Recently, we saw the release of new versions of two of the best-known ISO standards: ISO 9001 (requirements for Quality Management Systems) and ISO 14001 (requirements for Environmental Management Systems). Like ISO 22301 and ISO 27001:2013, these standards follow a similar structure, based on Annex SL, Appendix 2 of ISO/IEC Directives (for more information about Annex SL, as well as about the PDCA cycle in ISO management systems, please read Has the PDCA cycle been removed from the new ISO standards?).
Since the new versions of the standards define transition periods during which management systems certified against the previous versions, integrated or not, must be brought into line, we can expect a cycle of implementation / integration projects all over the world in the next few years. In this article, I will present a brief overview of the main aspects you should consider to take advantage of the standards' similarities, which make it easier to integrate them and enable your organization to work more efficiently.
ISO’s management systems high-level structure
Since the publication of Annex SL, all ISO management system standards must be developed following this high-level structure (clause numbers are those used in Annex SL):
- 1. Scope
- 2. Normative references
- 3. Terms and definitions
- 4. Context of the organization
- 5. Leadership
- 6. Planning
- 7. Support
- 8. Operation
- 9. Performance evaluation
- 10. Improvement
For certification purposes, the most important clauses are clauses 4 through 10. In clauses 4, 5, 7, 9, and 10, the texts of the standards are almost the same. The specifics of each standard are concentrated in clauses 6 (Planning) and 8 (Operation), as follows:
- Clauses 6 and 8 of ISO 9001 refer to product / service planning and realization
- Clauses 6 and 8 of ISO 14001 refer to environmental management
- Clauses 6 and 8 of ISO 27001 refer to information security risk assessment and treatment
Therefore, most of the standards' requirements (clauses 4, 5, 7, 9, and 10) can be unified without compromising any individual standard's purpose.
Approach to integrate management systems
When talking about an integrated management system (IMS), we mean a system in which as many requirements as possible are handled in the same way. For example, if two standards have policy requirements (such as management approval, review, and communication), why not satisfy them with one process? Why not control documents and records in a single, common form?
When thinking about integrating management systems, there are many courses of action to consider, depending on, for example, the organization's context, the number of existing systems, and the systems' maturity. In terms of standards requirements, you can use PAS 99 as a guide (it can help you map and define one set of documentation, policies, procedures, and processes suitable for all of your management systems). Actions to consider include the following:
Awareness & training. Use a single procedure to prescribe the method and frequency of training and awareness activities, as well as the same training materials related to common requirements. This makes it easier to make the organization’s employees aware of the standards’ requirements, how these requirements can help improve business results, and how employees can help to implement and be compliant with them.
Objectives and policy definition. Identify the organization’s purposes for the system and develop a single policy that covers all the organization’s management systems.
Context definition. Determine all the internal / external factors and interested parties through a unified system to find correlations more quickly and more thoroughly.
Actions to treat risks / seize opportunities. These were previously known as preventive actions: your organization should develop plans to deal with the potential negative / positive impacts to which it may be exposed.
Documentation design and implementation. Use unified documentation for the processes of the integrated management system, like document and records control and internal audit.
Internal audit. Use the same internal audit program (and, where practical, the same internal auditors) to verify whether the integrated processes are being carried out as planned and are achieving the expected results.
Management review. Turn multiple reviews into a single one to aid top management’s understanding of the integrated management system achievements and results.
Corrective actions. A single procedure can be used to take and follow up on the measures taken if processes and / or results are not as expected.
For organizations with certified systems, or those considering certification, when top management asks about the certificates and the certification process, you can answer that the IMS approach makes certification cheaper, because an integrated certification audit is performed once for all of the integrated systems rather than separately for each.
Benefits of an integrated management system
The main benefits of implementing an integrated management system are:
- Decreased cost when going for an integrated certification audit
- Cost optimization by unification of internal audits, document control, training, and administration
- Maintenance optimization through using the same approach to manage multiple standards
- Better understanding by top management of system issues, increasing the agility and effectiveness of decisions that involve multiple standards' requirements
- Less effort required to integrate new management systems
Integrated management system: A good answer to address multiple challenges
An integrated management system is relevant to any organization, regardless of its market, because it helps the organization deal effectively with challenges like limited resources, growing competition, and higher expectations from customers and other interested parties (e.g., government and regulatory bodies).
Therefore, if you have many management systems in your organization, or you are planning to deploy new ones, now is an ideal time to consider management system integration in your organization, to improve results and optimize the alignment of management practices.
To see an example of integrated systems documentation, please see these free materials: Project plan for ISO 27001 / ISO 22301 implementation and ISO 9001 vs. ISO 27001 matrix.
Rhand Leal has 10 years of experience in information security, and for 6 years he has continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.