Integrated audits: multiple ISO standards in one engagement

IT audit · 7 min read

Kees van der Vlies

Partner | IT Auditor

Organizations working with multiple ISO standards know the problem: each standard requires its own audits, documentation, and management reviews. Consider a healthcare institution with ISO 27001 and NEN 7510, an IT service provider with ISO 27001 and ISO 9001, or an AI company with ISO 27001 and ISO 42001. The overlap between the standards is significant, yet the audits are often conducted separately. With two standards that means double the time, double the cost, and double the administration.

An integrated audit combines multiple standards in a single audit engagement. This article describes how it works, which standards combine well, and where the pitfalls lie.

Why integrate?

All ISO management system standards are based on the same High Level Structure (HLS, since 2021 called the Harmonized Structure in Annex SL of the ISO/IEC Directives). Clauses 4 through 10 are identical in structure across every management system standard: context of the organization, leadership, planning, support, operation, performance evaluation, and improvement. The specific content differs, but the framework is the same.

This means much of the documentation, and many of the processes and controls, can be shared. A risk assessment process, an internal audit procedure, a management review, control of documented information, and handling of nonconformities and corrective actions: the HLS requires these of every standard, so they can be implemented once as shared processes. The standard-specific requirements are then layered on top.

The benefits are concrete. An integrated audit typically costs 25 to 40 percent less time than separate audits. The documentation burden decreases because you maintain one integrated management system instead of separate systems. And the coherence between standards becomes visible: information security, quality management, and AI governance reinforce each other when assessed together.

Which combinations work well?

The most common combination we see in practice is ISO 27001 with NEN 7510 for healthcare organizations and their IT providers. NEN 7510 is the Dutch healthcare information security standard, built directly on ISO 27001 and ISO 27002 with additional requirements for the healthcare sector. The overlap is very large, making integration the logical choice.

ISO 27001 with ISO 42001 is a rapidly growing combination. Organizations that deploy AI and want to demonstrate both information security and AI governance combine these standards. The HLS clauses are shared, while the standard-specific controls (Annex A of ISO 27001 and Annex A of ISO 42001) are assessed separately, and each standard keeps its own Statement of Applicability.

ISO 27001 with ISO 9001 is classic for IT service providers wanting to certify both information security and quality management. ISO 27001 with ISO 22301 combines information security with business continuity management.

For cloud providers, we see combinations of ISO 27001 with ISO 27017 and ISO 27018. These two are not stand-alone management system standards but sets of additional cloud-specific security and privacy controls; they are audited as extensions of the base ISMS and recorded in its Statement of Applicability.

How does an integrated audit work?

In an integrated audit, the auditor assesses the shared HLS clauses once, checking each against the specific requirements of every standard in scope, and then reviews the standard-specific controls per standard. In practice, the auditor starts with context, policy, risk assessment, and management review, assessing these against all standards simultaneously. Then the specific controls per standard are reviewed.

An ISO 27001 plus ISO 42001 audit might look as follows. Day one covers the HLS clauses: policy, scope, risk assessment, competencies, internal audit, and management review. Day two covers the ISO 27001 Annex A controls. Day three covers the ISO 42001 Annex A controls, including AI-specific topics such as the AI system impact assessment, data management for AI systems, and responsible use of AI.

The result is a combined audit report with findings per standard. The certification body issues separate certificates for each standard, but the engagement is integrated (accredited certification bodies conduct such audits under IAF MD 11). One consequence to keep in mind: a nonconformity in a shared process, such as an internal audit that was not performed, counts against every standard that relies on that process.

Pitfalls in integration

The first pitfall is integrating too early. Organizations just starting their first ISO certification are better off establishing one standard solidly before adding a second. A shaky foundation does not become stronger by adding another floor.

The second pitfall is underestimating the standard-specific requirements. The HLS structure is shared, but the substantive requirements per standard differ significantly. AI governance is not the same as information security management, and business continuity is not the same as quality management. Each deserves specific attention and expertise, both in the organization and in the audit team.

Secure Audit specializes in integrated audits. Our platform supports the assessment of multiple standards in an integrated work program, with the ability to link each control assessment to one or more standards. Contact us to discuss the possibilities for an integrated audit.

About the author

Kees van der Vlies

Partner | IT Auditor
