Integrated Management Systems (IMS) for Multiple ISO Standards

Integrated Systems in Brief

  • One document register, one risk register, one audit programme across all standards
  • High Level Structure makes integration much easier than it used to be
  • Workload reduces significantly compared to running separate systems

What is an Integrated Management System?

An Integrated Management System, usually shortened to IMS, is a single management system that covers the requirements of more than one ISO standard at the same time. It is not four separate manuals stapled together. It is one manual describing how the organisation runs, with the requirements of each ISO standard absorbed into the relevant operational sections.

A typical IMS might cover ISO 9001 for quality, ISO 14001 for environmental management, ISO 45001 for occupational health and safety, and ISO 27001 for information security. The same document control procedure serves all four. The same internal audit programme covers all four. Management review is one meeting, one agenda, one set of minutes - not four.

The alternative is running each ISO standard as its own management system, with its own manual, its own processes and its own audits. That approach creates duplication everywhere: almost-identical procedures for document control, risk management and corrective action repeated in four places, four separate management reviews, four sets of records saying essentially the same thing. It is more work to set up, more work to maintain, and more likely to get out of sync as the organisation evolves.

The Integrated Management System Approach

The core idea behind an integrated management system is that most of what each ISO standard asks for is the same - because ISO deliberately designed them that way. Every ISO management system standard requires the organisation to understand its context, set policies, plan objectives, manage resources, control operations, evaluate performance and drive improvement. The specific topic changes - quality, environment, safety, information security - but the structure does not.

An IMS takes advantage of that overlap. The organisation writes one manual describing how it operates, and each ISO standard's requirements are met by the same underlying processes. Context is reviewed once, not four times. Interested parties are logged in one register, not four. Risks and opportunities live in one opportunities and risks register that covers quality, environmental, safety and information security risks together. A single legal register captures all applicable legislation regardless of which standard each piece of legislation relates to.

The result is a management system that reflects how the organisation actually runs, rather than how each ISO standard is structured. Staff follow one process for managing non-conformities whether the non-conformity is a quality issue, an environmental incident, a near miss or a data breach. They use one induction, one training competency matrix, one appraisal process. The ISO requirements sit inside the business, not alongside it.

What Gets Integrated in an IMS

In practice, integration means the following things are shared across every ISO standard the organisation holds:

  • One management system manual - a single overview document describing how the organisation runs, with sections covering leadership, resources, operations, monitoring and improvement.
  • One set of policies - the quality, environmental, health and safety, information security and anti-bribery policies sit side by side and reinforce each other, rather than being siloed.
  • One document control procedure - all controlled documents are managed through the same F-IMS20 Document Register.
  • One interested parties register - F-IMS22 captures customers, regulators, suppliers, neighbours and other parties with an interest in the system, regardless of which ISO standard they fall under.
  • One opportunities and risks register - F-IMS23 logs strategic risks across the whole system, whether they are quality risks, environmental risks or information security risks.
  • One legal register - all relevant legislation is listed in one place, with responsibility for monitoring changes clearly assigned.
  • One management review - top management contribute to a single review covering all standards at once, not a separate review for each.
  • One internal audit programme - audits are planned against the whole system rather than running separate audits for each standard.
  • One improvement process - issues, non-conformities, corrective actions and improvement requests are tracked in one place regardless of which standard they relate to.

This is the practical test of whether a management system is genuinely integrated or just a collection of parallel systems with a shared cover page. If any of the items above exists in multiple versions - separate quality and environmental document registers, for example - the system is not really integrated.

Why the Annex SL Common Structure Matters

Integration works because of a deliberate ISO design decision. All modern ISO management system standards share a common high-level structure known as Annex SL, with the same top-level clauses in the same order:

  • Clause 4 - Context of the organisation
  • Clause 5 - Leadership
  • Clause 6 - Planning
  • Clause 7 - Support
  • Clause 8 - Operation
  • Clause 9 - Performance evaluation
  • Clause 10 - Improvement

This was introduced precisely so that organisations could integrate multiple standards without having to run parallel systems. An interested parties review carried out for ISO 9001 Clause 4.2 also satisfies the Clause 4.2 requirements of ISO 14001, ISO 45001 and the rest. A management review that covers all the topics required by ISO 9001 Clause 9.3 satisfies the Clause 9.3 requirements of every other standard. The scope-specific requirements - environmental aspects, OH&S hazards, information security controls - sit within this shared framework rather than replacing it.

