What is an integrated ISO management system?
An Integrated Management System (IMS) combines all associated procedures and elements to meet the demands of several management system standards into a single, comprehensive system that is easier to administer and operate.
Integrated management systems make it simpler for organizations to manage the multiple management systems that they have in place. This saves organizations from having duplicate processes.
Before the harmonization of the ISO Standards by ISO’s Annex L, integration was more challenging.
How does Annex L help with the integrated audits?
An Annex L is the High-Level Structure (HLS) that offers the same structure, content, and common words and definitions for management system standards. Through this structure, it is possible for organizations to combine multiple management systems into one.
Our auditor, Orlando Olumide Odejide Ph.D., an MSECB certified auditor for ISO 9001, ISO 14001, ISO/IEC 20000, ISO 22301, ISO/IEC 27001, ISO/IEC 27701, and ISO 45001, explains:
Requirement-based ISO standards that have been developed since 2015 have followed the Annex SL format, now updated as Annex L (2019). Clauses 4 – 10 (except for clause 8) are mainly the same, with slight differences in some areas.
For example, all these standards have 4.1 – 4.4 and 5.1 – 5.3 clauses. However, ISO 45001 has 5.4, which is the Consultation and participation of workers. There is no other ISO standard that has this clause. Additionally, only ISO/IEC 20000-1 has clause 7.6, which is knowledge, and all the other key standards have only 7.1- 7.5. There are other subtle differences between clauses 4 to 10, but essentially, the clauses are the same. An integrated audit must take advantage of these similar clauses for review across multiple standards within an IMS audit.
However, auditors need to be aware and mindful of the uniqueness of clause 8 within the individual standards that might constitute the IMS for an organization. The key difference among the ISO standards is Clause 8. Clause 8 is the core operational clause across multiple standards; it represents the heart of each ISO standard. At the same time, auditors can take a broad and horizontal view of the clauses between 4 – 10. Auditors must dig deep and drill down into the specifics of how Clause 8 applies to each ISO standard in alignment with the business operations and processes of organizations being audited.
Planning an integrated management system audit
Organizations that undergo third-party audits of integrated management systems can save up to 20% in audit time over independent audits, according to IAF MD 11:2019. The audit time is calculated based on these three things:
- the degree of integration between the management system and its supporting documentation;
- the auditee’s capacity to react to inquiries regarding various management system standards;
- the accessibility of auditors qualified to audit numerous management system standards.
“To audit an IMS, auditors must first identify the management systems that make up the IMS they plan to audit. The next step is to develop a comprehensive plan that outlines how the IMS will be audited including sequence of clauses to be audited, auditee representatives needed, duration of the audit, the roles and responsibilities of the audit team, the resources required, and the timeframe for the audit.
The IMS audit should be designed to measure the overall performance of the management systems and, eventually, to ensure higher levels of maturity/capability for the constituent clauses and controls within the IMS,” Orlando adds.
Nevertheless, how productive the integrated audits is dependent on the organization’s in-depth knowledge of ISO management systems and their integration.
“It is essential that IMS auditors and audit teams have expertise and experience across the multiple standards they plan to audit. This enables an in-depth and thorough review of the clauses of the standards and the effectiveness of their operation within the context of the organization being audited,” Orlando further adds.
Thus, understanding the relationship of management systems with each other allows an audit to run smoothly.
On the other hand, the objectives, scope, and criteria of the audit must be suitable for each part of your organization when preparing for an integrated audit. While certain standards may only affect or be part of the scope for specific areas of your business, others may have a scope that can be implemented across your entire organization.
How can an integrated ISO management system audit help your business?
From the point of view of an auditor, Orlando states that having integrated audits is the most prudent, efficient, and cost-effective way for organizations that have implemented and integrated multiple standards and need to carry out their initial, surveillance and recertification audits.
Furthermore, he says that IMS audits enable intelligent audit reporting. An IMS audit report allows the organization to share audit conclusions appropriately. Rather than having multiple audit reports, a single report that compiles findings and exceptions into a single document allows for coordinated remediation actions and faster decision-making. With integrated audits, work documents are created by collecting similar evidence from several requirements/criteria and coordinating the content of relevant checklists to avoid duplication of audit tasks.
For example, take clauses and requirements like asset management, incident management, change management, and others that are captured in slightly different contexts across ISO/IEC 20000, ISO/IEC 27001, and ISO 22301 standards. However, an IMS audit will ensure that personnel are interviewed and documents and systems are reviewed only once rather than multiple times within the duration of the IMS audit.
Above all, an integrated audit typically takes less time to complete than several independent audits. Due to the Annex SL/L structure, there are common requirements across all standards, which do not have to be audited separately but rather collectively.
Get your integrated management system certified with MSECB!
Now that you know the advantages of integrated management systems, it is time to begin the integrated audit and certification process.
MSECB holds a reputation as a trusted organization that goes the extra mile to advance our customers’ success. Our auditors are well prepared and experienced in providing integrated audits at the highest level.
Furthermore, our audit and certification processes are among the easiest to follow and will enable you to operate with greater efficiency. Contact us to learn more or get started right away with a free quote.
About the contributor
Orlando Olumide Odejide PhD is the Managing Partner of A4S (Audit, Advisory, Assurance, and Assessment Services Limited). He is an ISO Management Systems Auditor, Governance, Risk and Compliance Auditor, PCIDSS Qualified Security Assessor (QSA), COBIT Assessor, Enterprise Architect, Programme Director and Trainer with over 20 years of experience in the field of Computing, Information Technology Delivery, Risk Management, Compliance Management and Management Consulting. Since 2016, Orlando has been successfully leading many ISO 9001, ISO 14001, ISO/IEC 20000-1, ISO 22301, ISO/IEC 27001, ISO/IEC 27701, and ISO 45001 audits on behalf of MSECB.
Orlando has worked to support over 600 clients across Africa and presently helps organizations adopt and adapt standards and best practices for business and IT.