77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Building an integrated management system: From an ISO patchwork to a uniform compliance architecture
Platform & Strategy

Building an integrated management system: From an ISO patchwork to a uniform compliance architecture

25 June 202614 min readBy Dr. Henrik Bauer
CIVAC

Anyone who maintains multiple ISO standards knows the problem: duplicate audits, contradictory procedures, redundant documents. An integrated management system based on a high level structure bundles requirements, reporting obligations and audit trails. This guide shows the structure, sequence and tools.

An integrated management system, or IMS for short, combines several standards-based management systems in a common architecture. The basis is the High Level Structure according to Annex SL of the ISO/IEC Directives, Part 1, which has specified an identical chapter structure, identical terms and identical core requirements for all relevant ISO management system standards since 2026. This means that ISO 9001:2015 (quality), ISO 14001:2015 (environment), ISO 45001:2018 (occupational safety) and ISO/IEC 27001:2022 (information security) can be interlinked without redundancies. ISO 50001 (energy) and ISO 22301 (business continuity) can also be easily incorporated. In practice, anyone who maintains three or more standards saves 30 to 50 percent of audit effort per year.

Building an IMS is not a software project or a documentation marathon. It is a structured reorganization of responsibility, risk and evidence. This guide describes seven steps, the typical sequence of standard integration, the mandatory documents according to Appendix SL and the tools that support day-to-day business. Anyone who wants to take the path on their own responsibility will find concrete instructions and stages. If you prefer a platform approach with the CIVAC Compliance Platform and Officer-as-a-Service, you can see in the following sections where the licence model and external representative accelerate the setup and which standardised artifacts CIVAC provides out of the box.

Key Takeaways

  • The High Level Structure according to Appendix SL makes an IMS technically possible because all relevant ISO standards share an identical chapter structure.
  • Recommended order: ISO 9001 as a basis, then 14001 and 45001, then 27001:2022, because this properly practices risk and process thinking.
  • In practice, an IMS saves 30 to 50 percent of audit effort because internal audits, management reviews and risk analysis are combined.

What an integrated management system is and what is not

An IMS is not an additional management system, but rather a common bracket around existing systems. It uses the identical chapter structure of the standard requirements according to Annex SL and overlays common documentation, a common audit plan and a common management review. The term is not standardised; There is no ISO standard called IMS, but only the integration bracket around the individual standardised systems. Anyone who sets up an IMS does not certify the IMS itself, but rather the individual standards, ideally in a joint audit with a single accredited certification body.

The typical confusion is to equate IMS with a document management system. A DMS is part of the IMS, but not the IMS itself. An IMS includes responsibilities, risk inventory, context analysis according to Chapter 4 of the standards, stakeholder lists, goal definition, operational control, performance evaluation and continuous improvement. These building blocks are included in every ISO management system standard and are defined once in the IMS instead of being managed multiple times. Anyone who does not anchor the understanding of this difference internally will end up building a document-driven compliance theater instead of a living organisation.

The added value becomes visible as soon as three or more standards are maintained. A classic industrial company with ISO 9001, 14001 and 45001 saves around 30 to 50 percent of audit effort through integration because internal audits, management reviews, training and risk analysis are combined. Anyone who also introduces ISO/IEC 27001:2022 benefits particularly because the 93 controls from Appendix A are incorporated into the common risk management process. An IMS is therefore less a savings program than a consolidation of the compliance architecture, which typically becomes necessary after three to five years of uncontrolled growth as soon as the number of Excel lists and SharePoint libraries maintained in parallel exceeds any sensible maintenance.

The High Level Structure: Why integration is technically possible

The High Level Structure according to Annex SL of the ISO/IEC Directives was introduced in 2012 and has been mandatory in all revised management system standards since 2015. It defines ten chapters: scope, normative references, terms, organisational context, leadership, planning, support, operations, performance evaluation and improvement. Each of these chapters contains identical or nearly identical subsections, such as context analysis, interested parties, risk and opportunity assessment, and internal audit. This structural identity is the foundation of every IMS integration and not a downstream artifice.

The integration is therefore more than an organisational wish: it is technically prepared by identical requirement texts. Anyone who creates a list of interested parties in accordance with Chapter 4.2 can use it for all standards as long as each relevant stakeholder group is identified for each standard. The same applies to the risk and opportunity analysis according to Chapter 6.1, to the documented information according to Chapter 7.5 and to the internal audit according to Chapter 9.2. The standard-specific features are concentrated in Chapter 8 (Operation), where product implementation, environmental aspects, risk assessment or information security controls each have their own requirements.

