Integrated management systems: what genuinely integrates, what doesn't, and how to tell what you actually have
Ask three consultants to define an integrated management system and you will get three answers. The most common one is documentation-based, and it is worth almost nothing. A practical walk-through of what real integration looks like, when it makes sense, and how auditors distinguish integrated systems from stapled ones.
Ask three consultants to define an integrated management system and you will get three answers. The most common one is documentation-based: a shared quality manual, a shared policy set, a shared risk register. The second is process-based: shared procedures for internal audit, management review, corrective action, and document control across every standard. The third is genuinely operational: a single management system that runs the organisation, with each standard’s obligations satisfied as byproducts.
Only the third is worth the effort. The first two are filing systems.
This piece explains what an integrated management system (IMS) actually integrates, what it does not, and how to tell whether the system your organisation has is the genuine version or a very tidy filing cabinet.
Key takeaways
- ISO 9001, 14001, 45001, 27001, 22301, 27701, and 42001 all share the same top-level clause structure (the Harmonised Structure, previously Annex SL). That is what makes integration possible.
- Integration is easiest at the management-system layer (context, leadership, planning, performance evaluation, improvement) and hardest at the technical control layer.
- The claimed benefits are real, but only materialise if the integration is operational, not just documentary.
- The most common failure is producing an “integrated manual” while running four disconnected programmes underneath. Certification body auditors see through it quickly.
- Integration is not always the right answer. Small organisations with only one management system have nothing to integrate. Organisations with wildly different scopes across standards may find integration harder than running the standards separately.
What actually integrates
All modern ISO management-system standards follow the same Harmonised Structure. That means every one of them has clauses 4 through 10 with the same top-level headings: context, leadership, planning, support, operation, performance evaluation, improvement. Every one of them runs on the Plan-Do-Check-Act cycle.
The clauses that live at the management-system layer (4, 5, 6, 7, 9, 10) are highly integratable. If you have identified your interested parties for ISO 27001, the same list mostly serves ISO 22301. If you have a management review process that covers information security performance, it can cover business continuity and quality performance in the same forum. If you have a corrective action process that closes ISO 27001 nonconformities, it can close ISO 22301 nonconformities without changes.
The clauses at the operational layer (Clause 8, and each standard’s specific technical requirements) integrate less well. ISO 27001’s Annex A information security controls do not map cleanly onto ISO 45001’s occupational health hazards, and neither maps onto ISO 22301’s Business Impact Analysis. Trying to force operational-layer integration usually produces documents that satisfy nobody.
Where the benefits actually come from
If integration happens at the management-system layer, the following genuinely improve:
- Management review efficiency. One meeting reviews performance across multiple standards. Executives engage with the full picture rather than several disconnected slide decks.
- Internal audit efficiency. One integrated audit programme covers common clauses across multiple standards in a single cycle. Auditors probe general management-system health once, then focus their specialist time on the standard-specific technical controls.
- Documentation coherence. One policy set, one risk framework (with standard-specific registers where needed), one training programme. Employees stop asking which policy applies to which situation.
- Certification cost. Registrars typically offer combined audits for integrated systems, reducing on-site days and travel.
- Executive engagement. Boards understand “risk to the business” better than “ISO 27001 residual risk.” An integrated system reports outcomes rather than clauses.
None of these materialise if the integration is documentary rather than operational. A shared cover page on four separate management systems does not reduce management review time. It adds a table of contents.
What integration costs
Honest treatment: integration has costs, and they are often understated in consultancy pitches.
- Slower initial implementation. Building an integrated system from scratch takes longer than implementing one standard, because the integration itself is design work. It pays back over multiple certification cycles, not the first one.
- Higher process discipline required. An integrated system depends on shared processes. If shared internal audit, management review, or corrective-action processes break, they break everywhere at once.
