ISO 27001:2022 ISMS into an existing ISO 14001 EMS
ISO integration (sometimes referred to as an “integrated management system”) occurs when an organization combines or merges components of multiple ISO standards. This activity has become more common as the number of management systems and International Standards has risen. Integration is also facilitated through the desire of organizations to improve performance across a wide range of business activities.
An organization integrating the ISMS and EMS standards will find that some requirements are identical, some are similar, and others are unique to each standard. Requirements that are identical or similar can be integrated (or combined) to achieve efficiency.
A common example is Management Review. Both ISMS and EMS require Management Review. Some of the mandatory inputs and outputs are identical or similar. An organization could choose to write two separate procedures; one for ISMS Management Review and one for EMS Management Review. However, by efficient integration, an organization writes only one procedure that captures ISMS and EMS Management Review requirements, including listing identical requirements only once.
Understanding the Two Management Systems
ISO 27001 is a set of requirements for an Information Security Management System (“ISMS”). Likewise, ISO 14001 is a set of requirements for an Environmental Management System (“EMS”). Other management systems, such as AS9100, AS9110, AS9120, ISO 13485, and IATF 16949, are based on the ISO 9001 QMS with additional requirements specific to the industry (“QMS9”).
When effectively implemented, an ISMS provides customers, employees, and key interested parties with assurance that data and information entrusted to an organization are safely managed. Personal data (such as PII) will be encrypted and protected. If data is transmitted, it will be moved by secured means to prevent access by hackers or data thieves.
When effectively implemented, an EMS helps an organization improve its environmental performance. EMS processes provide customers, employees, and key interested parties with assurance that an organization is making efficient use of resources, reducing waste, and gaining competitive advantage without compromising the environment or critical environmental issues. EMS practices encourage better environmental performance by integrating environmental factors into the organization’s business systems and processes.
Both ISO 27001 and ISO 14001 have transitioned to the current ISO International Standard layout, Annex L. Both standards therefore share the same clause structure, and the requirements in each clause may be subject to audit in order to attain certification.
The common layout / clauses include:
Table 1 – Common Layout / Clauses
| Clause | Title | Audit applicability |
|---|---|---|
| 1 | Scope | Clause 1 is not subject to audit. |
| 2 | Normative References | Clause 2 is not subject to audit. |
| 3 | Terms and Definitions | Clause 3 is not subject to audit. |
| 4 | Context of the Organization | Clause 4 requirements are subject to audit. |
| 5 | Leadership | Clause 5 requirements are subject to audit. |
| 6 | Planning | Clause 6 requirements are subject to audit. |
| 7 | Support | Clause 7 requirements are subject to audit. |
| 8 | Operation | Clause 8 requirements are subject to audit. |
| 9 | Performance Evaluation | Clause 9 requirements are subject to audit. |
| 10 | Improvement | Clause 10 requirements are subject to audit. |
While the clause numbers and titles are identical in both standards, the requirements within each clause may or may not be identical or similar.
Appendices (the Annex)
Both ISO 27001 and ISO 14001 systems have appendices, which are identified in ISO terminology as an “Annex.” Unlike the clauses, the annex of each standard is different. The two tables below identify the annex sections of each standard.
Table 2 – ISMS Annex
| Annex | Title | Audit applicability |
|---|---|---|
| A | Information Security Controls Reference | This annex is subject to audit. |
Table 3 – EMS Annex
| Annex | Title | Audit applicability |
|---|---|---|
| A | Guidance on the use of this International Standard | This annex is not subject to audit. |
| B | Correspondence between ISO/DIS 14001:2014 and ISO 14001:2004 | This annex is not subject to audit. |
| C | Alphabetic index of terms in Clause 3 | This annex is not subject to audit. |
ISMS Annex A
As noted above, a critical distinction between the ISMS and the EMS is that ISMS Annex A contains requirements (controls) that are subject to audit, whereas none of the EMS annexes are. If you are an existing EMS organization integrating an ISMS, ensure you do not overlook ISMS Annex A.
