
Summary: Integrating international standards such as ISO 27001, ISO 22301 and ISO 42001 into one management system improves organisational efficiency. By sharing management structures, merging documentation and aligning governance, you reduce duplicated effort and simplify compliance.
Leveraging an existing management system such as ISO 27001 provides a solid foundation that makes aligning with other international standards, such as ISO 22301 (business continuity) and ISO 42001 (artificial intelligence), significantly more efficient.
How can you build upon your existing management system?
ISO management system standards share a common high-level structure (the Harmonized Structure, formerly Annex SL), so organisations can integrate their core processes rather than run parallel systems.
Take ISO 27001 and ISO 42001 as an example. Both follow the same core management clauses 4 to 10 (Context, Leadership, Planning, Support, Operation, Performance Evaluation and Improvement); what differs is the subject of the system. ISO 27001 is a risk-based standard for protecting the confidentiality, integrity and availability of information, whereas ISO 42001 governs the responsible development and use of AI across its lifecycle, addressing ethics, fairness, transparency and data quality. Both standards also carry their own annex of controls and require a Statement of Applicability, so the control-selection process you already run for ISO 27001 is directly reusable.
Instead of building a separate management system for each standard, reuse the processes you already have for risk management, document control, internal audit and management review. This keeps the management system consistent and reduces the effort of adopting a new standard to the delta between it and what you already operate.
How can you integrate documentation and processes?
Many requirements overlap across standards, which creates the opportunity to merge documentation. For example, extend your existing Statement of Applicability (SoA), communication plans and competency matrices to cover the new controls or scope requirements rather than writing new versions from scratch. Two caveats: keep a mapping that shows which clause of which standard each document or control satisfies, because certification auditors assess each standard on its own terms; and note that ISO 22301 has no control annex, so an SoA extension applies to ISO 42001 but not to business continuity. Consolidating saves time now and, in the long run, simplifies upkeep and maintenance of the management system.
Use existing governance structures
Governance can be streamlined by reusing existing roles, responsibilities and management review forums. If a structure for decision making and accountability is already in place, extend the committee's terms of reference so that it also addresses and reports on the requirements of the new standard, and record that extension so auditors can see the new standard has top management oversight.
Can you use the same risk register across multiple ISO standards?
Yes. Start from your current risk assessment process and adapt the risk criteria and methodology where needed. Consistent oversight is maintained by expanding the existing risk register to include risks relevant to the new standard; in practice this is often done with an identifier or tag, e.g. IS, AI or BC, marking whether a risk concerns information security, artificial intelligence or business continuity, while the same methodology is used to assess and treat every risk. Check that the impact criteria still fit: an AI risk may be about harm to individuals or unfair outcomes rather than loss of confidentiality, integrity or availability, so the impact scale may need extending. Note also that ISO 42001 requires an AI system impact assessment in addition to risk assessment, which the shared register must be able to reference.
Why is a single source of truth important for an integrated management system?
A single, integrated management system gives management and auditors one source of truth for policies, risks, controls and evidence. Integrating ISO standards in this way reduces duplication, improves consistency and simplifies compliance activities: by reusing governance structures, risk management processes, documentation and audit activities, organisations reach compliance more efficiently while keeping the management system manageable and auditable.
For organisations already certified to ISO 27001, adopting ISO 42001 or ISO 22301 becomes significantly easier when it is approached as an extension of the existing management system rather than as a separate initiative.