT network traffic.
Unlike traditional IT environments, a cyber incident in manufacturing may directly impact:
- Production availability.
- Product quality.
- Delivery timelines.
- Industrial safety.
- Business continuity.
- Customer commitments.
- Intellectual property.
- Regulatory compliance.
The audit covers the following cybersecurity domains.
Asset Management
Objective: To verify whether the organization maintains a complete, accurate, and regularly updated inventory of IT, OT, network, wireless, cloud, and industrial assets.
The asset inventory should include, where applicable:
- Servers
- Workstations
- Laptops
- Virtual machines
- Network devices
- Firewalls
- Switches
- Routers
- Wireless access points
- PLCs
- HMIs
- SCADA systems
- Engineering workstations
- MES systems
- Industrial switches
- IoT and IIoT devices
- Production terminals
- Barcode scanners
- Industrial tablets
- Vendor access devices
- Cloud assets
The organization should be able to demonstrate that:
- All assets are inventoried.
- Each asset has a designated owner.
- Critical production assets are identified.
- Assets are classified by business criticality.
- Unsupported or obsolete assets are tracked.
- Unauthorized assets are detected and investigated.
- The inventory is reconciled with technical discovery sources.
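One way to test the last point (reconciling the inventory against technical discovery sources) is shown below as an added example; it is not a script from this repository, and the CSV columns, hostnames and the zones where an EDR agent is expected are constructed assumptions:

```python
"""Reconcile a CMDB export against EDR, vulnerability scanner and passive OT
discovery data, as an audit test for the asset management domain.

All four inputs are constructed sample data; their column names and the
zones in which an EDR agent is expected are assumptions for this example.
"""
import csv
import io

CMDB_EXPORT = """hostname,owner,criticality,zone,support_status
ERP-APP01,IT Infrastructure,High,Enterprise IT,supported
ENG-WS-07,,High,OT Supervisory,supported
PLC-LINE3-01,OT Engineering,Critical,Control,unsupported
HIST-01,OT Engineering,High,OT Supervisory,supported
HR-WS-112,IT Infrastructure,Low,Enterprise IT,supported
"""

EDR_ASSET_LIST = """hostname,agent_status
erp-app01.corp.example,healthy
hr-ws-112.corp.example,healthy
vendor-lt-03,healthy
"""

SCANNER_ASSET_LIST = """hostname
ERP-APP01
HIST-01
HR-WS-112
UNKNOWN-10-20-5-44
"""

PASSIVE_OT_DISCOVERY = """hostname,protocol
PLC-LINE3-01,Modbus/TCP
PLC-LINE3-02,Modbus/TCP
HIST-01,OPC UA
"""

# Zones where an endpoint agent is expected; the Control zone is excluded
# because PLCs cannot run one and need compensating controls instead.
EDR_EXPECTED_ZONES = {"Enterprise IT", "DMZ", "OT Supervisory"}


def normalize(hostname):
    """Lower-case and drop the DNS suffix so sources can be matched by name."""
    return hostname.strip().lower().split(".")[0]


def hostnames(csv_text):
    return {normalize(r["hostname"]) for r in csv.DictReader(io.StringIO(csv_text))}


def reconcile(cmdb_text, edr_text, scanner_text, ot_text):
    """Return the inventory gaps an auditor would raise, keyed by gap type."""
    cmdb = {normalize(r["hostname"]): r
            for r in csv.DictReader(io.StringIO(cmdb_text))}
    edr = hostnames(edr_text)
    discovered = edr | hostnames(scanner_text) | hostnames(ot_text)
    return {
        # Seen by a technical source but absent from the inventory: candidates
        # for the "unauthorized asset" investigation the program asks for.
        "not_in_cmdb": sorted(discovered - set(cmdb)),
        # Inventoried but never observed by any source: likely stale records.
        "not_discovered": sorted(set(cmdb) - discovered),
        # Assets in agent-capable zones with no EDR record (coverage gap).
        "missing_edr": sorted(h for h, r in cmdb.items()
                              if r["zone"] in EDR_EXPECTED_ZONES and h not in edr),
        # Ownership and lifecycle attributes the program expects to be filled.
        "no_owner": sorted(h for h, r in cmdb.items() if not r["owner"].strip()),
        "unsupported": sorted(h for h, r in cmdb.items()
                              if r["support_status"].lower() == "unsupported"),
    }


if __name__ == "__main__":
    gaps = reconcile(CMDB_EXPORT, EDR_ASSET_LIST,
                     SCANNER_ASSET_LIST, PASSIVE_OT_DISCOVERY)
    for gap, hosts in gaps.items():
        print("%-15s %s" % (gap, ", ".join(hosts) or "-"))
```

Each non-empty list maps to an audit question in the checklist (unknown assets, stale records, EDR coverage, ownership, end-of-support tracking).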
Evidence to request:
- IT asset inventory
- OT asset inventory
- CMDB export
- Asset owner matrix
- Asset criticality classification
- Discovery reports
- EDR asset list
- Vulnerability scanner asset list
- Network diagrams
- End-of-life and end-of-support reports
Vulnerability Management
Objective: To assess whether vulnerabilities are identified, prioritized, remediated, tracked, and verified across IT and OT environments.
The organization should have a formal vulnerability management process covering:
- Internal vulnerability scanning
- External vulnerability scanning
- Authenticated scanning
- Cloud vulnerability assessment
- Endpoint vulnerability assessment
- OT-safe vulnerability assessment
- Patch management
- Remediation tracking
- Risk acceptance
- Compensating controls
- Rescanning and closure validation
In OT environments, vulnerability assessment must be performed carefully. Aggressive scanning may disrupt legacy industrial devices, PLCs, or production systems.
The audit should verify that OT vulnerability assessments are performed using safe methods such as:
- Passive discovery
- Vendor-approved scanning
- Maintenance-window scanning
- Testing in lab or pre-production environments
- Coordination with OT and production teams
- Compensating controls when patching is not possible
Evidence to request:
- Vulnerability management policy
- Vulnerability scan reports
- Authenticated scan configuration
- External scan results
- Internal scan results
- OT vulnerability assessment procedure
- Patch management reports
- SLA matrix
- Remediation tickets
- Risk acceptance forms
- Rescan evidence
- Vulnerability dashboards
Network Security
Objective: To assess whether the network architecture is secure, segmented, monitored, and protected against unauthorized access and lateral movement.
The organization should be able to demonstrate that:
- The network architecture is documented.
- OT is segmented from corporate IT.
- Firewall rules are reviewed periodically.
- Network access follows least privilege.
- Production systems are not directly exposed to the internet.
- Remote access to OT is strictly controlled.
- Suspicious traffic is monitored and investigated.
- Logs are centralized and retained.
- Network diagrams are kept up to date.
A manufacturing network may include:
| Zone | Examples |
|---|---|
| Enterprise IT Zone | Email, Active Directory, ERP, user workstations |
| DMZ | Jump servers, file transfer servers, update servers |
| OT Supervisory Zone | SCADA, HMI, historians, MES |
| Control Zone | PLCs, controllers, industrial switches |
| Safety Zone | Safety systems, where applicable |
| Vendor Access Zone | Remote maintenance access, vendor gateways |
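A rule-base review against the zone model in the table, checking that corporate IT and vendor networks do not reach OT zones directly or through overly broad rules, as an added example rather than a script from this repository; the address blocks, rule export columns, sample rules and severity thresholds are constructed assumptions:

```python
"""Review an exported firewall rule base against the audit program's zone
model, flagging allow rules that let corporate IT or vendor networks reach
OT zones directly or too broadly.

The zone-to-address mapping, the rule export columns and the sample rules
are constructed for this example; severity thresholds are assumptions.
"""
import csv
import io
import ipaddress

ZONE_BLOCKS = {
    "10.10.0.0/16": "Enterprise IT",
    "10.20.0.0/24": "DMZ",
    "10.50.0.0/16": "OT Supervisory",
    "10.60.0.0/16": "Control",
    "10.70.0.0/24": "Safety",
    "172.16.99.0/24": "Vendor Access",
}
OT_ZONES = {"OT Supervisory", "Control", "Safety"}

FIREWALL_RULES = """id,source,destination,service,action
1,10.10.0.0/16,10.50.0.0/16,any,allow
2,10.20.0.0/24,10.50.10.5,tcp/4840,allow
3,10.10.5.0/24,10.60.0.0/16,tcp/502,allow
4,172.16.99.0/24,10.60.3.10,tcp/44818,allow
5,any,10.50.0.0/16,tcp/445,allow
6,10.10.0.0/16,10.20.0.0/24,tcp/443,allow
7,10.10.0.0/16,10.50.0.0/16,any,deny
"""


def zone_of(address):
    """Map an address or CIDR from the rule base to a zone name."""
    if address.strip().lower() == "any":
        return "any"
    net = ipaddress.ip_network(address.strip(), strict=False)
    for block, zone in ZONE_BLOCKS.items():
        if net.subnet_of(ipaddress.ip_network(block)):
            return zone
    return "unknown"


def review_rule(rule):
    """Return (severity, reason) for an excessive rule, or None if acceptable."""
    if rule["action"].strip().lower() != "allow":
        return None
    src, dst = zone_of(rule["source"]), zone_of(rule["destination"])
    service = rule["service"].strip().lower()
    if dst not in OT_ZONES and dst != "any":
        return None  # does not reach an OT zone; outside this check's scope
    if src in OT_ZONES and dst in OT_ZONES:
        return None  # intra-OT traffic is reviewed separately
    if "any" in (src, dst, service):
        return ("Critical", "broad rule (any source, destination or service) reaching an OT zone")
    if src == "Enterprise IT" and dst in {"Control", "Safety"}:
        return ("Critical", "corporate IT reaches the control/safety zone directly, bypassing the DMZ")
    if src == "Enterprise IT":
        return ("High", "corporate IT reaches the OT supervisory zone directly instead of via the DMZ")
    if src == "Vendor Access" and dst in {"Control", "Safety"}:
        return ("High", "vendor gateway reaches controllers directly instead of via a jump server")
    return None


def review_rulebase(csv_text):
    """Return {rule id: (severity, reason)} for every flagged rule."""
    findings = {}
    for rule in csv.DictReader(io.StringIO(csv_text)):
        result = review_rule(rule)
        if result:
            findings[rule["id"]] = result
    return findings


if __name__ == "__main__":
    for rule_id, (severity, reason) in review_rulebase(FIREWALL_RULES).items():
        print("rule %s: %s - %s" % (rule_id, severity, reason))
```

Rules 2 and 6 (DMZ to historian on one service, IT to DMZ on HTTPS) follow the expected IT, DMZ, OT Supervisory, Control path and are not flagged.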
Evidence to request:
- Network architecture diagrams
- IT/OT segmentation diagrams
- Firewall rule base
- Firewall review evidence
- VLAN configuration
- Routing tables
- VPN configuration
- IDS/IPS logs
- SIEM logs
- Remote access logs
- Network monitoring alerts
Wireless Security
Objective: To assess whether wireless networks are securely configured, segmented, monitored, and protected against unauthorized access.
The organization should ensure that:
- Wireless access points are inventoried.
- Corporate, guest, IoT, and industrial wireless networks are separated.
- Strong authentication is used.
- Weak encryption protocols are disabled.
- Guest Wi-Fi is isolated from internal networks.
- Rogue access points are detected.
- Wireless configurations are reviewed periodically.
- Industrial wireless devices are documented and secured.
Wireless assets in manufacturing environments may include:
- Barcode scanners
- Warehouse handheld terminals
- Industrial tablets
- Wireless sensors
- Mobile operator panels
- Maintenance laptops
- AGVs
- Robots
- IoT and IIoT devices
Evidence to request:
- Wireless architecture
- SSID list
- Access point inventory
- Wireless controller configuration
- Guest Wi-Fi rules
- Rogue AP detection reports
- RADIUS authentication logs
- Wireless access reviews
Data Governance
Objective: To assess whether the organization properly classifies, owns, protects, retains, and monitors sensitive data.
The organization should have controls covering:
- Data classification
- Data ownership
- Access rights management
- Data retention
- Data deletion
- Sensitive data mapping
- Data flow documentation
- Third-party data sharing
- Protection of intellectual property
- Protection of production data
Sensitive data in manufacturing may include:
- CAD files
- Product designs
- Engineering drawings
- Industrial recipes
- Formulas
- Production parameters
- Machine configurations
- Quality control reports
- Supplier data
- Customer contracts
- Employee data
- Maintenance records
- Production performance data
Evidence to request:
- Data classification policy
- Data owner register
- Access control matrix
- Data retention policy
- Data flow diagrams
- Sensitive data inventory
- Third-party sharing agreements
- Access review evidence
Data Leakage Prevention
Objective: To assess whether the organization can prevent, detect, and respond to unauthorized data exfiltration.
The organization should have DLP controls covering:
- Endpoint data leakage
- Email data leakage
- Web uploads
- Cloud uploads
- USB and removable media
- Printing
- Sensitive file transfer
- DLP alert review
- Incident escalation
The audit should focus on the unauthorized transfer of:
- CAD files
- Engineering drawings
- Product designs
- Recipes and formulas
- Supplier data
- Customer data
- Quality reports
- Production documentation
- Machine configuration files
Evidence to request:
- DLP policy
- DLP rule configuration
- DLP incident reports
- USB control policy
- Email DLP logs
- Cloud upload monitoring reports
- Printing control logs
- DLP exception records
Work From Home and Remote Access Security
Objective: To assess whether remote workers, administrators, and third-party vendors access company systems securely.
Remote access should be governed by controls such as:
- Remote access policy
- MFA enforcement
- VPN access control
- Managed device requirement
- Device compliance checks
- Least privilege access
- Time-bound vendor access
- Privileged session monitoring
- Bastion or jump server usage
- Periodic access review
Remote access to OT systems is highly sensitive. Unauthorized or poorly controlled access can directly impact production systems.
For OT remote access, the organization should enforce:
- MFA
- Named accounts
- Time-bound access
- Approval workflow
- Bastion or jump server
- Session logging
- Session recording where possible
- Vendor access review
- Emergency access review
Evidence to request:
- Remote access policy
- VPN user list
- MFA configuration
- Device compliance reports
- Vendor access records
- Bastion logs
- Privileged session recordings
- Remote access review reports
- Emergency access logs
Antivirus, Endpoint Protection, and EDR
Objective: To assess whether endpoints, servers, and critical workstations are protected against malware, ransomware, and unauthorized activity.
The organization should ensure that:
- Antivirus or EDR is deployed on endpoints and servers.
- Signatures and detection engines are updated.
- Real-time protection is enabled.
- Tamper protection is enabled.
- Malware alerts are investigated.
- Infected endpoints can be isolated.
- Engineering workstations are protected.
- Unsupported systems have compensating controls.
- Antivirus exclusions are documented and reviewed.
Engineering workstations are high-risk assets because they may connect directly to PLCs, controllers, and industrial systems.
The audit should verify that:
- Engineering workstations are protected.
- USB usage is controlled.
- Malware protection is active where technically possible.
- OT endpoints have vendor-approved security controls.
- Unsupported systems are isolated and monitored.
- Ransomware response procedures include production systems.
Evidence to request:
- Antivirus coverage report
- EDR deployment report
- Agent health report
- Malware alert logs
- Signature update status
- Tamper protection configuration
- Endpoint isolation procedure
- Antivirus exclusion list
- Ransomware response playbook
This audit program may be aligned with the following frameworks and standards:
| Framework | Purpose |
|---|---|
| NIST Cybersecurity Framework | General cybersecurity governance and risk management |
| NIST SP 800-82 | Operational Technology and Industrial Control Systems security |
| CIS Critical Security Controls | Practical cybersecurity control implementation |
| ISO/IEC 27001 | Information security management system |
| ISO/IEC 27002 | Security control guidance |
| IEC 62443 | Industrial automation and control systems security |
| CISA Cybersecurity Performance Goals | Baseline cybersecurity practices for critical infrastructure |
| MITRE ATT&CK for Enterprise | Enterprise attack techniques and detection mapping |
| MITRE ATT&CK for ICS | Industrial control system attack techniques |
The audit follows a structured methodology composed of six phases.
Phase 1
Activities:
- Define the audit scope.
- Identify business units and production sites.
- Identify IT, OT, security, and production stakeholders.
- Define audit criteria.
- Request initial documentation.
- Confirm audit timeline.
- Identify critical systems and production constraints.
Deliverables:
- Audit scope document
- Audit planning checklist
- Initial evidence request list
- Stakeholder list
Phase 2
Activities:
- Review cybersecurity policies.
- Review asset inventory.
- Review network diagrams.
- Review vulnerability reports.
- Review remote access procedures.
- Review data governance documentation.
- Review antivirus and EDR coverage.
- Review previous audit findings.
Deliverables:
- Documentation review notes
- Evidence gap analysis
- Preliminary observations
Phase 3
Activities:
- Review vulnerability scan results.
- Analyze network segmentation.
- Review firewall rules.
- Validate wireless configuration.
- Review endpoint protection status.
- Analyze remote access logs.
- Review DLP alerts.
- Assess asset inventory accuracy.
Deliverables:
- Technical assessment results
- Control effectiveness evaluation
- Security gap list
Phase 4
Activities:
- Interview IT teams.
- Interview OT teams.
- Interview network administrators.
- Interview production representatives.
- Interview data owners.
- Interview SOC or security monitoring teams.
- Interview remote access and vendor management owners.
Deliverables:
- Interview notes
- Process validation results
- Control implementation observations
Phase 5
Activities:
- Consolidate findings.
- Assess business impact.
- Rate findings by severity.
- Identify root causes.
- Define recommendations.
- Validate findings with stakeholders.
Deliverables:
- Risk-rated findings register
- Draft audit report
- Corrective action plan
Phase 6
Activities:
- Present final findings.
- Agree on remediation owners.
- Define target remediation dates.
- Validate management responses.
- Issue final audit report.
Deliverables:
- Final cybersecurity audit report
- Executive summary
- Detailed findings
- Corrective action plan
- Evidence appendix
Findings should be rated using the following severity levels.
| Severity | Description |
|---|---|
| Critical | Weakness that could lead to production disruption, ransomware propagation, OT compromise, major data leakage, or severe business impact |
| High | Significant weakness with a realistic exploitation path and important business impact |
| Medium | Control weakness that increases risk but may be partially mitigated |
| Low | Documentation, process, monitoring, or improvement issue with limited direct impact |
Each control may be assessed using the following maturity scale.
| Rating | Maturity Level | Description |
|---|---|---|
| 0 | Not Implemented | The control does not exist |
| 1 | Initial | The control exists informally but is inconsistent or undocumented |
| 2 | Defined | The control is documented but not fully implemented |
| 3 | Implemented | The control is implemented and supported by evidence |
| 4 | Managed | The control is monitored, measured, and reviewed |
| 5 | Optimized | The control is continuously improved and integrated into governance processes |
The following evidence may be requested during the audit.
- IT asset inventory
- OT asset inventory
- CMDB export
- Asset ownership matrix
- Asset criticality classification
- Network discovery reports
- Unsupported asset list
- Asset lifecycle procedure
- Asset onboarding and decommissioning records
- Vulnerability management policy
- Vulnerability scan reports
- Authenticated scan configuration
- External scan reports
- Internal scan reports
- OT vulnerability assessment procedure
- Patch management reports
- Remediation SLA matrix
- Risk acceptance records
- Vulnerability tickets
- Rescan evidence
- Network architecture diagrams
- IT/OT segmentation diagrams
- Firewall rule base
- Firewall rule review evidence
- VPN configuration
- IDS/IPS logs
- Remote access logs
- Internet exposure assessment
- Network monitoring alerts
- SIEM logs
- Wireless architecture
- SSID list
- Access point inventory
- Wireless controller configuration
- Guest Wi-Fi rules
- Rogue AP detection reports
- RADIUS authentication logs
- Wireless review reports
- Data classification policy
- Data owner register
- Data flow diagrams
- Access control matrix
- Retention policy
- Sensitive data inventory
- Third-party data sharing agreements
- Access review reports
- DLP policy
- DLP rule configuration
- DLP incident reports
- USB control policy
- Email DLP logs
- Cloud upload monitoring reports
- Printing control logs
- DLP exception records
- Remote access policy
- VPN user list
- MFA configuration
- Device compliance reports
- Vendor access records
- Bastion logs
- Privileged session recordings
- Remote access review reports
- Emergency access records
- Antivirus coverage report
- EDR deployment report
- Malware alert logs
- Agent health report
- Signature update status
- Tamper protection configuration
- Endpoint isolation procedure
- Antivirus exclusion list
- Ransomware response playbook
The following questions can be used during interviews, walkthroughs, evidence review, and control testing.
- Does the organization maintain a complete inventory of IT and OT assets?
- Does the asset inventory include servers, workstations, laptops, network devices, firewalls, wireless access points, PLCs, HMIs, SCADA systems, engineering workstations, MES systems, IoT/IIoT devices, and cloud assets?
- Are all assets assigned to a clearly identified owner?
- Are critical production assets formally identified?
- Are assets classified based on business criticality, sensitivity, environment, and operational impact?
- Are unsupported or end-of-life systems tracked?
- Is the asset inventory regularly reconciled with discovery tools, vulnerability scanners, EDR platforms, Active Directory, DHCP records, and network data?
- Is there a formal process for onboarding, updating, and decommissioning assets?
- Are unknown or unauthorized assets detected and investigated?
- Are vulnerability scans performed regularly across internal, external, cloud, and endpoint environments?
- Are authenticated scans used where technically possible?
- Are OT systems assessed using safe, approved, and non-disruptive methods?
- Are vulnerability assessments coordinated with production and OT teams?
- Are vulnerabilities prioritized based on severity, exploitability, asset criticality, exposure, and business impact?
- Are remediation SLAs formally defined and monitored?
- Are critical and high vulnerabilities remediated within the agreed timeframe?
- Are exceptions formally documented, justified, approved, and time-bound?
- Are compensating controls implemented when vulnerabilities cannot be remediated immediately?
- Are remediated vulnerabilities verified through rescanning or technical validation?
- Are vulnerability metrics reported to management regularly?
- Is the OT network segmented from the corporate IT network?
- Is the network architecture documented and approved?
- Are network diagrams regularly updated?
- Are firewall rules reviewed periodically?
- Are firewall rules based on the principle of least privilege?
- Are production systems protected from direct internet exposure?
- Is remote access to OT systems strictly controlled?
- Is traffic between IT, DMZ, OT, and industrial zones monitored?
- Are insecure or legacy protocols identified and risk-assessed?
- Are network logs centralized and monitored?
- Are suspicious network activities investigated and escalated?
- Are all wireless access points inventoried and approved?
- Are corporate, guest, IoT, and industrial wireless networks logically separated?
- Is strong authentication used for corporate wireless access?
- Are weak encryption protocols disabled?
- Is guest Wi-Fi isolated from internal systems?
- Are rogue access points detected and investigated?
- Are wireless configurations periodically reviewed?
- Are wireless devices used on the shop floor documented?
- Are industrial wireless devices segmented from critical OT systems?
- Are wireless logs retained and reviewed?
- Is sensitive data formally classified?
- Are data owners assigned for critical business, production, customer, supplier, employee, and intellectual property data?
- Is access to sensitive data granted based on the principle of least privilege?
- Are access rights reviewed periodically?
- Are data retention and deletion rules defined?
- Are sensitive data flows documented?
- Is production data protected according to its business value and operational sensitivity?
- Are engineering documents, CAD files, formulas, recipes, and product designs protected?
- Are third-party data sharing activities governed by contracts, confidentiality clauses, and access controls?
- Are users trained on how to handle sensitive and confidential information?
- Is DLP deployed on endpoints, email, web, and cloud channels?
- Are DLP policies aligned with the organization’s data classification scheme?
- Are USB and removable media devices controlled?
- Are sensitive files monitored when copied, uploaded, printed, or emailed?
- Are unauthorized uploads to personal cloud storage blocked or monitored?
- Are outbound emails inspected for sensitive attachments or confidential data?
- Are DLP alerts reviewed and investigated?
- Is there a formal escalation process for suspected data leakage incidents?
- Are DLP rules tested and tuned to reduce false positives?
- Are exceptions to DLP controls approved and documented?
- Is MFA enforced for remote access?
- Are only managed and compliant devices allowed to connect remotely?
- Is VPN access restricted based on user role and business need?
- Is split tunneling controlled based on risk?
- Are vendor accesses approved, time-bound, and monitored?
- Are privileged remote sessions recorded or logged?
- Is remote access to OT systems performed through a bastion, jump server, or secure remote access gateway?
- Are shared accounts prohibited for remote access?
- Are inactive remote access accounts disabled?
- Are remote access rights reviewed periodically?
- Are emergency remote access activities reviewed after use?
- Are all endpoints and servers protected by antivirus, EDR, or equivalent endpoint security controls?
- Are antivirus signatures and detection engines updated automatically?
- Is real-time protection enabled?
- Are users prevented from disabling or tampering with endpoint protection agents?
- Are malware alerts investigated and escalated?
- Can infected endpoints be isolated from the network?
- Are engineering workstations protected?
- Are HMI, SCADA, and OT servers protected where technically possible?
- Are antivirus exclusions documented, justified, and periodically reviewed?
- Are unsupported systems protected by compensating controls?
- Are ransomware detection and response capabilities tested?
At the end of the audit, the following deliverables should be produced:
- Cybersecurity audit report
- Executive summary
- Risk-rated findings register
- Evidence tracker
- Asset management gap analysis
- Vulnerability management maturity assessment
- Network segmentation assessment
- Wireless security assessment
- Data governance assessment
- Data leakage prevention assessment
- Remote access security assessment
- Antivirus, EDR, and endpoint protection coverage assessment
- OT security observations
- Corrective action plan
- Management action plan
- Audit evidence appendix
For manufacturing organizations, the highest-priority cybersecurity areas are usually:
- IT/OT network segmentation
- OT asset inventory
- Remote vendor access governance
- Vulnerability and patch management
- Backup and recovery of production systems
- Endpoint protection on engineering workstations
- USB and removable media control
- Data leakage prevention for intellectual property
- Security monitoring and incident response
- Business continuity and disaster recovery
- Protection of PLC, HMI, SCADA, and MES environments
- Access control for privileged and production-related accounts
Example findings register:

| Finding | Risk Level | Recommendation | Owner | Target Date | Status |
|---|---|---|---|---|---|
| Incomplete OT asset inventory | High | Establish a centralized OT asset inventory and reconcile it with passive discovery data. | OT Security / Infrastructure | To be defined | Open |
| Excessive firewall rules between IT and OT | Critical | Review and restrict firewall rules based on least privilege. | Network Team | To be defined | Open |
| Vendor VPN accounts permanently enabled | High | Implement time-bound vendor access with MFA and session monitoring. | IAM / Network Team | To be defined | Open |
| Missing DLP controls for CAD files | Medium | Configure DLP policies to monitor and restrict unauthorized transfer of engineering files. | Data Protection Team | To be defined | Open |
| EDR not deployed on engineering workstations | High | Deploy EDR where technically supported or implement compensating controls. | Endpoint Security Team | To be defined | Open |
Example detailed finding:

Observation: The audit identified that several third-party vendor VPN accounts remain permanently enabled, including accounts used for remote maintenance of production-related systems.
Risk: Permanent vendor access increases the risk of unauthorized access, credential misuse, lateral movement, and potential compromise of industrial systems. In a manufacturing environment, this could result in production disruption, unauthorized changes to systems, or exposure of sensitive operational data.
Severity: High
Recommendation: Implement a formal vendor remote access process requiring prior approval, MFA, time-bound access, session logging, and periodic review. Vendor access to OT systems should be routed through a controlled bastion or jump server, and privileged sessions should be monitored or recorded.
Expected Evidence for Closure:
- Updated remote access policy
- Vendor access approval workflow
- MFA enforcement evidence
- VPN access logs
- Bastion or jump server logs
- Periodic access review evidence
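A review of a VPN user list export that tests the vendor access issue in the finding above together with the MFA, shared-account, expiry and inactive-account questions from the remote access checklist, as an added example that is not part of this repository; the export columns, usernames, reference date and 90-day inactivity threshold are constructed assumptions:

```python
"""Review a VPN user list export for remote access weaknesses: vendor
accounts that are permanently enabled, missing MFA, shared, expired but
still enabled, or inactive.

The CSV below is constructed sample data; its column names, the reference
date and the 90-day inactivity threshold are assumptions for this example,
not a real VPN product's export format.
"""
import csv
import io
from datetime import date

VPN_USER_LIST = """username,account_type,enabled,mfa,expires,last_login,shared
jdoe,employee,yes,yes,,2024-05-30,no
vendor-acme-maint,vendor,yes,yes,,2024-03-02,no
vendor-robotco-01,vendor,yes,no,2024-06-15,2024-05-28,no
vendor-pumpco-02,vendor,yes,yes,2024-05-01,2024-04-28,no
vendor-hvacco-shared,vendor,yes,yes,2024-12-31,2024-05-20,yes
oldadmin,employee,yes,yes,,2023-11-01,no
vendor-packco-03,vendor,yes,yes,2024-06-10,2024-05-29,no
"""

REVIEW_DATE = date(2024, 6, 1)  # constructed "as of" date for the review
INACTIVITY_DAYS = 90            # assumed threshold for disabling unused accounts


def parse_date(value):
    return date.fromisoformat(value.strip()) if value.strip() else None


def review_account(row, today):
    """Return a list of (severity, issue) tuples for one enabled account."""
    issues = []
    if row["enabled"].strip().lower() != "yes":
        return issues  # disabled accounts carry no remote access risk here
    is_vendor = row["account_type"].strip().lower() == "vendor"
    expires = parse_date(row["expires"])
    last_login = parse_date(row["last_login"])
    if row["mfa"].strip().lower() != "yes":
        issues.append(("High", "MFA not enforced"))
    if row["shared"].strip().lower() == "yes":
        issues.append(("High", "shared account used for remote access"))
    # Vendor access must be time-bound; an employee account without an
    # expiry date is governed by the joiner/leaver process instead.
    if is_vendor and expires is None:
        issues.append(("High", "vendor access not time-bound (no expiry)"))
    if expires is not None and expires < today:
        issues.append(("High", "account expired on %s but still enabled" % expires))
    if last_login is None or (today - last_login).days > INACTIVITY_DAYS:
        issues.append(("Medium", "no login in the last %d days" % INACTIVITY_DAYS))
    return issues


def review_vpn_users(csv_text, today=REVIEW_DATE):
    """Return {username: [(severity, issue), ...]} for accounts with issues."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = review_account(row, today)
        if issues:
            findings[row["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_vpn_users(VPN_USER_LIST).items():
        for severity, issue in issues:
            print("%-22s %-8s %s" % (user, severity, issue))
```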
Repository structure:

```text
manufacturing-cybersecurity-audit/
│
├── README.md
│
├── 01-planning/
│   ├── audit-scope-template.md
│   ├── audit-planning-checklist.xlsx
│   └── stakeholder-interview-list.md
│
├── 02-evidence-request/
│   ├── evidence-request-list.xlsx
│   └── evidence-tracker.xlsx
│
├── 03-audit-program/
│   ├── asset-management-audit-program.md
│   ├── vulnerability-management-audit-program.md
│   ├── network-security-audit-program.md
│   ├── wireless-security-audit-program.md
│   ├── data-governance-audit-program.md
│   ├── data-leakage-audit-program.md
│   ├── remote-access-audit-program.md
│   └── endpoint-security-audit-program.md
│
├── 04-findings/
│   ├── findings-register-template.xlsx
│   └── example-findings.md
│
├── 05-reporting/
│   ├── executive-summary-template.md
│   ├── detailed-audit-report-template.md
│   └── corrective-action-plan-template.xlsx
│
└── 06-references/
    ├── frameworks-mapping.md
    └── glossary.md
```
The audit can be considered successful when:
- The audit scope is clearly defined and approved.
- IT and OT stakeholders are involved in the assessment.
- Evidence is collected and reviewed objectively.
- Cybersecurity risks are rated consistently.
- Findings are linked to business and production impact.
- Recommendations are practical and achievable.
- Management validates the corrective action plan.
- Remediation owners and target dates are assigned.
- Follow-up activities are defined.
This audit program provides a general cybersecurity assessment structure for manufacturing environments. It should be adapted based on:
- Organization size
- Production complexity
- OT architecture
- Regulatory requirements
- Geographic scope
- Cloud usage
- Third-party dependency
- Business risk appetite
- Available cybersecurity capabilities
Some OT environments may contain legacy systems that cannot support modern security tools. In such cases, compensating controls should be defined, documented, approved, and monitored.
Cybersecurity testing in OT environments must be performed carefully. Activities such as active scanning, vulnerability exploitation, configuration changes, or traffic manipulation can disrupt production systems if performed without proper planning.
Before performing technical tests in OT environments, the audit team should ensure that:
- Production and OT teams are informed.
- Testing activities are approved.
- Maintenance windows are respected.
- Backup and rollback procedures are available.
- Vendor recommendations are considered.
- Critical production periods are avoided.
- Emergency contacts are identified.
- Testing scope and methods are documented.
This project is intended for educational, audit preparation, and professional cybersecurity assessment purposes. It should be adapted to the specific organization, regulatory requirements, production environment, risk appetite, and applicable legal obligations.
The audit activities must be performed carefully in manufacturing and OT environments. Active scanning, configuration changes, or testing activities should not be performed on production industrial systems without prior approval, impact assessment, and coordination with production and OT teams.
Prepared by Ziad Charafi as a cybersecurity audit framework for manufacturing industry environments, with a focus on IT, OT, industrial systems, data protection, remote access security, endpoint protection, and operational resilience.