Notable Differences in ISMS
Statement of Applicability – The Statement of Applicability (SoA) is a document unique to the ISMS. It is primarily applicable to Information Security (IS) and Information Technology (IT) business environments, and it is required for ISO 27001:2022.
Risk Management – Risk management is a fundamental process required by ISO 27001. ISMS Section 6 addresses planning a risk management process (risks and opportunities, risk assessment, risk treatment, and information security risk management). ISMS Section 8 addresses implementation of risk management planning, including risk assessment activities, risk treatment, and risk reporting.
Risk planning is addressed in the EMS as well. However, it is only addressed in EMS Section 6, not in Section 8. For an EMS, an organization only needs to consider risk issues when planning its EMS; there is no requirement to execute risk assessment, risk treatment, risk reporting, and so on.
Benefits of Integration
By integrating the ISMS and the EMS, organizations offer assurance to customers and key parties that environmental practices and efficient environmental performance are integrated into their processes, alongside the securing of data and information in an age of ever-growing cybersecurity concerns. Benefits of integration can include:
- A holistic management system approach, including integrated processes, streamlined use of resources, and reduced administrative burdens.
- Security, quality, and environmental performance are evidenced by simultaneous certification of security management and environmental management activities.
- Increased marketability, including confidence from existing and potential customers that your organization can protect data and the environment, while reducing risks in the delivery of products and services.
An organization that properly implements this integration should be able to establish an effective, integrated ISMS-EMS. However, this does not guarantee that your organization will achieve EMS certification or ISMS certification. Certification depends upon multiple variables, including such essential activities as committed leadership, review (including Management Review), analysis (possibly including statistical analysis), continual improvement, and effective internal auditing.
Other Key Processes
Below are several additional processes that are largely specific to ISO 27001.
IS / IT Policy
P-602 (IS / IT Policy) provides standard Information Security (IS) and Information Technology (IT) policies and processes applicable to ISO 27001. Many of the provisions in P-602 help fulfill and address controls in the Statement of Applicability (SoA).
If your organization has an established IT department with existing processes, your IT professionals should review the IS / IT Policy document to ensure either (1) existing processes conform to the IS / IT Policy document, or (2) the IS / IT Policy document is amended to conform to your existing processes. If you alter the IS / IT Policy document, consider possible impacts (including how you will respond to SoA requirements).
Data Classification
Data Classification (P-801) establishes a system of classification for your electronic data and documentation. If your organization has an established data classification process, review the Data Classification document and determine whether you need to amend the document to conform to your existing classification scheme. If you alter the Data Classification document, consider possible impacts (including how you will respond to and fulfill SoA requirements).
Measurement and Analysis
A Measurement and Analysis (M&A) procedure is provided (P-901). Implementing the processes defined in the M&A procedure will ensure you meet and fulfill ISO 27001 requirements.
It is highly likely that an existing EMS organization already has M&A activities, measures, and reporting, and it may already use KPIs. If so, integrate the ISMS KPIs into your existing EMS M&A program.
An organization is free to use P-901 and add measures to the KPI Template.
Information Assets
It is important to note that information may be considered a type of asset in ISO 27001. If this is applicable to your organization, use F-600 to identify and track information assets.
EMS organizations will sometimes track assets, especially if they are also ISO 9001 (QMS) certified. In those instances, an organization typically tracks production assets (such as production equipment, parts in inventory, calibrated equipment, etc.) or environmental impact assets. The ISMS requires tracking of information-related assets. What counts as an information-related asset varies from organization to organization; examples include laptops, tablets, and phones (endpoint devices), servers, switches, etc.
If your existing EMS (or QMS, if applicable) tracks assets, consider adding information-related assets to your existing process. If not, implement asset tracking with the assistance of F-600.