Integrating ISO 27001 and ISO 9001 into a single management system

April 22nd, 2024 Posted in ISO 22301, ISO 27001

This article discusses integrating ISO 27001 and ISO 9001 into a single management system, why some organisations may be reluctant to make the transition, and why they should perhaps make the leap regardless.

Cyber security and data protection are becoming ever more critical to organisations worldwide, and, as threats grow, so too has the number of organisations looking to attain ISO certification, because clients and partners increasingly require compliance with the standards as part of their own criteria. Not only that, but as holding multiple ISO standards rapidly becomes the norm, many organisations are now looking towards integrating those standards as a means of reducing duplication and cost.

It can seem a daunting task, but this article highlights why the short-term effort is worth the long-term benefits for your organisation. You needn't try to do it alone, either: a good ISO consultancy provider, such as Evalian, can support you with the heavy lifting. Let's get into it.

What is an integrated management system?

Since Annex SL and the harmonised approach for management system standards were introduced in 2015, the high-level structure has made combining disparate management systems that support different ISO standards into a single integrated management system much easier to achieve than was previously possible.

The high-level structure as defined includes common text, structure and guidance; this provides the familiar clause structure found in many ISO standards today:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation 
  10. Improvement 

Is creating an integrated management system too much effort?

Integrating ISO 27001 and ISO 9001 into a single management system may at first seem like a daunting and perhaps unattainable task, especially with large and complex organisations. Many organisations may fall into the trap of treating each ISO standard as its own project and thinking that it is too much work to pull together into a single system that meets the requirements of both standards. 

Integration is the future of ISO

The ISO Technical Management Board Joint Technical Coordination Group on Management System Standards website explains that all ISO management systems will be aligned and will seek to enhance current levels of compatibility between existing management system standards. Guidance on integrated management systems has been published which can be applied to all kinds of organisations in many industries and sectors. 

As we touched on earlier, ISO certification is growing in popularity, with many organisations holding multiple ISO certifications; integrating these can therefore be a cost-effective solution for many businesses.

Benefits of integrating your management system

Streamlined processes: Integrating ISO 9001 and ISO 27001 allows organisations to streamline their processes by eliminating duplication and reducing complexity. Instead of managing separate systems, a unified approach ensures coherence and increased consistency across quality management and information security processes. A single integrated management system provides for the requirements of both ISO 9001 and ISO 27001.

Cost savings: Managing a single integrated system can lead to cost savings in terms of resource allocation, training, and auditing. Rather than conducting separate audits for each standard, organisations can consolidate audit activities, saving significant money, time, and resources. Combined audits covering multiple standards may require fewer audit days than separate audits. Removing duplicated effort and consolidating wherever possible and practicable can make a significant difference to the time and resources expended in meeting the needs of the management system.

Improved decision making: Where an organisation has managed to create an integrated management system, this gives stakeholders a better overview of the organisation’s performance, facilitating better decision-making. The combination and alignment of quality objectives with information security goals facilitates increased consistency and the ability to make better informed decisions. 

Competitive advantage: Demonstrating compliance with both ISO 9001 and ISO 27001 may provide customers with peace of mind, knowing that an organisation has taken the time to certify to these internationally recognised standards; this enhances both reputation and credibility. Certification demonstrates to relevant stakeholders a commitment to quality, security, and continuous improvement, which leads to a competitive advantage, as customers increasingly require that organisations be certified to such standards as part of their procurement processes.

Due to the potential significant savings that may be realised, there is ever increasing demand for the integration of management systems. 

Tips for your organisation

When looking at integrating management systems, focus on the commonalities of existing operational arrangements. These could include (but are not limited to) such things as:

Meetings: Where individual meetings are currently used for quality and information security, these may be combined to cover both topics.  

Reporting: Reports may be consolidated to cover the requirements of both ISO 9001 and ISO 27001 requirements. 

Roles and responsibilities: Roles and responsibilities should be reviewed to identify any potential savings. Depending on the size and scale of the organisation, quality and information security roles may potentially be combined and handled by a single resource. Larger, more complex organisations may still benefit from different teams using the same management system for different purposes; here the aim is focused more on achieving savings through standardisation and on leveraging processes and other resources where possible and practicable.

Awareness: Activities supporting awareness within the organisation may be combined to include both quality and information security arrangements. 

Communications: Separate communication plans and arrangements for quality and information security may be consolidated into a single plan. Meetings may be combined, broadcasts and training content may be combined to cover both quality and information security matters, and reports may be consolidated.

Competency arrangements: Consolidate the defined levels of competency so that they effectively support the integrated management system and ensure that the intended results are achieved.

Induction training: Consolidate training content to include both quality and information security related activities.

Supporting documentation: For the documentation the organisation requires to make the integrated management system effective, review the supporting documentation and ensure that any duplication, overlapping areas or areas of similarity are identified and consolidated as appropriate and applicable to the needs and requirements of the organisation.

Internal audit arrangements: Audits are expensive. Significant savings may be realised by consolidating audits where appropriate and applicable with the aim of reducing the number of audit days that are needed. 

Continual improvement arrangements: This is another area of similarity, where the same process or methodology may be used to achieve and document continual improvement, consolidating the arrangements of separate ISO 9001 and ISO 27001 management systems into a single integrated management system.

The above examples are a good place to start, but there are many more potential areas where savings may be realised, such as combining similar activities and operational arrangements.

The clauses of ISO 9001 and ISO 27001 map to one another with close alignment and compatibility, which makes integration that much easier. Care and consideration do, however, need to be taken with standard-specific requirements such as ISO 27001 6.1.2 information security risk assessment and ISO 27001 6.1.2 information security risk treatment, where the requirements differ significantly from ISO 9001 and should therefore be managed as separate activities. The same applies to the ISO 27001 Annex A arrangements and the statement of applicability (SoA).

When consolidating two different standards into a single integrated management system, organisations would do well to adopt the process approach combined with risk-based thinking, where inputs are used by the organisation to determine risks and opportunities, and a continual improvement methodology such as PDCA may be used to properly evaluate and determine those activities and operational arrangements where savings and benefits may be realised.

Conclusion

Many organisations may find the consolidation of two management systems into a single integrated management system an attractive proposition but may fear the potential effort and disruption. Whilst it is true that there is some effort involved in considering what savings may be made whilst still conforming to the requirements of each standard, the short-term pain in terms of planning is well worth the long-term gain in terms of savings and efficiencies.

Support to integrate your management system

If you would like to discuss how to integrate your management system, Evalian are best placed to help. Our stand-out ISO consultancy solutions are tailored around your organisation's specific needs. Our expert ISO consultants are hands-on and act as an extended member of your team in order to provide you with the level of support you need. Contact us for a no-obligation chat using the form below, or to learn more about our ISO services, visit our ISO solutions packages page.


Image by Racool_studio on Freepik

Written by Mike Smith

Mike is a security consultant with Evalian, with 20 years of auditing experience behind him in both secure and commercial entities within a Fortune 500 company. Mike is a qualified lead auditor for several ISO standards, including ISO 9001, ISO 27001 and ISO 22301, and also has experience with process maturity assessments as well as project audits.