The practical structure does not follow the order of the individual standards, but rather the order of the ten chapters. First the common framework is defined (Chapters 4 to 5), then the common planning and support mechanisms (Chapters 6 and 7). The standard-specific operating requirements are then presented in Chapter 8, such as production control according to ISO 9001:8.5 or risk treatment plan according to ISO 27001:6.1.3. Finally, evaluation and improvement follow in Chapters 9 and 10. This vertical processing order according to HLS chapters instead of horizontally according to standards is the most important efficiency lever in the IMS structure and reduces the number of documents in a typical medium-sized company from 200 to 300 to 80 to 120. This only makes maintenance economically viable in the following year.

Sequence of standard integration: From quality thinking to information security

The recommended construction sequence is not based on the system that was created first, but rather on the lowest hurdle to the next. The following sequence has proven successful in practice: ISO 9001:2015 as the basis first, because it establishes process thinking and document control. Then ISO 14001:2015 because it integrates environmental and material flows and expands risk thinking beyond your own company. Third, ISO 45001:2018 because it formalizes employee involvement and risk assessment. These three standards share a similar level of maturity and can be developed in two steps of around six months each, provided a basic understanding of process management is already present.

Only after these three basic systems is it recommended to move to ISO/IEC 27001:2022. The information security standard requires a higher level of maturity in risk thinking because risks not only have to be identified, but also treated according to Appendix A with 93 controls. Anyone who already knows the risk vocabulary from 9001 and 45001 has a measurable starting advantage here. The ISO 27001:2022 transition until October 2026 can also be mapped in a much more controlled manner in an IMS framework because Annex A controls are incorporated into the common risk matrix and do not have to be maintained in parallel in a separate table.

Special standards are added for regulated industries: ISO 13485 for medical devices, IATF 16949 for automotive, EN 9100 for aerospace or ISO 22000 for food safety. Some of these standards do not follow the pure HLS, but can be appended to the HLS chapters and integrated via mapping tables. ISO 50001:2018 (Energy) and ISO 22301:2019 (Business Continuity) are pure HLS standards and integrate easily into the existing IMS framework. Anyone planning more than three standards should extend the development over twelve to 18 months, otherwise the organisation will be overwhelmed and the IMS will ultimately only exist on paper. A realistic phase plan is the prerequisite for a later joint certification in a combined audit with a single certification body, which usually only requires a single on-site audit trip.

Seven steps: From the stakeholder directory to the management review

The structure of an IMS can be divided into seven successive steps. Step one is the context analysis according to Chapter 4 of the HLS: Which internal and external issues influence the company, which interested parties have which requirements, and which scope of application is defined? Step two is the leadership and responsibility matrix according to Chapter 5: Who is top management, who has standard-specific responsibility, who is the representative for each standard, and who has the reporting line to management. This clarification is the prerequisite for all further steps and should be signed in writing by the management.

Step three is the joint risk and opportunity analysis according to Chapter 6.1, supplemented by target definition according to 6.2 and change planning according to 6.3. Step four is the Chapter 7 support infrastructure: resources, competence, awareness, communication and documented information. This is where joint document management is set up, which has a significant influence on the later effort. Step five is the standard-specific operational control according to Chapter 8, in which the differences between quality, environment, occupational safety and information security become visible for the first time and where most of the detailed technical work occurs.

Step six is ​​the evaluation of performance according to Chapter 9: joint monitoring, joint internal audit according to 9.2 and joint management review according to 9.3, in which all standards are considered in one meeting every six months or year. Step seven is continuous improvement according to Chapter 10 with action management, corrective actions and lessons learned. These seven steps typically result in an 80 to 120 document set, which is built in 12 to 18 months using a platform like CIVAC and 490 prepared audit templates. Experience shows that without a platform and templates, the setup is extended to 24 to 36 months, with significantly higher internal coordination effort, more inconsistencies and higher follow-up costs in the monitoring audits from year two.

Documentation, key figures and audit trail: What really needs to be central

The HLS requires documented information in accordance with Chapter 7.5, but deliberately leaves open what form it takes. Mandatory are the scope, policy, objectives, risks and opportunities, audit program, management review results, evidence of competence, records of compliance and measures for improvement. Anyone who manages these nine categories centrally, in a versioned manner and with search capability has the audit trail. Anyone who keeps them in Outlook mailboxes, personal drives and uncontrolled SharePoint libraries will fail in the first internal sample and at the same time provide the external auditor with a long list of secondary findings.

Key figures are the second central lever. There should be at least three measurable indicators per standard: for ISO 9001, for example, complaint rate, first-pass yield and supplier quality; for ISO 14001 energy consumption per product unit, waste rate and approval status; for ISO 45001 accident rate, near misses and training penetration; for ISO 27001:2022 incident rate, availability of critical systems and number of Annex A risks addressed. These indicators are consolidated in the IMS in a common cockpit, which is presented to management on a monthly or at least quarterly basis. Trend lines over twelve months are significantly more meaningful in the audit than key date values.

