ISO 27001:2022 ISMS into an existing ISO 45001 OHSMS
ISO integration (sometimes referred to as an “integrated management system”) occurs when an organization combines or merges components of multiple ISO standards. This activity has become more common as the number of management systems and International Standards has risen. Integration is also facilitated through the desire of organizations to improve performance across a wide range of business activities.
An organization integrating the ISMS and OHSMS standards will find that some requirements are identical, some are similar, and others are unique to each standard. Requirements that are identical or similar can be integrated (or combined) to achieve efficiency.
A common example is Management Review. Both ISMS and OHSMS require Management Review, and some of the mandatory inputs and outputs are identical or similar. An organization could choose to write two separate procedures: one for ISMS Management Review and one for OHSMS Management Review. With efficient integration, however, an organization writes only one procedure that captures both the ISMS and OHSMS Management Review requirements, listing identical requirements only once.
Understanding the Two Management Systems
ISO 27001 is a set of requirements for an Information Security Management System (“ISMS”). Likewise, ISO 45001 is a set of requirements for an Occupational Health and Safety Management System (“OHSMS”). Other management systems, such as AS9100, AS9110, AS9120, ISO 13485, and IATF 16949, are based on the ISO 9001 QMS with additional requirements specific to the industry (“QMS9”).
When effectively implemented, an ISMS provides customers, employees, and key interested parties with assurance that data and information entrusted to an organization is safely managed. Personal data (such as PII) will be encrypted and protected. If data is transmitted, it will be moved by secured means to prevent access by hackers or data thieves.
When effectively implemented, an OHSMS helps an organization improve safety and health processes in order to improve safety performance and prevent injury. OHSMS processes provide employees, customers, and key interested parties with assurance that an organization is committed to providing a workplace where safety is a primary concern, and the risk of injury or illness is mitigated or eliminated.
Both ISO 27001 and ISO 45001 have transitioned to the current ISO International Standard layout, Annex L. Both standards have similar clauses which contain requirements which may be subject to audit in order to attain certification.
The common layout / clauses include:
Table 1 – Common Layout / Clauses
| Clause | Title | Audit applicability |
|---|---|---|
| 1 | Scope | Clause 1 is not subject to audit. |
| 2 | Normative References | Clause 2 is not subject to audit. |
| 3 | Terms and Definitions | Clause 3 is not subject to audit. |
| 4 | Context of the Organization | Clause 4 requirements are subject to audit. |
| 5 | Leadership | Clause 5 requirements are subject to audit. |
| 6 | Planning | Clause 6 requirements are subject to audit. |
| 7 | Support | Clause 7 requirements are subject to audit. |
| 8 | Operation | Clause 8 requirements are subject to audit. |
| 9 | Performance Evaluation | Clause 9 requirements are subject to audit. |
| 10 | Improvement | Clause 10 requirements are subject to audit. |
While the clauses and their titles are identical, the requirements in each clause may, or may not, be identical or similar.
Appendices (the Annex)
Both ISO 27001 and ISO 45001 systems have appendices, which are identified in ISO terminology as an “Annex.” Unlike the clauses, the annex of each standard is different. The two tables below identify the annex sections of each standard.
Table 2 – ISMS Annex
| Annex | Title | Audit applicability |
|---|---|---|
| A | Information Security Controls Reference | This annex is subject to audit. |
Table 3 – OHSMS Annex
| Annex | Title | Audit applicability |
|---|---|---|
| A | Guidance on the use of this document | This annex is not subject to audit. |
ISMS Annex A
As noted above, a critical distinction between ISMS and OHSMS is that ISMS Annex A contains requirements (controls) that are subject to audit. This is different from OHSMS. If you are an existing OHSMS organization that is integrating ISMS, ensure you do not overlook ISMS Annex A.
Notable Differences in ISMS
Statement of Applicability – The Statement of Applicability (SoA) is a unique document. It is primarily applicable to Information Security (IS) and Information Technology (IT) business environments, and is required for ISO 27001:2022.