The practical effect is that extending a management system from one standard to another is an extension, not a rebuild. An organisation with a working ISO 9001 system already has most of what it needs for ISO 14001. Adding the environmental-specific elements - aspects and impacts, environmental legal register entries, environmental objectives - is the new work. The core of the system stays as it is.

Building an Integrated Management System with IMS1

IMS1 is the integrated management system manual that sits at the heart of the alphaZ toolkits. It is organised around how a business actually operates - leadership and planning, resources and support, operational processes, monitoring and improvement - and covers the requirements of ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22301 and ISO 37001 in a single document.

Alongside the manual, each of the supported ISO standards has its own correlation document that maps each clause of the standard to the relevant section of IMS1. So when an external auditor asks where Clause 8.5.1 is addressed, the organisation can show them the correlation table and take them straight to the right section. The operational manual stays clean. The clause mapping lives alongside, ready when it is needed.

For organisations needing business continuity management, IMS1 is extended with the PP-1-05 Business Continuity Policy. The BCMS consists of the IMS1 manual plus that policy, together with the Business Continuity Register (F-IMS21) and the Business Continuity Risk Register. There is no separate BCMS manual - the continuity requirements are met through the same integrated system, with the policy adding the continuity-specific content.

The Anti-Bribery Management System works the same way. IMS1 plus the PP-1-19 Anti-Bribery Policy forms a complete ISO 37001-compatible ABMS, with the Anti-Bribery Compliance Register, Business Associates Register and bribery risk assessments providing the supporting records. The ABMS is a layer on top of the core IMS rather than a separate system.

Adding More Standards to an Existing IMS

One of the practical benefits of a well-built IMS is how easily it extends. Organisations rarely start with every ISO standard they will eventually hold. A manufacturer might start with ISO 9001, add ISO 14001 two years later when a customer starts asking, add ISO 45001 when the insurer gives a good reason, and eventually add ISO 27001 when they start handling more sensitive customer data.

Done properly, each extension is a matter of adding the standard-specific content to the existing system rather than building a new system. The common core - context, leadership, planning, support, operation, performance evaluation, improvement - stays as it is. What gets added is:

  • Standard-specific content within the main manual (environmental arrangements, OH&S arrangements, information security arrangements)
  • Additional policies specific to the new standard
  • Additional items on the legal register
  • Additional risks or opportunities on the existing F-IMS23 register
  • A correlation document mapping the new standard's clauses to the relevant sections of the manual

The internal audit programme expands to cover the new standard. The management review agenda picks up the new standard's requirements. The document register adds any new controlled documents. But the shape of the system does not change.

Common Integration Mistakes

Three mistakes come up regularly when organisations try to integrate management systems, and each undermines the benefits of an IMS.

The first is maintaining separate manuals with a shared cover sheet. Some organisations claim to have an integrated system but keep a Quality Manual and an Environmental Manual as distinct documents that are only loosely linked. This preserves most of the duplication an IMS is meant to eliminate. A genuine IMS is one manual describing one system.

The second is keeping clause-based sections inside an otherwise operational manual. An organisation might write a Section 4 Context, a Section 5 Leadership and a Section 6 Planning that mirror the ISO clause numbering, even though the rest of the manual is organised operationally. This creates a hybrid that reads oddly, trains badly and still has to be rewritten when a standard is revised. Better to commit fully to operational organisation and use correlation documents for the clause mapping.

The third is duplicating registers. An organisation ends up with a quality risk register, an environmental aspects register, an OH&S hazard register and an information security risk register - all recording essentially the same kinds of information in slightly different formats. A single opportunities and risks register at the strategic level, with separate operational risk assessments for specific hazards, is simpler and gives management a clearer picture.

We started with ISO 9001 about five years ago, added ISO 14001 eighteen months later, then ISO 45001 after that. Each time we added a standard we made the mistake at first of building a new little system alongside the old one, and each time we ended up having to pull it back into the main IMS because the duplication was killing us.

Now we have one manual, one document register, one set of policies on the wall, one management review a year and one internal audit programme. Three standards, one system. When the auditor comes in we pull out the correlation tables and they work through them in sequence. Saves us weeks over the course of a year compared to running three separate systems.