The audit path consists of three components: firstly, the audit program with dates, auditors and area; secondly, the audit reports with findings and corrective actions; thirdly, proof of the effectiveness of the measures. Anyone who manages these three components in a workspace can present the status to every supervisory authority, every certifier and every management within an hour. The auditor calls, the evidence is ready. CIVAC provides this audit path as standard, with 490 audit templates and a reporting line that is viable without further customization. This reduces the preparation time for a joint audit from typically six to two weeks and the stress of the weeks before the audit date to a minimum because all artifacts are already available in their current version.

Representative structure in the IMS: One reporting line, several roles

An IMS does not solve the question of the representative structure by itself. However, it does force the responsibility to be clearly defined per standard. The typical setup in medium-sized companies includes a quality management officer (QMB), an environmental officer, an occupational safety specialist (SiFa), an information security officer (ISB) and, depending on the industry, a fire protection officer, a hazardous materials officer or a waste officer. Each of these roles has its own legal or normative background that must not be included in the IMS. The SiFa, for example, results from the ASiG, the fire protection officer from the ASR A2.2, the hazardous substances officer from TRGS 526.

The integration consists in the fact that all officers have a common reporting line to the management and appear in a joint management review. Operationally, they continue to work in their specialist areas, but document in a central workspace. This reduces duplication of effort and provides management with a consolidated picture instead of five separate reports. A sensible practice is to introduce an IMS coordinator who organises the synchronization of the representatives without taking on their professional responsibility. This role is not standardised, but in practice it is critical to success and can certainly be taken over by a management department.

If there is a shortage of staff, some of the representative roles can be filled externally. CIVAC offers 25 officer roles as Officer-as-a-Service, from ISB and QMB to GSB and BSB to SiFa. Licence the workspace for your internal representatives, or have our representatives order it. This dual option is particularly useful if a company wants to manage three or more standards but cannot create a separate position for each role. More details about the individual roles can be found on the CIVAC role overview pages. The reporting line remains unchanged regardless of the licence model, as does the audit trail and the documentation structure. This makes a later change in the line-up organizationally possible without endangering the structure.

ISO 27001:2022 in the IMS: The transition as a reason for integration

ISO/IEC 27001:2022 is the last standard that is still kept separately in many companies. With the 2022 revision, it reduced the number of controls in Appendix A from 114 to 93 and regrouped them into four subject areas (organisational, personnel, physical, technical). The transition from 27001:2013 to 27001:2022 is binding until October 2026, which forces many companies to think about integration into an IMS in parallel with recertification. The opportunity is good because the HLS structure needs to be revised anyway and the Statement of Applicability needs to be converted to the new 93 controls.

Integrating the 93 controls into common risk management is by far the most important step. Instead of a separate 27001 risk matrix, the existing IMS risk matrix will be expanded. Each risk entry has a column with the applicable Appendix A controls. The Statement of Applicability remains as a separate document because it is a 27001-specific mandatory artifact. However, the effectiveness assessment of the controls is included in the joint management review, so that the management evaluates information security in the same breath as quality, environment and occupational safety. This makes information security a management task instead of an IT-internal specialist discipline.

The NIS 2 background reinforces this trend. According to the German NIS 2 implementation law, which affects around 29,500 people, many companies are now obliged to set up an ISMS that functionally corresponds to a 27001 architecture. Anyone who is required to comply with NIS 2 cannot avoid an ISMS, and anyone who sets up an ISMS should integrate it into the IMS. CIVAC offers a preconfigured workspace for this with the 24-hour early warning and 72-hour follow-up reporting path according to NIS-2 as well as the complete mapping table between Annex A of 27001:2022, the NIS-2 obligations and the HLS chapters. Experience has shown that this mapping table is one of the largest sources of effort in the classic Excel workflow and is not necessary with a platform-supported solution. Fines for NIS-2 significantly range up to 10 million euros or 2 percent of group sales according to Section 60 BSIG, which further increases the pressure for integration.

Common mistakes when setting up IMS and how to avoid them

Three errors occur particularly frequently when setting up an IMS. First: start too early with software instead of architecture. Anyone who purchases IMS software before the context analysis, the responsibility matrix and the risk approach have been defined will end up with an empty shell. Software supports a mature IMS structure, but does not replace it. The order makes sense: first clarify the architecture, then choose templates, then use the platform, then establish normative conformity with details. If you reverse this order, you pay twice: once for the software and once for the advice that makes it useful.