Risk Management – Risk management is a fundamental process required by ISO 27001. ISMS Section 6 addresses planning a risk management process (risks and opportunities, risk assessment, risk treatment, and information security risk management). ISMS Section 8 addresses implementation of risk management planning, including risk assessment activities, risk treatment, and risk reporting.
OHSMS is similar to ISMS by requiring risk planning in section 6 and risk management implementation in section 8. The key difference is that OHSMS requires:
- Implementation of processes for elimination or reduction of “OH&S risks,”
while ISMS requires:
- Implementation of an organizational process to fulfill ISMS clause 6 (risk planning) in addition to security risk assessments and risk treatment (clause 8).
The difference is subtle but important. An existing OHSMS risk management process can be used by an organization adding ISMS, but must be reviewed, analyzed, and improved to ensure the comprehensive ISMS approach is addressed, including risks associated with Annex A security controls.
Benefits of Integration
By integrating ISMS and OHSMS, organizations offer assurance to employees, customers, and key parties that efficient health practices and safety performance are integrated into their processes, alongside the securing of data and information in an age of ever-growing cybersecurity concerns. Benefits of integration can include:
- Holistic management system approach, including integrated processes, streamlined use of resources, and reduced administrative burdens.
- Data and information security coupled with reassurance of a safe and healthy work environment, as evidenced by simultaneous certification of ISMS and OHSMS activities.
- Increased marketability, including confidence from existing and potential customers that your organization can protect data and maintain a safe work environment.
- Potential reduction of injuries and associated costs while simultaneously reducing the risk of data breach or information incursion.
An organization that properly implements this integration should be able to establish an effective, integrated ISMS-OHSMS system. However, this does not guarantee your organization will achieve OHSMS certification or ISMS certification. Certification depends upon multiple variables, including such essential activities as committed leadership, review (including Management Review), analysis (including possibly statistical analysis), continual improvement, and effective internal auditing.
Other Key Processes
Below are several additional processes that are specific to ISO 27001.
IS / IT Policy
P-602 (IS / IT Policy) provides standard Information Security (IS) and Information Technology (IT) policies and processes applicable to ISO 27001. Many of the provisions in P-602 help fulfill and address controls in the Statement of Applicability (SoA).
If your organization has an established IT department with existing processes, your IT professionals should review the IS / IT Policy document to ensure either (1) existing processes conform to the IS / IT Policy document, or (2) the IS / IT Policy document is amended to conform to your existing processes. If you alter the IS / IT Policy document, consider possible impacts (including how you will respond to SoA requirements).
Data Classification (P-801) establishes a system of classification for your electronic data and documentation. If your organization has an established data classification process, review the Data Classification document and determine whether you need to amend the document to conform to your existing classification scheme. If you alter the Data Classification document, consider possible impacts (including how you will respond to and fulfill SoA requirements).
Measurement and Analysis
A Measurement and Analysis (M&A) procedure is provided (P-901). Implementing the processes defined in the M&A procedure will ensure you meet and fulfill ISO 27001 requirements.
It is highly likely that an existing OHSMS organization has M&A activities, measures, and reporting. It is possible an existing OHSMS organization uses KPIs. If so, integrate the ISMS KPIs into your existing OHSMS M&A program.
An organization is free to use P-901 and add measures to the KPI Template.
It is important to note that information may be considered a type of asset in ISO 27001. If this is applicable to your organization, use F-600 to identify and track information assets.
OHSMS technically has no asset requirement, although many OHSMS-certified organizations perform basic asset tracking, especially if they are also ISO 9001 (QMS) certified. In those instances, an organization typically tracks production assets (such as production equipment, parts in inventory, calibrated equipment, etc.) or safety assets. ISMS requires tracking of information-related assets. What counts as an information-related asset varies from organization to organization. Examples may include laptops, tablets, phones (endpoint devices), servers, switches, etc.
If your existing OHSMS (or QMS, if applicable) tracks assets, consider adding information-related assets to your existing process. If not, implement asset tracking with the assistance of F-600.