Integration of ISO 27001:2022 ISMS into an existing ISO 14001 EMS

ISO integration (sometimes referred to as an “integrated management system”) occurs when an organization combines or merges components of multiple ISO standards.  This activity has become more common as the number of management systems and International Standards has risen.  Integration is also driven by the desire of organizations to improve performance across a wide range of business activities.

An organization integrating the ISMS and EMS standards will find that some requirements are identical, some are similar, and others are unique to each standard.  Requirements that are identical or similar can be integrated (or combined) to achieve efficiency. 

A common example is Management Review.  Both ISMS and EMS require Management Review, and some of the mandatory inputs and outputs are identical or similar.  An organization could choose to write two separate procedures: one for ISMS Management Review and one for EMS Management Review.  With efficient integration, however, an organization writes only one procedure that captures both the ISMS and EMS Management Review requirements, listing identical requirements only once.

Product: Our ISO 27001:2022 ISMS for Existing EMS provides all of the tools you need to implement your ISMS.

Understanding the Two Management Systems

ISO 27001 is a set of requirements for an Information Security Management System (“ISMS”).  Likewise, ISO 14001 is a set of requirements for an Environmental Management System (“EMS”).  Other management systems, such as AS9100, AS9110, AS9120, ISO 13485, and IATF 16949, are based on the ISO 9001 QMS with additional requirements specific to the industry (“QMS9”).

When effectively implemented, an ISMS provides customers, employees, and key interested parties with assurance that data and information entrusted to an organization are safely managed.  Personal data (such as PII) will be encrypted and protected.  If data is transmitted, it will be moved by secured means to prevent access by hackers or data thieves.

When effectively implemented, an EMS helps an organization improve its environmental performance.  EMS processes provide customers, employees, and key interested parties with assurance that an organization is making efficient use of resources, reducing waste, and gaining competitive advantage without compromising the environment or neglecting critical environmental issues.  EMS practices encourage better environmental performance by integrating environmental factors into the organization’s business systems and processes.

Common Layout

Both ISO 27001 and ISO 14001 have transitioned to the current ISO International Standard layout, Annex L.  Both standards have similar clauses containing requirements that may be subject to audit in order to attain certification.

The common layout / clauses include:

Table 1 – Common Layout / Clauses

Clause | Title                       | Notes
-------|-----------------------------|-------------------------------------------
1      | Scope                       | Clause 1 is not subject to audit.
2      | Normative References        | Clause 2 is not subject to audit.
3      | Terms and Definitions       | Clause 3 is not subject to audit.
4      | Context of the Organization | Clause 4 requirements are subject to audit.
5      | Leadership                  | Clause 5 requirements are subject to audit.
6      | Planning                    | Clause 6 requirements are subject to audit.
7      | Support                     | Clause 7 requirements are subject to audit.
8      | Operation                   | Clause 8 requirements are subject to audit.
9      | Performance Evaluation      | Clause 9 requirements are subject to audit.
10     | Improvement                 | Clause 10 requirements are subject to audit.

While the clauses and their titles are identical, the requirements in each clause may, or may not, be identical or similar. 

Appendices (the Annex)

Both ISO 27001 and ISO 14001 systems have appendices, which are identified in ISO terminology as an “Annex.”  Unlike the clauses, the annex of each standard is different.  The two tables below identify the annex sections of each standard.

Table 2 – ISMS Annex

Annex | Title                                     | Notes
------|-------------------------------------------|----------------------------------
A     | Information Security Controls Reference   | This annex is subject to audit.

Table 3 – EMS Annex

Annex | Title                                                          | Notes
------|----------------------------------------------------------------|--------------------------------------
A     | Guidance on the use of this International Standard             | This annex is not subject to audit.
B     | Correspondence between ISO/DIS 14001:2014 and ISO 14001:2004   | This annex is not subject to audit.
C     | Alphabetic index of terms in Clause 3                          | This annex is not subject to audit.

