How to integrate ISO 9001 and ISO 27001

Update 2022-05-03.

ISO 27001 is one of the most popular standards in the world, and many companies now need information security as their use of information technology, cloud services, etc. increases. If you have already implemented ISO 9001 and want to implement ISO 27001, or you plan to implement both standards at once, the best approach is to create an Integrated Management System (IMS) that meets the requirements of both standards. This will save you a great amount of time in the implementation, and it will also decrease the effort of maintaining the system and achieving continual compliance with both standards.

Common requirements of ISO 9001 and ISO 27001 to create an integrated management system are:
  • Context of the organization
  • Interested parties and their requirements
  • Document control
  • Competence, awareness, and communication
  • Internal audit and management review
  • Nonconformities and corrective actions

Start with the common ground

The key for saving time and effort is good planning. Your implementation project should be based not only on the current state of your organization, in terms of compliance with the requirements of these two standards, but also on spotting shortcuts and low-hanging fruit. Some of the most important places where you can speed up the implementation are the following common requirements of both standards:

  • Context of the Organization – Both standards require identification of internal and external issues relevant to the company, but from different perspectives. ISO 9001 focuses on quality, and ISO 27001 focuses on information security. For more information, see: How to identify the context of the organization in ISO 9001:2015.
  • Interested Parties and their Requirements – The organization will have to determine interested parties and their requirements related to quality and information security. These requirements can be addressed with the same process, and an integrated list of interested parties can be created. For more information, see: How to determine interested parties and their requirements according to ISO 9001:2015 and How to identify interested parties according to ISO 27001 and ISO 22301.
  • Responsibility and Authority – The roles and responsibilities within the QMS and the ISMS differ, but both standards require that they be defined, and this can be done in the same way for both. For more information, see: How to comply with new leadership requirements in ISO 9001:2015 and How to document roles and responsibilities according to ISO 27001.
  • Competence, Awareness, Communication, Control of System Documents and Records – All these requirements are common not only for ISO 9001 and ISO 27001, but for other standards as well – and, they can be addressed in the same way and at the same time.
  • Internal Audit and Management Review – Of course, the requirements to be audited and the review inputs and outputs are different, but the way the process is conducted is the same. Depending on the size and complexity of the company and its processes, internal audit or management review can be done at the same time or separately.
  • Both require systems for nonconformity and corrective actions – The process of handling nonconformities and corrective actions can be the same for both standards, and there is no reason to separate them.

With all of these common elements, it is logical to maintain a single process for each common element rather than one per standard. Keep in mind, though, that although some requirements seem the same and can be covered by the same process, that doesn’t mean they will produce the same results for both standards. The focus of ISO 9001 is on quality products and services and customer satisfaction, while ISO 27001 is focused on information security; therefore, the inputs and the results of the management review will differ, and the same goes for most of the above-mentioned common clauses.


Additional requirements of ISO 27001

The differences between the standards usefully supplement each other, which contributes decisively to business success: information security protects the company’s potential, and quality management creates it. After addressing the common requirements of the standards, the company must deal with their differences, which are found mostly in clauses 6 and 8. ISO 27001 adds the following to the IMS:

  • Information security risk assessment – The organization needs to develop a methodology for identifying and evaluating information security risks. This process shouldn’t be mixed with addressing risks and opportunities in ISO 9001, since the latter has far fewer requirements, and applying the same methodology to it would be overwhelming and unproductive. For more information, see: How to write ISO 27001 risk assessment methodology.
  • Information security risk treatment – This process doesn’t have a peer in ISO 9001, so it can be done independently. It basically requires the organization to apply one or more information security controls listed in Annex A of ISO 27001. For more information, see: 4 mitigation options in risk treatment according to ISO 27001.

Harvest the benefits

Integrating the two management systems creates many synergies: resources can be combined, saving time and money on maintaining and improving the management system.

With a holistic management system approach that embodies international best practice, organizations can demonstrate compliance with both the ISO 27001 and ISO 9001 standards to customers, certification bodies, and regulatory authorities. In addition, by integrating the management of quality and information security, organizations can demonstrate both the quality and security of their processes, as well as achieve significant competitive advantage through improved organizational performance, reduced risk, better customer satisfaction, and enhanced reputation and marketability.


Strahinja Stojanovic

Strahinja Stojanovic is certified as a lead auditor for the ISO 13485, ISO 9001, ISO 14001, and OHSAS 18001 standards by RABQSA. He participated in the implementation of these standards in more than 100 SMEs, through the creation of documentation and performing in-house training for maintaining management systems, internal audits, and management reviews.