Integration of
ISO 27001:2022 ISMS into an existing ISO 14001 EMS

ISO integration (sometimes referred to as an “integrated management system”) occurs when an organization combines or merges components of multiple ISO standards.  This activity has become more common as the number of management systems and International Standards has risen.  Integration is also facilitated through the desire of organizations to improve performance across a wide range of business activities.

An organization integrating the ISMS and EMS standards will find that some requirements are identical, some are similar, and others are unique to each standard.  Requirements that are identical or similar can be integrated (or combined) to achieve efficiency. 

A common example is Management Review.  Both ISMS and EMS require Management Review.  Some of the mandatory inputs and outputs are identical or similar.  An organization could choose to write two separate procedures; one for ISMS Management Review and one for EMS Management Review.  However, by efficient integration, an organization writes only one procedure that captures ISMS and EMS Management Review requirements, including listing identical requirements only once.

Product: Our ISO 27001:2022 ISMS for Existing EMS provides all of the tools you need to implement your ISMS.

Understanding the Two Management Systems

ISO 27001 is a set of requirements for an Information Security Management System (“ISMS”).  Likewise, ISO 14001 is a set of requirements for an Environmental Management System (“EMS”).  

When effectively implemented, an ISMS provides customers, employees, and key interested parties with assurance that data and information entrusted to an organization are managed securely.  Personal data (PII) will be protected, including by encryption.  If data is transmitted, it will be moved by secured means to prevent access by hackers or data thieves.

When effectively implemented, an EMS provides customers, employees, and key interested parties with assurance that an organization continuously monitors and improves its processes and their environmental impacts, within the environmental management system it has established as part of its ongoing operations.

Notable Differences in ISMS

Statement of Applicability – The Statement of Applicability (SoA) is a unique document.  It is primarily applicable to Information Security (IS) and Information Technology (IT) business environments, and is required for ISO 27001:2022.

Other Key Processes

Below are several additional processes that are largely specific to ISO 27001.

IS / IT Policy

P-602 (IS / IT Policy) provides standard Information Security (IS) and Information Technology (IT) policies and processes applicable to ISO 27001.  Many of the provisions in P-602 help fulfill and address controls in the Statement of Applicability (SoA). 

If your organization has an established IT department with existing processes, your IT professionals should review the IS / IT Policy document to ensure either (1) existing processes conform to the IS / IT Policy document, or (2) the IS / IT Policy document is amended to conform to your existing processes.  If you alter the IS / IT Policy document, consider possible impacts (including how you will respond to SoA requirements). 

Data Classification

Data Classification (P-801) establishes a system of classification for your electronic data and documentation.  If your organization has an established data classification process, review the Data Classification document and determine whether you need to amend the document to conform to your existing classification scheme.  If you alter the Data Classification document, consider possible impacts (including how you will respond to and fulfill SoA requirements). 

Measurement and Analysis

A Measurement and Analysis (M&A) procedure is provided (P-901).  Implementing the processes defined in the M&A procedure will ensure you fulfill the ISO 27001 requirements for monitoring, measurement, analysis, and evaluation.

It is highly likely that an existing EMS organization has M&A activities, measures, and reporting.  It is possible an existing EMS organization uses KPIs.  If so, integrate the ISMS KPIs into your existing EMS M&A program. 

An organization is free to use P-901 as provided and add its own measures to the KPI Template.

Asset List

It is important to note that information may be considered a type of asset in ISO 27001.  If this is applicable to your organization, use F-600 to identify and track information assets.

The ISMS requires tracking of information-related assets.  What counts as an information-related asset varies from organization to organization.  Examples include laptops, tablets, and phones (endpoint devices), servers, switches, etc.


MAKE ISO 27001 CERTIFICATION SIMPLE AND FOOLPROOF!


Our All-in-One Certification Package is a proven, efficient system. It gives you all you need to prepare for certification – in one simple to use package.

Customer Review:

"I have just passed my audit with zero non-conformances for the second year in a row using your ISO products to write my entire QMS. Thank you for producing documents of this quality."

Bettye Patrick