ISMS Annex A

As noted above, a critical distinction between ISMS and EMS is that ISMS Annex A contains requirements (controls) that are subject to audit, whereas no EMS annex is.  If you are an existing EMS organization integrating an ISMS, ensure you do not overlook ISMS Annex A.


Notable Differences in ISMS

Statement of Applicability – The Statement of Applicability (SoA) is a unique document.  It is primarily applicable to Information Security (IS) and Information Technology (IT) business environments, and is required for ISO 27001:2022.

Risk Management – Risk management is a fundamental process required by ISO 27001.  ISMS Section 6 addresses planning the risk management process (risks and opportunities, risk assessment, risk treatment, and information security risk management).  ISMS Section 8 addresses implementation of that planning, including risk assessment activities, risk treatment, and risk reporting.

Risk planning is also addressed in an EMS.  However, it is only addressed in EMS Section 6, not in Section 8.  For an EMS, an organization only needs to consider risk issues when planning its EMS; there is no requirement to execute risk assessment, risk treatment, risk reporting, etc.

Benefits of Integration

By integrating ISMS and EMS, organizations offer assurance to customers and key parties that environmental practices and efficient environmental performance are integrated into processes, together with the securing of data and information in an age of ever-growing cybersecurity concerns.  Benefits of integration can include:

  • A holistic management system approach, including integrated processes, streamlined use of resources, and reduced administrative burdens.
  • Security, quality, and environmental performance evidenced by simultaneous certification of security management and environmental management activities.
  • Increased marketability, including confidence from existing and potential customers that your organization can protect data and the environment while reducing risks in the delivery of products and services.

Certification

An organization that properly implements this integration should be able to establish an effective, integrated ISMS-EMS system.  However, this does not guarantee your organization will achieve EMS certification or ISMS certification.  Certification depends upon multiple variables, including such essential activities as committed leadership, review (including Management Review), analysis (including possibly statistical analysis), continual improvement, and effective internal auditing.  

Other Key Processes

Below are several additional processes that are largely specific to ISO 27001.

IS / IT Policy

P-602 (IS / IT Policy) provides standard Information Security (IS) and Information Technology (IT) policies and processes applicable to ISO 27001.  Many of the provisions in P-602 help fulfill and address controls in the Statement of Applicability (SoA). 

If your organization has an established IT department with existing processes, your IT professionals should review the IS / IT Policy document to ensure either (1) existing processes conform to the IS / IT Policy document, or (2) the IS / IT Policy document is amended to conform to your existing processes.  If you alter the IS / IT Policy document, consider possible impacts (including how you will respond to SoA requirements). 

Data Classification

Data Classification (P-801) establishes a system of classification for your electronic data and documentation.  If your organization has an established data classification process, review the Data Classification document and determine whether you need to amend the document to conform to your existing classification scheme.  If you alter the Data Classification document, consider possible impacts (including how you will respond to and fulfill SoA requirements). 

Measurement and Analysis

A Measurement and Analysis (M&A) procedure is provided (P-901).  Implementing the processes defined in the M&A procedure will ensure you fulfill the ISO 27001 requirements.

It is highly likely that an existing EMS organization already has M&A activities, measures, and reporting, and possibly KPIs.  If so, integrate the ISMS KPIs into your existing EMS M&A program.

An organization is also free to use P-901 and add measures to the KPI Template.

Asset List

It is important to note that information may be considered a type of asset in ISO 27001.  If this is applicable to your organization, use F-600 to identify and track information assets.

EMS organizations will sometimes track assets, especially if they are also ISO 9001 (QMS) certified.  In those instances, an organization typically tracks production assets (such as production equipment, parts in inventory, calibrated equipment, etc.) or environmental impact assets.  ISMS requires tracking of information-related assets.  What counts as an information-related asset varies from organization to organization; examples include laptops, tablets, and phones (endpoint devices), servers, switches, etc.

If your existing EMS (or QMS, if applicable) tracks assets, consider adding information-related assets to your existing process.  If not, implement asset tracking with the assistance of F-600.