- Scope mismatches surface. ISO 27001 is often scoped to a specific service or department. ISO 45001 is usually organisation-wide. Integration forces the organisation to reconcile scope decisions that were previously invisible.
- Documentation refactoring. Existing standards with separate procedures need to be refactored, not merely stapled together. That is real work.
- Certification body coordination. Not every certification body handles combined audits equally well. Choosing one that does becomes part of the integration decision.
When integration makes sense
- The organisation has two or more management systems already, or is planning to implement them within eighteen months.
- The systems will share substantial scope: largely the same people, sites, and processes.
- Senior management is willing to consolidate performance reporting into a single management review.
- There is a named individual with responsibility for the integrated system as a whole, not just individual standards.
When it does not
- Only one standard is in scope, or the second standard is small and stable.
- The standards have wildly different scopes (an organisation-wide QMS with a very narrow 27001 SoA, for example).
- Different standards are owned by different parts of the organisation who cannot yet coordinate day to day.
- The organisation is unstable or growing very fast, and any integrated system would be under constant refactoring.
Integration is a tool. If it produces coherence, use it. If it produces overhead, do not.
What auditors look for
Certification body auditors distinguish between integrated systems and stapled systems within the first hour of a stage 2 audit. The signals they use:
- Traceability across standards. A risk identified in ISO 27001 that also has a business continuity implication should appear in both risk registers, or in a single register with both dimensions coded. Auditors check whether the connections exist.
- Management review substance. An integrated management review that spends five minutes on each of four standards and calls the meeting done is stapled. One that discusses cross-cutting risks (a supplier failure that affects operations, security, and safety simultaneously) is integrated.
- Internal audit realism. Integrated internal audit programmes should probe common clauses in a way that reveals whether the integration is real. A finding in one standard’s Clause 7.2 (competence) should trigger review of that clause across the other standards.
- CAPA linkage. Corrective actions should reference every standard they touch. A single finding closed under only one standard when it affected two or three is a sign the integration is documentary.
Where an auditor identifies an integrated system as stapled rather than integrated, the finding is usually an OFI rather than a nonconformity. The OFI trajectory over successive audit cycles becomes uncomfortable if not addressed.
How the Axlio Method applies
The six steps of the Axlio Method apply to an IMS engagement in exactly the same way they apply to a single-standard implementation. What varies is the scope of Understand and Assess, which is broader, and the depth of Prioritise, which becomes more complex.
- Understand. Not just what the business does, but which standards actually matter to it now and in the next three years. Some organisations pursue integration prematurely.
- Assess. Existing management systems, their maturity, their operational reality, and where they already overlap or duplicate.
- Prioritise. Which integration decisions produce durable value and which produce documentation.
- Implement. Refactor common processes first. Reconcile standard-specific requirements second.
- Assure. Test the integration by running the common processes and seeing whether they actually cover every standard, rather than just referencing them.
- Improve. Track integration health as a management-system metric, not just certification status.
Getting started
If you already have one certified management system and are considering adding another, the decision is often when to integrate, not whether. Adding a second standard as a separate system, then integrating at the next recertification cycle, is a common and sensible pattern. Trying to integrate at the point of first certification for the second standard usually adds unnecessary risk to the certification event.
For organisations with existing multiple standards operating as separate programmes, integration should typically be timed around a recertification cycle, so the refactored system can be audited as integrated from the start of the new cycle.
Closing
An integrated management system is worth building when the integration is operational: shared processes that genuinely reduce duplication, shared reporting that genuinely engages executives, and shared assurance that genuinely probes the whole system at once. It is not worth building when the integration is only documentary: a shared manual over four disconnected programmes.
The difference is easy to spot from inside the organisation, harder to spot from outside, and easy to mistake as long as certification bodies keep issuing certificates against systems that look integrated on paper.
For support building or reviewing an integrated management system across ISO 27001, ISO 22301, ISO 27701, ISO 42001, or ISO 9001, get in touch. Every engagement follows the Axlio Method.
