We have repeatedly stressed the value of building an Integrated System that covers several areas at once and makes the best use of an organization's internal resources. What has perhaps not been stressed enough is that, beyond the classic "quality-environment" integrated system (ISO 9001 - ISO 14001), any other management system based on a standard written for this purpose can be integrated as well, depending on business needs.
An example that is being seen a lot lately, although still not much in Italy, is the integration of the quality system (ISO 9001) with the information security system (ISO 27001).
Integrating the two systems means, to recap, that wherever a requirement of ISO 9001 overlaps with one of ISO 27001, the same process satisfies both, and that area is audited through a single verification.
Since 2016, certifications according to the ISO 27001 standard have increased by 20% across Europe because data management – how data is used but also how it is protected – is becoming a key area of interest for businesses. For many organizations that already have the idea of implementing ISO 9001, it is therefore good to decide from the outset whether to implement ISO 27001 as well, to make the two systems work in perfect synchrony.
If, on the other hand, the company was certified to ISO 9001 first and only later recognized the importance of securing its information and decided to adopt ISO 27001, which in our experience is the common case, it is still worth planning from the outset how to integrate the two systems as efficiently as possible. The resource to save first is time: the time needed to bring the second system, integrated with the first, up to full operation and to have it certified.
Each management system needs supporting documentation: written procedures, audits, control forms and much more. Running two separate systems at different times makes no sense when they share requirements, as ISO 9001 and ISO 27001 do. An integrated system is, in fact, nothing more than a set of interconnected processes that share the same resources and meet the needs of stakeholders without wasting them.
Let's start with the common points that the two standards have:
- Both standards focus on internal and external issues relevant to the company but do so from different perspectives;
- Both standards follow the Annex SL high-level structure (the same clause layout, from context of the organization through to improvement), which means that the documentation and procedures needed to implement the two systems effectively are largely similar;
- Both standards require a reflection on the requirements of the various stakeholders, with regard to quality and to information security respectively. These requirements can be gathered through the same process, and a single integrated list of stakeholders can be maintained;
- ISO 9001 and ISO 27001 require that responsibilities and authority be identified, and although the roles and responsibilities within a quality system and an information security system are different, they can be defined in the same way through the same process, with considerable savings in resources;
- Other requirements such as those relating to competence, awareness, communication, control of documents and system records are common to the two systems and can be addressed in the same way;
- With regard to internal audits and management review, the requirements to be verified and the inputs and outputs of the review are different, of course, but the way in which the process is conducted is the same. Depending on the size and complexity of the company and its processes, the internal audit or management review can be performed simultaneously or separately;
- Both standards also require a system for managing non-conformities and corrective actions; the underlying process can be the same for both, and there is no reason to keep them separate.
Keep in mind, however, that even where requirements look the same and can be covered by the same process, the results will not be the same for both standards. The focus of ISO 9001 is on the quality of products and services and on customer satisfaction, while ISO 27001 is focused on information security; therefore the inputs and outputs of the management review will differ, and the same applies to most of the common requirements listed above. ISO 27001 also carries requirements with no ISO 9001 counterpart, notably the information security risk assessment and risk treatment with its Statement of Applicability against the Annex A controls, which must be implemented and audited in their own right rather than absorbed into the quality processes.
Integrating several standards nevertheless creates many synergies that let an organization pool resources and save time and money on maintaining and improving its management system.
With a holistic approach to the integrated management system that embodies international best practices, organizations can demonstrate compliance with ISO 27001 and ISO 9001 standards to customers, certification bodies and regulatory authorities.
Furthermore, by integrating quality management and information security, organizations can demonstrate both the quality and the security of their processes, and gain a real competitive advantage through improved organizational performance, reduced risk, higher customer satisfaction, and a stronger reputation and marketability.
Our auditors are experts in both systems and are able to verify the application of the requirements with the best possible effectiveness and efficiency. Choose ACSQ for your certification!