Which integrated management manual is best?
The topic of quality management and information security can be carried out as separate projects within the company. Companies often start by creating a quality management manual or quality management system. After this has been certified according to ISO 9001, larger companies start their ISO 27001 project. Due to the high complexity of organizational processes in larger corporations, QMS and ISMS must be created and maintained separately. However, for SMEs and smaller corporations, an integrated management manual according to ISO 9001 and ISO 27001 offers some advantages. It’s not just the structure of an integrated management system that differs from the classic, separately managed QM documentation and ISM documentation. In advance of an audit for the integrated set of rules, the certification body has to put in a lot of additional effort. The cost calculation becomes significantly more complex. In addition, the auditor used must also have the necessary industry knowledge for ISO 9001 audits as well as the ISO 27001 special training. This can therefore lead to very different audit offers and waiting times. The number of auditors approved for these combined audits is not very high. As a result, certification bodies sometimes have longer waiting periods until an appropriately approved auditor is available for this integrated audit. We have therefore put together several diagrams and individual videos for you, which you should definitely watch until the end.
How does an integrated management system differ from separately managed QMS and ISMS?
When creating 2 sets of rules according to separate standards, there is always a certain degree of overlap in content. If you combine the two sets of rules in a common set of documents, changes must be made to the structure of the documents at various points. As a result, some documents refer to both standards. The following video explains the difference and the special features in an even more understandable way.
Now that you have watched the short explanatory video, we would now like to look at the individual variants of integrated management systems in a little more detail. However, it is important that you have watched the previous video so that you can better understand the complex certification process. If you still have questions about the costs of certification, be sure to check out our cost-related information page for detailed explanations. There you will also find a simple overview of the individual cost blocks of the ISO27001 certification.
1. Integrated management system for ISO 27001 and data protection
If you want to combine the topics of information security (ISO 27001) and data protection (GDPR) in a common set of documents, you will receive an integrated management manual according to ISO 27001 and GDPR. Many people literally believe that a management manual consists of just one file. The ISO 27001 standard as well as other bodies use the term management system. An information security management system consists of more than 50 documents (plus the company’s own evidence of an active ISMS). Accordingly, an integrated management system in accordance with IEC ISO 27001 and GDPR will contain approximately 80-110 files (plus attachments). An advantage of this combination is that only the ISO 27001 components are changed more frequently. This means that ongoing care expenditure is kept to a minimum.
The following video explains the different aspects of such a combined data protection and information security management system. The cost of care as well as the possible operating costs are also taken into account. The certification bodies only issue an ISO 27001 certificate. In the video you will learn how to obtain a certificate for the data protection component.
2. Integrated management system QM and ISMS
As already mentioned, a QM manual can be created and certified together with an information security manual. It is important to note that standards have different revision cycles. We currently have ISO 9001 standard revision 2015 and the recently updated ISO 27001 standard in revision 2022. An integrated management system for quality and information security will continue to experience changes, especially with these 2 standards. In individual cases, this leads to significant additional effort in maintaining the documentation. For IT companies, certification bodies may be able to offer an audit appointment more quickly. However, as soon as the company to be audited is located outside the IT industry, it becomes very difficult to find qualified audit personnel for the industry.
3. Integrated management system for ISO 9001 and ISO 14001
The introduction of an integrated quality management system (QMS) together with an environmental management system (EMS) is often important in areas with a potential risk to people and nature. This is why you see a QMS combined with an EMS much more often in the waste management, aviation, manufacturing and mechanical engineering industries. Nevertheless, such a set of rules can also be used in other niches. The following video explains these specific aspects for the manufacturing and aviation sectors.
4. Integrated management system for ISO 9001, ISO 14001 and ISO 45001
In some special cases it does make sense to combine 3 standards in an integrated management system. This creates an integrated quality management system (QMS) together with an integrated environmental management system (EMS) and an integrated occupational health and safety management system (OH&SMS). This is a very complex system that only comes into play in very specific areas.