Secondly: too many standards at the same time. Anyone who introduces ISO 9001, 14001, 45001 and 27001:2022 in parallel within twelve months risks overloading the line organisation. The standard is formally adhered to, but the content is not lived. The result is numerous incidental findings in the first surveillance audit and an erosion effect in subsequent years because the organisation does not maintain documentation. A realistic sequence with a gap of three to six months between the standards saves considerable costs and protects against the IMS being classified as a failure after 18 months and a second attempt with double the budget following.

Third: separation of IMS and operational work. An IMS that is only used in audits is dead. It only comes to life when document control, risk analysis and action management are embedded in everyday work. This works if the platform displays the tasks where the employees work, for example as a task in the workspace, as a reminder of the training or as an escalation in the event of a delayed incident. CIVAC maps this operational relationship by placing audit templates, reporting lines and escalation paths in one system. Others run compliance like a filing cabinet. We run it like software. The difference is noticeable in the third year after certification because the organisation actively uses the system instead of just maintaining it, and because employees perceive the platform as a help and not a burden.

From the construction plan to the order: Next steps with CIVAC

An IMS project begins with three clarifications. First, what standards do you maintain today and what do you plan to do in the next 24 months? Second, which agent roles exist and which are vacant or double-filled? Third: Which documentation is audit-proof today, and which consists of Excel tables, email folders or grown SharePoint structures? These three clarifications result in the effort, the sequence and the appropriate licence model. An honest inventory usually takes two weeks and is the prerequisite for a reliable phase plan and a realistic budget.

CIVAC accompanies IMS structures in two variants. Licence the workspace for your internal representatives, or have our representatives order it. In the first model, your representatives receive access to the platform with 490 ready-to-use audit templates, the HLS-compliant document structure, a risk and opportunity matrix and the consolidated management review template. In the second model, CIVAC provides external representatives for individual standards in addition to the platform, such as an external ISB or QMB. Both models use EU data residency and can be combined so that internal and external responsibility converge in one audit trail and the reporting line remains unchanged regardless of the licensing model.

Turn reading into a mandate. Send a short email to info@civac.de with the standards you apply today, the number of employees and an appointment for a 30-minute conversation. You will receive a proposal with the sequence, effort and licence model within two working days. If you want to read more beforehand, you can find the most important key figures about the platform, templates and SLA in the CIVAC Facts, and answers to typical introductory questions in the FAQ section. An integrated management system is not an end in itself, but an investment in audit robustness, speed of management and reduction of redundant work. The appointment certificate, signed, filed, verifiable, is just the beginning of a compliance architecture that does not interfere with day-to-day business and supports the audit.

FAQ

What is the difference between a QM system and an integrated management system?

A QM system according to ISO 9001:2015 only covers quality. An IMS combines multiple management systems such as 9001, 14001, 45001 and 27001:2022 in a common architecture. It uses the High Level Structure according to Appendix SL to combine documentation, audit and management review. An IMS itself is not certified, but rather the individual standards within it, ideally in a combined audit.

How long does it take to set up an IMS for three standards?

With a platform, templates and defined representative roles, an IMS for three standards can be set up in twelve to 18 months. Without a platform and without external support, the effort often extends to 24 to 36 months. What is crucial is a realistic sequence with a gap of three to six months between the standards and a clear phase plan with binding milestones per quarter.

Which norm should I introduce first when rebooting?

ISO 9001:2015 as a basis because it practices process thinking and document control. This is followed by ISO 14001:2015 and ISO 45001:2018 depending on the industry, and only then ISO/IEC 27001:2022 with Annex A and its 93 controls. Anyone who comes from a regulated IT environment can also start directly with 27001:2022, but has higher learning curves with the risk approach and the context analysis according to Chapter 4.

Do I need an external auditor for the joint audit?

For the initial certification and the annual surveillance audits, yes, the auditor must come from an accredited certification body. For the internal audits according to Chapter 9.2, an appropriately qualified internal person with documented independence from the area being audited is sufficient. CIVAC provides external auditors for internal audits upon request, for example via the officer-as-a-service role of supplier auditor.

How can ISO 27001:2022 be neatly integrated into an existing IMS?

The 93 controls from Appendix A are incorporated into the existing risk and opportunity matrix according to Chapter 6.1. The Statement of Applicability remains as a 27001-specific document. The management review is expanded to include information security, so that management evaluates all standards in one meeting. CIVAC provides a mapping table between Appendix A, HLS chapters and NIS 2 obligations.

How much does the CIVAC platform cost for an IMS setup?

The licence for the workspace is based on the number of employees and the number of integrated representative roles. In a typical medium-sized company it is between 800 and 2,500 euros per month. Officer-as-a-Service roles are billed separately. You will receive a concrete classification within two working days after a short email to info@civac.de with the industry, number of employees and the planned standards.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles