Internal Audit: Conducting ISO 9001, 14001, and 27001 in Combination
Those who operate ISO 9001, ISO 14001, and ISO/IEC 27001 in parallel can combine internal audits. This article shows what is normatively required, how an integrated audit plan is structured, and where companies commonly make mistakes.
DIN EN ISO 9001:2015, DIN EN ISO 14001:2015, and ISO/IEC 27001:2022 each require an internal audit programme – clause 9.2 in each of the three standards places the same fundamental requirement: the organisation must conduct internal audits at planned intervals to determine whether the management system meets its own requirements as well as the requirements of the standard and is being effectively implemented. Those who operate all three systems face the question of whether three separate audit programmes or an integrated approach makes more sense.
A combined internal audit saves resources but requires auditors to cover the relevant standard areas and that audit planning is documented in a comprehensible manner. This article describes the normative foundations, the structure of an integrated audit programme, the requirements for auditors, and the most common weaknesses that come to light during recertification.
Key Takeaways
- Clause 9.2 in ISO 9001, ISO 14001, and ISO/IEC 27001 each requires a planned audit programme – an integrated approach is normatively permissible and resource-efficient in practice.
- Combined audits require auditors with demonstrable competence in all management systems covered; a single weak standard competency undermines the audit conclusion.
- Audit reports must clearly separate standard-specific findings so that certification bodies and authorities can assign results accurately.
Normative Foundations: What Clause 9.2 Requires across Three Standards
Clause 9.2 is formulated in almost identical terms in ISO 9001:2015, ISO 14001:2015, and ISO/IEC 27001:2022. The standard requires that the organisation plans, establishes, and maintains an audit programme that encompasses frequency, methods, responsibilities, planning requirements, and reporting. In doing so, the scope of the management systems concerned, changes to the system, and the results of previous audits must be taken into account.
For ISO/IEC 27001:2022, the 93 controls of Annex A are additionally incorporated, anchored in the Statement of Applicability (SoA). The internal audit must verify whether the applicable controls are actually implemented and effective – an assessment step not found in this form in ISO 9001 and ISO 14001. This standard-specific depth of scrutiny is the main reason why combined audits require careful competency planning.
ISO 14001:2015 additionally places emphasis on the review of environmental aspects (cl. 6.1.2) and compliance obligations (cl. 9.1.2). Those who do not include environmental legal provisions or regulatory requirements in the audit scope risk a non-conformity during the external audit. DIN EN ISO 19011:2018 provides the methodological framework for all three systems and explicitly recommends combined auditing, provided the competence of the auditors is assured.
Those who commission an external supplier auditor through CIVAC receive an officer with documented competence in quality, environmental, and information security management who can build and conduct combined audit programmes in accordance with DIN EN ISO 19011:2018.
Integrated Audit Programme: Structure and Annual Planning
An integrated audit programme begins with the risk analysis of the areas to be audited. For each standard, the critical processes and system elements must be identified: for ISO 9001, these are typically the value-creating processes such as development, production, and supplier management. For ISO 14001, the focus is on environmental aspects with significant impact, such as energy consumption, waste streams, or emissions. For ISO/IEC 27001, these are information assets with high protection needs, access control concepts, and security event processes.
The annual plan specifies which standard areas are audited in which quarter. A proven structure provides for cross-standard topics such as leadership (cl. 5), planning (cl. 6), and management review (cl. 9.3) to be addressed in a combined audit block. Standard-specific in-depth reviews are scheduled separately to keep audit time realistic.
The audit programme itself must be documented. This includes the audit plan, audit criteria, audit scope, audit method, auditors, and scheduling logic. ISO 19011:2018 recommends reviewing the programme annually and adjusting it on the basis of the findings from previous years. Areas with repeated non-conformities or elevated risk receive a higher audit frequency.
The CIVAC workspace provides 490 ready-to-use audit templates that can be configured by standard. The five core steps – scope, uploads, queries, risks, and report – guide the audit team in a structured manner through each audit block, regardless of whether ISO 9001, ISO 14001, or ISO/IEC 27001 is in focus.
Auditor Competence: Requirements and Obligation to Demonstrate Evidence
ISO 19011:2018 devotes a dedicated chapter (cl. 7) to auditor competence. For combined audits this means: the auditor or audit team must collectively be able to cover all relevant standards. An auditor with only ISO 9001 qualification cannot conduct an effective combined audit across ISO 14001 and ISO/IEC 27001.
The standard distinguishes between personal attributes, general auditor knowledge, and standard-specific expertise. For ISO/IEC 27001:2022, the auditor is expected to know the 93 controls of Annex A, be able to read the SoA, and be able to contextualise risk assessments under ISO/IEC 27005. For ISO 14001, knowledge of the relevant environmental law in the applicable jurisdiction is required. For ISO 9001, process orientation and production knowledge count.
Competence must be demonstrated – typically through training records, lead auditor certificates, or documented experience. For the internal audit function, verbal confirmation is not sufficient. The certification body checks the qualification of internal auditors during the external audit. Missing evidence is a potential non-conformity.
Those who cannot fill the internal audit function themselves or prefer a neutral perspective can commission a supplier auditor as an external officer through CIVAC. CIVAC issues the letter of appointment, documents the qualification, and provides the audit workspace with all standard-specific templates.
Audit Report: Cleanly Separating Standard-Specific Findings
A common error in combined audits is the cross-standard omnibus report. Findings are listed without standard reference, so that neither the company nor the certification body can determine whether a non-conformity concerns quality management, the environmental management system, or the ISMS. This deficiency regularly triggers queries during recertification.
A normatively correct audit report consistently separates findings by standard and standard clause. For each non-conformity or observation, at minimum the following fields are documented: affected standard clause (e.g. ISO/IEC 27001:2022 cl. 9.1), type of finding (non-conformity, observation, improvement potential), audit evidence (which documents or interviews substantiate the finding), and corrective action with responsible party and due date.
ISO 19011:2018 cl. 6.5 specifies the minimum content of an audit report. In addition, the report should record which standard areas were not audited and for what reason – for example due to planned rotation. This transparency protects against the accusation of incomplete internal audit programmes during external audits.
In the CIVAC workspace, all findings are captured directly in the digital audit report and assigned to the relevant standard clause. The export format is immediately submittable to certification bodies. The inspector calls, the evidence is ready.
Auditor Independence: Requirements under ISO 19011
ISO 19011:2018 cl. 5.1 requires auditors to be impartial and to act free of conflicts of interest. For internal audits this does not necessarily mean an external person, but the auditor must not be responsible for the area being audited. Those who have built the quality management system cannot objectively audit it.
In small and medium-sized companies (50 to 500 employees), the separation of personnel is often difficult. The quality management officer or the CISO cannot simultaneously audit their own system. Two permissible approaches exist: first, an internal auditor from a different area who is qualified and commissioned for the audit task; second, an external auditor who is formally commissioned and has no other function in the company.
Auditor independence is particularly critical in combined audits because a single auditor covers three standards and a conflict of interest in one standard compromises the entire combined report. A documented conflict-of-interest declaration before each audit mandate is good practice and is expected by certification bodies.
CIVAC makes it possible to manage an independent external supplier auditor or internal officer in the workspace. Licence the workspace for your internal officers or appoint our officers – the independence requirement is structurally fulfilled in both models because appointment and subject-matter responsibility are clearly and separately documented.
Typical Non-Conformities: What Certification Bodies Most Frequently Challenge
Based on recertification reports, recurring non-conformity patterns can be identified for combined audits. The most common findings relate to the following areas:
- Incomplete audit programme: Not all standard clauses were covered in the audit programme over the past 12 months. Clause 9.2(a) of ISO 9001 requires the programme to encompass the entire scope of the management system.
- Missing auditor competence evidence: The qualification of internal auditors is not documented. ISO 19011:2018 cl. 7.2 requires traceable competence records.
- No separation of findings by standard: Collective findings without standard reference impede the follow-up of corrective actions.
- Corrective actions not completed: Open actions from previous audits without due dates or responsible parties are a classic issue and frequently lead to repeated non-conformities.
- Specific to ISO 14001: Environmental legal compliance obligations (cl. 9.1.2) were not audited, even though they must explicitly be within the audit scope.
- Specific to ISO/IEC 27001: The SoA was last reviewed but the actual control implementation was not verified. A SoA entry does not replace an audit of control effectiveness.
Those who know these patterns can proactively align their internal audit programme accordingly. The CIVAC audit templates systematically cover all the above check points and prevent standard gaps from only coming to light at the next certification.
Effort Estimate: How Much Time a Combined Audit Requires
A realistic effort estimate is a prerequisite for credible audit planning. Audits that are scheduled too briefly end in superficial assessments that certification bodies rate as inadequate. The following indicative values apply for a mid-sized company with 100 to 500 employees:
- Individual ISO 9001 audit: 1.5 to 2.5 days depending on process depth and number of sites.
- Individual ISO 14001 audit: 1 to 2 days, including an on-site walkthrough of relevant environmental aspects.
- ISO/IEC 27001 audit (Annex A): 2 to 3.5 days, depending on the number of applicable controls and system complexity.
- Combined audit of all three standards: 3 to 4.5 days with good preparation and a clearly structured audit programme.
The time saving through combination is typically between 30 and 45 per cent compared with three separate audits. The saving arises primarily from shared context discussions with senior management, shared document review, and cross-cutting audit topics such as internal communication, management review, and risk management.
The prerequisite for this efficiency is careful preparation: checklists per standard, documents provided in advance, and clear time blocks in the audit plan. Without preparation, combined audits emerge that are neither sufficient in depth nor breadth.
Standard Update ISO/IEC 27001:2022: Impact on Combined Audits
ISO/IEC 27001:2022 was published in October 2022 and superseded the 2013 edition. The transition period for certifications under the previous version ended in October 2025. For combined audits, this means: those who have been auditing against ISO/IEC 27001:2013 must migrate the audit programme to the new standard structure.
The most important structural changes for the internal audit programme relate to the control structure: the 114 controls from Annex A of the 2013 edition have been consolidated into 93 controls in four thematic areas (organisational, people, physical, technological). Eleven controls are new, including threat intelligence (5.7), information security for cloud services (5.23), and secure coding (8.28). These new controls must be assessed in the SoA and – where applicable – audited.
For combined audits with ISO 9001 and ISO 14001, the ISO 27001 revision has no direct impact on the other standards, but auditors must be familiar with the new control landscape. Training records for ISO/IEC 27001:2022 must be updated for all internal auditors who assess the ISMS.
The detailed transition roadmap is described in the CIVAC article ISO 27001:2022 Transition. In the CIVAC workspace, all 93 controls are already stored as audit templates in the updated version.
Next Steps: Building a Structured Combined Audit Programme
A combined internal audit programme for ISO 9001, ISO 14001, and ISO/IEC 27001 is not a mammoth project if approached in a structured manner. The starting point is an inventory of existing management systems: which standard clauses exist, which controls are marked as applicable in the SoA, which processes are relevant across standards?
On this basis, a consolidated audit programme is created with clear annual planning, standard-specific in-depth blocks, and a list of qualified auditors. The programme is presented to senior management, approved, and documented. Audit-ready, documented, and normatively compliant.
CIVAC provides two models for this setup. In the workspace licence model, your internal auditors gain access to 490 ready-to-use audit templates, structured report modules, and complete audit programme management. In the Officer-as-a-Service model, a certified CIVAC auditor assumes the internal auditor function in full, conducts the combined audit programme, and delivers normatively correct reports. Letter of appointment: signed, filed, demonstrable.
Licence the workspace for your internal officers or appoint our officers. Both routes lead to an audit-ready, documented audit programme that withstands the next recertification.
Turn reading into action. Send your audit programme inquiry to info@civac.de or use the contact form on civac.de.
FAQ
Is a combined internal audit for ISO 9001, ISO 14001, and ISO/IEC 27001 normatively permissible?
Yes. DIN EN ISO 19011:2018 explicitly recommends combined audits, provided the competence of the auditors for all standards concerned is assured. Clause 9.2 in all three standards prescribes an internal audit programme but does not stipulate that it must be conducted separately.
What competence must internal auditors demonstrate for a combined audit?
Auditors must demonstrate documented competence in each standard assessed in the combined audit under ISO 19011:2018 cl. 7.2. Training records, lead auditor certificates, or documented experience are typical forms of evidence. Sole ISO 9001 qualification is not sufficient for a combined audit covering ISO 14001 and ISO/IEC 27001.
How often must an internal audit under ISO 9001, ISO 14001, and ISO/IEC 27001 be conducted?
All three standards require an audit programme at planned intervals but do not specify a fixed frequency. In practice, a full audit is conducted annually, supplemented by risk-based follow-up audits in the event of significant changes or repeated non-conformities. The certification body expects all relevant standard clauses to be covered within the 12-month cycle.
Can the quality management officer simultaneously be an internal auditor?
No, where the QMR is responsible for the area being audited. ISO 19011:2018 cl. 5.1 requires impartiality and freedom from conflicts of interest. The QMR may audit in areas for which they bear no direct responsibility, but not within their own area of responsibility.
What happens if the internal audit programme is assessed as incomplete during certification?
An incomplete audit programme is a non-conformity against clause 9.2 of the relevant standard. Depending on severity, this can result in a minor non-conformity with a deadline for remediation, or in a major non-conformity requiring a repeat of the certification audit. For ISO/IEC 27001, an incomplete internal audit is regularly assessed as a major non-conformity.
How does CIVAC support the building of a combined internal audit programme?
CIVAC offers two approaches: in the workspace licence model, internal auditors gain access to 490 standard-specific audit templates and structured report modules. In the Officer-as-a-Service model, a certified CIVAC supplier auditor assumes the internal audit function in full, including audit programme, reporting, and corrective action tracking.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.