
Integrating ISO 27001 with Your Existing Quality Management System


Manufacturers already certified to ISO 9001 can leverage existing systems when adding ISO 27001. Learn what carries over, what's new, and how to integrate.

By Trenton Steadman, Lead ISO Consultant

I was reviewing the management system documentation for a steel fabrication company already certified to ISO 9001 and ISO 14001 when their Quality Manager asked me, "We've got a new customer requiring information security certification. How much of what we've already built can we reuse for ISO 27001?"

The answer is more than most people expect. ISO's management system standards share a common high-level structure, which means your Document Control process, your Internal Audit program, your Management Review, your Corrective Action process, and your approach to competency and training all apply. You're not starting from zero. You're extending a framework you already have.

But that doesn't mean you just bolt information security onto your existing Quality Manual and call it done. ISO 27001 has unique requirements - particularly around information security risk assessment, the Statement of Applicability, and the Annex A controls - that require dedicated work. The art is knowing what to share, what to extend, and what to build from scratch.

I've worked with organizations that run combined systems across two, three, even four standards. Here's how the integration actually works in practice.

What You Already Have (and Can Leverage)

If you're certified to ISO 9001 or running a combined Quality and Environmental Management System under ISO 14001, you've already built infrastructure that ISO 27001 requires. The common high-level structure (sometimes called Annex SL or the Harmonized Structure) means these elements are shared across all three standards:

Context of the Organization (Clause 4) - You've already identified interested parties and determined the scope of your management system. For 27001, you'll expand this to include information security-specific stakeholders - customers with data protection requirements, regulators, IT service providers - but the framework for how you document and review context is already in place.

Leadership and Commitment (Clause 5) - Your management commitment, policy framework, and organizational roles and responsibilities carry over. You'll need an Information Security Policy alongside your Quality Policy (or Environmental Policy), but the structure for how policies are approved, communicated, and reviewed is the same.

Planning - Risks and Opportunities (Clause 6) - This is where things diverge, and I'll cover it separately below. Your existing risk-based thinking approach provides a foundation, but 27001 requires a specific information security Risk Assessment methodology that goes beyond what 9001 asks for.

Support (Clause 7) - Competency, awareness, communication, and documented information (Document Control). Your existing Document Control process works for 27001 documentation. Your training and competency framework extends to include information security awareness. You don't need separate systems for these.

Internal Audit (Clause 9.2) - Your Internal Audit program applies directly. You'll add information security scope to your Audit Schedule, and your auditors will need familiarity with 27001 requirements, but the process - planning, conducting, reporting, following up on findings - is identical.

Management Review (Clause 9.3) - Same process, expanded agenda. You'll add information security performance, risk treatment status, and Annex A control effectiveness to your Management Review inputs. A mid-size automotive supplier I worked with was already doing annual Management Reviews for their quality and environmental system. When they added 27001, they switched to every six months because the combined information volume was substantial. That's a practical consideration worth thinking about early.

Corrective Action and Improvement (Clause 10) - Your existing Corrective Action process and Continual Improvement Log work for information security Nonconformities too. A security incident that reveals a control gap follows the same Root Cause Analysis and Corrective Action cycle as a quality nonconformance.

Where ISO 27001 Requires Dedicated Work

The shared structure gets you maybe half the way there. The other half is unique to information security, and this is where the real implementation effort lives.

Information Security Risk Assessment (Clause 6.1.2)

This is the heart of ISO 27001, and it's fundamentally different from the risk-based thinking in ISO 9001. Where 9001 asks you to consider risks and opportunities broadly, 27001 requires a formal, repeatable Risk Assessment methodology that:

  • Identifies information security risks (what could go wrong with your information assets)
  • Analyzes those risks (likelihood and impact)
  • Evaluates them against defined acceptance criteria
  • Determines risk treatment (what you're going to do about each one)

There are different approaches to this. Some organizations take an asset-based approach - listing every information asset and assessing threats and vulnerabilities against each. Others use a scenario-based or process-based approach. I've found that for manufacturing organizations adding 27001 to an existing quality system, a simpler approach often works better. A straightforward three-by-three matrix (low/medium/high for likelihood and impact) with clear treatment criteria can be more practical and sustainable than a complex vulnerability-threat model.

The key is that whatever approach you choose, it needs to be documented, repeatable, and produce consistent results when different people use it.
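As an added worked example (not from the article, its author, or any client register), here is what the three-by-three matrix described above looks like once it is written down as a repeatable procedure rather than a judgement call. The likelihood and impact scale, the acceptance threshold, the escalation threshold, the treatment labels, and the four sample risks are all constructed for the illustration; a real register would use the criteria your management team approves. The point it demonstrates is the one in the paragraph above: two assessors feeding the same ratings into the same method must get the same score and the same treatment decision, and the method should reject ratings that are not on the agreed scale instead of silently guessing.

```python
"""Worked example of a simple 3x3 information security risk assessment.

Constructed illustration: the scale, thresholds, and sample risks are assumed
for the example and are not taken from any real ISMS.
"""
from collections import Counter
from dataclasses import dataclass

# Agreed rating scale (assumed): each rating maps to a whole number 1..3.
LEVEL_SCORE = {"low": 1, "medium": 2, "high": 3}

# Acceptance criteria (assumed): score <= 2 is retained without further action,
# score >= 6 needs a treatment plan approved by management, everything in
# between is treated through the normal corrective/improvement process.
ACCEPT_THRESHOLD = 2
ESCALATE_THRESHOLD = 6


@dataclass(frozen=True)
class Risk:
    """One row of the risk register (asset-based style, as the article mentions)."""
    risk_id: str
    asset: str
    scenario: str
    likelihood: str
    impact: str


def rating(level: str) -> int:
    """Map a rating word to its score; refuse anything not on the agreed scale."""
    key = level.strip().lower()
    if key not in LEVEL_SCORE:
        raise ValueError(f"rating must be one of {sorted(LEVEL_SCORE)}, got {level!r}")
    return LEVEL_SCORE[key]


def score(risk: Risk) -> int:
    """Risk level = likelihood x impact, giving a value from 1 to 9."""
    return rating(risk.likelihood) * rating(risk.impact)


def treatment(risk: Risk) -> str:
    """Apply the acceptance criteria to decide the treatment option."""
    s = score(risk)
    if s <= ACCEPT_THRESHOLD:
        return "retain"
    if s >= ESCALATE_THRESHOLD:
        return "modify (management-approved plan)"
    return "modify"


def assess_register(risks: list[Risk]) -> list[dict]:
    """Score every risk and return register rows, highest risk first."""
    rows = [
        {
            "risk_id": r.risk_id,
            "asset": r.asset,
            "scenario": r.scenario,
            "likelihood": r.likelihood,
            "impact": r.impact,
            "score": score(r),
            "treatment": treatment(r),
        }
        for r in risks
    ]
    # Deterministic order: by score descending, then by id, so two people
    # running the method over the same register get the same report.
    rows.sort(key=lambda row: (-row["score"], row["risk_id"]))
    return rows


def treatment_summary(rows: list[dict]) -> dict[str, int]:
    """Count of risks per treatment option, a typical Management Review input."""
    return dict(Counter(row["treatment"] for row in rows))


# Constructed sample register for a small manufacturer (not real data).
SAMPLE_RISKS = [
    Risk("R-01", "Customer CAD drawings (file server)",
         "Departing employee retains access after last day", "medium", "high"),
    Risk("R-02", "Shop-floor PLC network",
         "Ransomware spreads from an unpatched engineering workstation", "high", "high"),
    Risk("R-03", "Paper visitor sign-in log",
         "Log misplaced at reception", "low", "low"),
    Risk("R-04", "Supplier portal credentials",
         "Shared account password reused across staff", "medium", "medium"),
]


if __name__ == "__main__":
    register = assess_register(SAMPLE_RISKS)
    for row in register:
        print(f"{row['risk_id']}  score={row['score']}  {row['treatment']:<36} {row['asset']}")
    print("summary:", treatment_summary(register))
```

Because the scoring is a pure function of the two ratings, the register can be re-run at every review cycle and the only inputs that change are the ratings themselves, which keeps the assessment auditable.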

Statement of Applicability (Clause 6.1.3d)

The Statement of Applicability (SoA) is unique to 27001. It's a document that lists all the controls from Annex A, states whether each one is applicable or not, provides justification for inclusions and exclusions, and confirms whether each applicable control is implemented.

This doesn't exist in 9001 or ISO 14001. It's new work, and it requires going through the Annex A controls systematically. For a manufacturing company, some controls will be straightforward (physical security, access control), some will need careful thought (cryptography, supplier relationships), and some may not apply (certain cloud-specific controls if you don't use cloud services).

Annex A Controls

Annex A provides a reference set of information security controls organized into four themes: organizational, people, physical, and technological. Your Risk Assessment drives which controls you implement, but the SoA requires you to address each one.

Many of these overlap with things you're already doing - access control to your facility, visitor management, employment screening, backup procedures, supplier evaluation. The difference is that you need to look at them through an information security lens rather than a quality or environmental one. Your Approved Supplier List evaluation criteria, for example, might already assess delivery and quality performance. For 27001, you'll add consideration of how suppliers handle your information.

For manufacturers seeking to understand how ISO 27001 applies specifically to their environment, our detailed guide on ISO 27001 for manufacturing covers the manufacturing-specific considerations and control implementations.

The Integration Decision: Combined vs. Parallel

There are two basic approaches to running multiple management system standards, and I've seen both work:

Combined (Integrated) Management System - One manual, one set of procedures, one Internal Audit program, one Management Review. The system addresses quality, environmental, and information security requirements in a unified framework. This is generally more efficient and reduces duplication.

Parallel Systems - Separate documentation for each standard, with some shared elements (like Document Control and Corrective Action). This can make sense when different teams own different standards, or when the scopes are very different.

For most manufacturers, the combined approach is better. You're already managing quality. Your team already understands the management system concept. Adding information security to the existing framework is less disruptive than building a separate system and asking people to maintain two (or three) sets of procedures.

The practical question is how deeply you integrate. At minimum, you'll share the support processes (Document Control, Corrective Action, Internal Audit, Management Review). Beyond that, it depends on your organization. Some companies create a single Integrated Policy that covers quality, environmental, and information security. Others keep separate policies under a shared policy framework. Neither approach is wrong - the standard doesn't prescribe how you organize your documentation.

Practical Tips for the Integration

Start with what you have. Pull out your existing Quality Manual (or QEMS Manual) and map it against ISO 27001 requirements. You'll be surprised how much alignment already exists. The Gap Analysis is primarily about identifying what's new, not rebuilding what you've got.

Don't duplicate processes. If your Document Control process works for quality documents, it works for information security documents. Don't create a separate "ISMS Document Control" procedure. Extend the existing one to include information security documentation types and classification requirements.

Expand your Audit Schedule, don't create a new one. Add information security scope to your existing Internal Audit program. Train your auditors on 27001 requirements. You might need to add audit days, but you don't need a separate audit infrastructure.

Plan your Management Review carefully. Adding a third standard's worth of inputs to Management Review makes the meeting longer and more complex. Consider whether you need to increase frequency, split the review into focused sessions, or restructure the agenda. Whatever you decide, make sure information security gets adequate attention and isn't rushed through at the end.

Use your existing risk framework as a starting point. If you already have a risk register for quality or environmental risks, use the same format and expand it. The information security Risk Assessment needs additional specificity (assets, threats, vulnerabilities), but the overall risk management approach can be consistent across your management system.

Leverage your existing culture. If your team already understands why quality matters and why procedures exist, information security awareness is an extension of that mindset. The message is the same: we have responsibilities, we follow processes, and we improve when things go wrong. The subject matter changes, but the discipline doesn't.

If you're considering adding ISO 27001 to your existing management system and want to understand the scope of work involved, we offer a free initial consultation to help you assess where you stand and plan the integration.