The thing people miss about Annex SL is that ISO genuinely made the standards compatible on purpose. The clauses are in the same order across 9001, 14001, 45001, 27001, 22301, 37001 - it is not a coincidence. You review your context once, not six times. You set policies once, not six times. Integration is what the standards were designed for.

When I audit an integrated management system the first thing I check is whether it is genuinely integrated or whether it is a set of parallel systems sharing a cover. I ask to see the document register. If there are separate quality, environmental and safety registers, that is usually a sign the integration is cosmetic. One register across the whole system is what I expect to find.

The correlation document is what I use to navigate. A well-built IMS has a clear table mapping each clause of each standard to the section of the manual where it is addressed. That lets me work through my audit checklist without demanding the organisation restructure its documentation to suit me.

Management review is another good test. One review meeting covering every standard is a sign of integration. Four reviews a year, one per standard, is a sign the system is really four systems in a trench coat.

Practical Compliance Guidance

The IMS1 manual provides the foundation of an integrated management system and covers the requirements of six ISO management system standards in one operations-driven document. Its structure deliberately mirrors how a business actually runs, with ISO correlation documents handling the clause-by-clause mapping separately.

The alphaZ toolkits package IMS1 together with the policies, procedures, registers and forms needed to build a working IMS. The right toolkit depends on which combination of standards applies to the organisation.

alphaZ document - How to use it

  • ISO 9001, 14001, 45001 IMS Toolkit - The most common IMS combination, covering quality, environmental and health and safety in one system. Starting point for manufacturing, construction and service organisations pursuing the three core standards together.
  • ISO 9001, 14001, 45001, 27001 IMS Toolkit - Extends the three-standard IMS to include information security. Suited to organisations that handle sensitive customer data alongside physical operations.
  • Full Six-Standard IMS Toolkit - The complete integrated toolkit covering quality, environmental, health and safety, information security, anti-bribery and business continuity in one system, built around the IMS1 manual.
  • F-IMS20 Document Register - Central register for every controlled document in the integrated system. One register, not one per standard.
  • F-IMS22 Interested Parties Register - Logs all interested parties and their requirements in one place across every standard the system covers.
  • F-IMS23 Opportunities and Risks Register - Strategic-level register of risks and opportunities across the whole management system, with controls and residual risk ratings. Reviewed at each management review.
  • F-Q3 Management Review - Single management review template covering the review requirements of every standard in the IMS. Contributors from across the organisation feed into one review rather than several.
  • PP-1-05 Business Continuity Policy - Added to IMS1 to form a complete ISO 22301-compatible Business Continuity Management System. No separate BCMS manual needed.
  • PP-1-19 Anti-Bribery Policy - Added to IMS1 to form a complete ISO 37001-compatible Anti-Bribery Management System, supported by the bribery risk assessments and compliance registers in the toolkit.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Yes, and most certification bodies will conduct a combined audit covering every standard the IMS is certified against. One audit visit, one team of auditors, one certification cycle. Certification bodies charge less for combined audits than for the same standards audited separately, and the organisation only has to free up staff time once rather than repeatedly through the year.

Annex SL is the ISO document that defines the common high-level structure for all modern management system standards. It specifies that every such standard will use the same ten top-level clauses in the same order, from Clause 4 Context of the organisation through to Clause 10 Improvement. It matters for integration because it is the reason an interested parties review, a risk assessment or a management review conducted for one standard also meets the equivalent requirement in another standard.

Yes, and most organisations that run separate systems eventually do, because the duplication becomes too expensive to maintain. Integrating an existing set of separate systems usually means adopting a single integrated manual, consolidating the registers and policies, unifying the document control procedure, and replacing multiple management reviews with one. The certification bodies are used to this and will support the transition through the next surveillance audit cycle.

The correlation document is not a mandatory requirement of any ISO standard, but it is standard practice in an operations-driven IMS because it saves significant time during external audit. Auditors work through the standard clause by clause and use the correlation table to locate the relevant section of the manual. Without one, the auditor has to work out for themselves where each requirement is addressed, which slows the audit and increases the risk of findings being raised because the evidence was not found rather than because it is missing.

UK Legislation

No UK legislation specifically requires an integrated management system, but the same UK laws that apply to each constituent standard apply together when those standards are integrated. Organisations running an IMS covering health and safety, environmental and information security obligations meet those legal requirements through the integrated system rather than through separate arrangements.
