In many SMEs, a quality management system or at least practices based on ISO 9001 are already in place, but the information security management system is still built as a separate entity. The familiar result is two annual calendars, two internal audits, two risk registers, and management reviewing the same issues in different documents.
The good news is that this does not have to be the case. ISO 27001 and ISO 9001 can be combined into one management framework that reduces work and improves oversight. In this article, we go through what the standards have in common, what should be kept separate, and how to practically build one functioning system.
Why Combine ISO 27001 and ISO 9001?
Managing systems separately quickly leads to duplicated work. The organizational description is written twice, deviations are managed through different processes, and management reviews are scheduled separately.
Integration is especially worthwhile in companies with 20–250 employees, limited resources, and the need to demonstrate controlled quality and information security to customers. Practical benefits include:
- one common management model across the organization
- fewer overlapping documents and meetings
- clearer division of responsibilities for management, IT, and process owners
- easier internal audits, because shared requirements are examined once instead of twice
- better visibility of how quality issues and security risks impact business
Think of it this way: if a customer complaint is caused by incorrect access rights or poor change management, is it a quality issue or a security one? Often both. That’s why oversight should be shared.
Note
ISO 27001 and ISO 9001 are largely based on the same management logic: define objectives, identify risks, direct activities, measure results, and continuously improve. This is what makes combining them practical.
What the Standards Have in Common in Practice
Both ISO 27001 and ISO 9001 are management system standards. This means they are not mere checklists but systematic ways to lead operations. Both emphasize the same core questions: what is the goal, who is responsible, how is activity documented, and how is improvement done.
Common structures are particularly found in these areas:
- understanding the organizational environment and stakeholders
- defining the scope of the system
- roles, responsibilities, and commitment of leadership
- assessment of risks and opportunities
- objectives, metrics, and monitoring
- ensuring competence and awareness among staff
- documented information such as guidelines, policies, and records
- internal audits
- management reviews
- handling nonconformities and continuous improvement
The table below helps illustrate where integration is usually easiest.
| Area | ISO 9001 Perspective | ISO 27001 Perspective | Integration Approach |
|---|---|---|---|
| Operating Environment | Customer requirements, processes, quality | Information assets, threats, compliance | Create one common environmental description |
| Risk Management | Quality and process risks | Security risks | Use one risk method, adapting criteria as needed |
| Documentation | Process descriptions, instructions, records | Policies, procedures, logs, registers | Manage all within one document structure |
| Internal Audit | Functionality of processes | Implementation of controls and requirements | Conduct one audit program annually |
| Management Review | Objectives, deviations, customer feedback | Risks, deviations, security performance | Hold one joint review 2–4 times per year |
| Improvement | Corrective actions | Handling deviations and improvements | Use one CAPA process for corrective actions |
In practice, the greatest benefit comes from building one framework and attaching standard-specific requirements underneath. This way, staff don’t need to learn two different management systems.
What Not to Forcefully Integrate?
Although there is much in common, not everything should be merged into one undifferentiated whole. ISO 27001 contains specific security requirements that ISO 9001 does not cover in equal detail. If these get lost in general quality language, the system might look neat but will not guide correct actions.
Keep at least these areas clearly identifiable, even within the same system:
- security risk assessments and acceptance criteria
- Statement of Applicability (SoA), with a justification for each control that is included and each that is excluded
- access rights management
- handling of security incidents
- supplier security requirements
- continuity preparedness, recovery, and logging and monitoring
A good rule of thumb: integrate the management structure but do not blur the special requirements of information security. For example, if access rights must be revoked within 24 hours of employment termination, this should be documented as its own control with a measurable target and an owner, not just as a general process note.
Warning
A common mistake is to build one combined risk register mixing quality, security, occupational safety, and project risks in the same table without classification. Important security risks easily get lost among other issues. If you do keep one register, classify every entry by domain and keep security-specific likelihood, impact, and acceptance criteria, so that security risks can be filtered out and reviewed on their own.
One System, Many Perspectives
A functional combination doesn’t mean one gigantic manual. A better approach is to build one management system with shared management practices and standard-specific sections where needed.
For example, a document structure could look like this:
- common policy level: management principles, responsibilities, objectives
- shared processes: risk management, handling nonconformities, audits, management reviews
- standard-specific procedures: security controls, quality deviation handling, supplier evaluations
- records and metrics: audit reports, risk registers, training records, incident logs
If you already have ISO 9001 in place, you don’t have to start from scratch. Often, you should first check these five points:
- is the current risk management detailed enough for security risks?
- are security-related metrics included in management reviews?
- does internal audit cover security controls?
- is responsibility division between IT, HR, and business clearly assigned?
- are documents managed centrally or scattered across folders?
How to Proceed in Practice
Identify Existing Common Structures
Review your current ISO 9001 or other management system and list what can be used as is. Start with at least: risk management, nonconformity handling, internal audit, management review, and document control. This scoping usually takes 1–2 workshops totaling 2–4 hours.
Define a Common Framework and Separate Security Sections
Decide which parts are shared by all standards and which remain specific to ISO 27001. Practically, create one process map marking where detailed security controls are needed, such as access rights, backups, and supplier requirements.
Combine Metrics and Annual Calendar
Build one annual calendar rhythm where audits, risk reviews, trainings, and management reviews follow the same schedule. For example, risk reviews can be done quarterly, internal audits 1–2 times a year, and management reviews at least once a year, preferably 2–4 times a year as suggested in the table above.
Assign Owners and Deadlines
A combined system only works if responsibilities are clear. Assign each process an owner, deputy, and target timeframes: e.g., record nonconformities within 48 hours, decide corrective actions within 14 days, and implement access changes within 24 hours.
Test Functionality with Internal Audit
Before certification or external assessment, verify that the combined model really works. Conduct an internal audit looking at the same process from both quality and security perspectives — for example, customer delivery, user management, or supplier onboarding. This helps identify gaps before they show to customers or auditors.
Metrics to Keep the Combined System Alive
A common problem is that integration happens only on paper, but daily work doesn’t change. Therefore, you need shared metrics that management regularly monitors. Metrics don’t need to be complex, as long as they actually drive decisions and actions.
A functional SME metric set might include:
| Metric | Target Level | Monitoring Frequency | Why This Works |
|---|---|---|---|
| Number of security and quality incidents | decreasing trend or controlled level | monthly | Shows whether problems are increasing or decreasing |
| Corrective action cycle time | under 30 days | monthly | Indicates if detected issues are actually fixed |
| Speed of access revocation | within 24 hours | monthly | Reduces unnecessary access risks |
| Completion rate of mandatory trainings | 95–100 % | quarterly | Ensures competence and awareness |
| Internal audit findings closed on time | 90 % on time | quarterly | Keeps improvements ongoing |
| Customer deviations involving security or process impact | monitor case count | quarterly | Links quality and security to business impact |
Ask yourself: can management see the overall status at a glance? If not, simplify the metrics.
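The "speed of access revocation" metric above is the one most often reported from memory rather than from data. The following script is an added example, not code from the article or from the products it mentions: it reconciles a constructed HR leaver feed against a constructed IAM account-disable log, computes the lag per leaver, flags accounts that were disabled late or are still active, and produces the compliance percentage a management dashboard would show. The record layout, field names and the 24-hour SLA default are assumptions for illustration; in practice the two inputs would be exports from the HR system and the identity provider's audit log.

```python
"""Leaver-to-IAM reconciliation for the 'access revoked within 24 h' metric.

Added example, not part of the original article. The data below is
constructed and the field names (user, terminated_at, disabled_at) are
assumptions; map them to your own HR and IAM exports.
"""
from datetime import datetime

# Constructed HR termination feed (assumed fields).
HR_LEAVERS = [
    {"user": "alice", "terminated_at": "2024-03-01T17:00:00"},
    {"user": "bob",   "terminated_at": "2024-03-04T09:30:00"},
    {"user": "carol", "terminated_at": "2024-03-05T12:00:00"},
    {"user": "dave",  "terminated_at": "2024-03-06T08:00:00"},
]

# Constructed IAM audit log of account-disable events (assumed fields).
# Note that 'dave' never appears: his account is still enabled.
IAM_DISABLE_EVENTS = [
    {"user": "alice", "disabled_at": "2024-03-02T08:15:00"},  # 15.25 h after leaving
    {"user": "bob",   "disabled_at": "2024-03-06T10:00:00"},  # 48.5 h after leaving
    {"user": "carol", "disabled_at": "2024-03-05T12:30:00"},  # 0.5 h after leaving
]


def _parse(ts):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(ts)


def revocation_report(leavers, disable_events, sla_hours=24, now=None):
    """Return per-leaver revocation lag and overall SLA compliance.

    `now` is used to measure how long a still-active account has been
    overdue; pass an ISO string or datetime for reproducible results.
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = _parse(now)

    # Earliest disable event per user wins; later re-disables are irrelevant.
    disabled = {}
    for ev in disable_events:
        t = _parse(ev["disabled_at"])
        if ev["user"] not in disabled or t < disabled[ev["user"]]:
            disabled[ev["user"]] = t

    rows = []
    for lv in leavers:
        term = _parse(lv["terminated_at"])
        done = disabled.get(lv["user"])
        if done is None:
            # No disable event at all: the account is still live, and the
            # lag keeps growing until someone acts.
            lag_h = (now - term).total_seconds() / 3600
            status = "still_active"
        else:
            # A disable before the termination time (negative lag) counts as
            # on time: access was removed ahead of the leaving date.
            lag_h = (done - term).total_seconds() / 3600
            status = "on_time" if lag_h <= sla_hours else "late"
        rows.append({"user": lv["user"], "lag_hours": round(lag_h, 2), "status": status})

    total = len(rows)
    on_time = sum(1 for r in rows if r["status"] == "on_time")
    return {
        "rows": rows,
        "compliance_pct": round(100.0 * on_time / total, 1) if total else None,
        "overdue": [r["user"] for r in rows if r["status"] != "on_time"],
    }


if __name__ == "__main__":
    report = revocation_report(HR_LEAVERS, IAM_DISABLE_EVENTS, now="2024-03-08T08:00:00")
    for r in report["rows"]:
        print(f'{r["user"]:8} {r["lag_hours"]:8.2f} h  {r["status"]}')
    print(f'SLA compliance: {report["compliance_pct"]} %  overdue: {report["overdue"]}')
```

Run monthly against the two exports and report `compliance_pct` on the shared dashboard; the `overdue` list is the item that belongs in the nonconformity process, since a still-active leaver account is both a security risk and an access-control nonconformity.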
Tip
Keep one shared dashboard in management reviews with no more than 8 metrics. Too many metrics fragment discussion and prevent decisions.
Typical Mistakes in SMEs
Integration rarely fails due to conflicting standards. More often, it’s about practical implementation. Do any of these sound familiar?
- building the system around standards instead of daily processes
- combining documents but not responsibilities
- leaving security solely to IT when HR, management, and business should also be involved
- doing audits as checklists without assessing process effectiveness
- setting too many objectives without assigning owners
The fix is usually simple. Start with one shared process, such as nonconformity management or management review, then expand gradually. Often, a visible improvement in system functioning is seen within 30–60 days.
Where Does the Tool Help Most?
When ISO 27001 is integrated with ISO 9001, the biggest challenge is rarely understanding the requirements but managing the big picture. Where are the risks, who owns the actions, what has been audited, and what awaits management decisions? If information is scattered in emails, Excel files, and different folders, the combined system quickly falls apart.
This is where a centralized solution eases the workload. Tietoturvapankki helps implement ISO 27001 in practice so risks, controls, responsibilities, and monitoring stay in one place. If quality management tools like Laatupankki are already in use, building shared management practices becomes much more straightforward.
Softapankki Oy and QMClouds Oy have developed solutions so SMEs don’t have to build management systems relying solely on templates. The goal is not to create more documents but to establish a working model that withstands audits and functions in a busy daily environment.
Summary
- ISO 27001 and ISO 9001 should especially be combined in shared management practices: risks, audits, management reviews, and deviation handling.
- Don’t force everything together: keep information security’s special requirements, like controls and the Statement of Applicability, clearly identifiable.
- A functional model consists of one management system, one annual calendar, and clear division of responsibilities.
- Use concrete metrics, such as 24 h for access changes and under 30 days for corrective actions.
- Start with a current state assessment and test the combined model with internal audits before external evaluation.
Need help with information security management?
Our experts are here to assist you.
