# The Case for Integrated Auditing

ISO 9001, ISO 27001, and ISO 20000 share a common high-level structure (Annex SL) that makes integration practical. Organizations pursuing all three standards can benefit from a combined certification and surveillance audit conducted by a single certification body. Integrated audits reduce total audit days, lower audit costs, improve governance coherence, and surface cross-standard issues that separate audits miss. Indonesian technology organizations increasingly pursue ISO 9001 + ISO 27001 + ISO 20000 integration as a competitive differentiator in government and enterprise procurement.
## What Integration Enables

An Integrated Management System shares foundational elements across all three standards: a single context analysis documenting organizational and quality/security/service issues, a single risk register addressing quality, security, and service risks, a single internal audit program covering all standards simultaneously, a single management review addressing all management system inputs, and a single document control system satisfying all standards. This shared foundation eliminates redundancy and creates coherent governance. Standard-specific elements (like Clause 8 quality processes or Annex A security controls) remain distinct but are audited as part of the integrated system.
| IMS Element | ISO 9001 | ISO 27001 | ISO 20000 | Integrated Approach |
|---|---|---|---|---|
| Context Analysis | Clause 4.1, 4.2 | Clause 4.1, 4.2 | Clause 4.1, 4.2 | Single combined context document addressing all issues and interested parties |
| Risk Management | Clause 6.1 | Clause 6.1 | Clause 6.1 | Integrated risk register: quality risks, security risks, service risks, single assessment |
| Internal Audit | Clause 9.2 | Clause 9.2 | Clause 9.2 | Combined audit program covering all three standards simultaneously |
| Management Review | Clause 9.3 | Clause 9.3 | Clause 9.3 | Single management review with combined inputs and outputs |
| Document Control | Clause 7.5 | Clause 7.5 | Clause 7.5 | Single document management system with unified version control and approval |

**KEY IDEA:** An Integrated Management System audited as a whole is more than the sum of its parts. Combined audits surface cross-standard issues (like a security incident response process that does not connect to the QMS nonconformity process) that separate audits miss entirely. Integration produces better governance, not just audit efficiency.

## Combined Certification Audit Structure

A combined certification audit for ISO 9001 + ISO 27001 + ISO 20000 is scheduled as a single audit with a multi-disciplinary auditor team. The lead auditor coordinates the overall audit and examines shared elements (context, risk register, management review, document control). Specialist auditors examine ISO 9001 operations (Clause 8 processes), ISMS operations (Annex A security controls), and SMS operations (service delivery and control processes). Audit days are calculated using IAF MD1 guidelines based on organization size and complexity, with integration efficiencies typically reducing combined audit days by 20–30 percent compared to three separate audits.
## Internal Audit Program for IMS

An integrated internal audit program combines shared clause audits with standard-specific operational audits. Combined clause audits cover Clauses 4–7 and 9–10 of ISO 9001, ISO 27001, and ISO 20000 in one audit cycle, examining the shared elements once for all three standards. ISO 9001 operational audits cover Clause 8 (product/service realization) annually. ISO 27001 operational audits cover Annex A security controls annually, rotating through the control families. ISO 20000 operational audits cover service delivery and service control processes annually. Risk register reviews covering all standards' risks occur at least annually.

| Audit Type | Coverage | Frequency | Auditor Requirement |
|---|---|---|---|
| Combined Clause Audit | Shared clauses (4–7, 9–10) across all standards | Annual or twice yearly | IMS-trained internal auditor with knowledge of all three standards |
| ISO 9001 Operational Audit | Clause 8 operations and Clause 8.5 control processes | Annual | QMS-competent auditor with product/service realization knowledge |
| ISO 27001 Operational Audit | Annex A security controls (A.5 through A.18) | Annual with rotation | ISMS-competent auditor with security management knowledge |
| ISO 20000 Operational Audit | Service delivery and service control processes | Annual | Service management-competent auditor with service delivery knowledge |
| Risk Register Review | All standards' risks and their management | Annual or twice yearly | Senior auditor with IMS perspective or quality/security/service management leadership |
## Management Review Integration

A single management review addresses all three standards' mandatory inputs and outputs. The management review agenda includes:

- organizational context review (quality, security, service)
- risk register review across all standards
- internal audit findings and trends for all standards
- nonconformity and corrective action trends across all standards
- customer satisfaction and stakeholder feedback
- quality/security/service objective performance
- information security incidents (for the ISMS)
- service availability and performance (for the SMS)
- compliance with applicable laws and regulations
- adequacy of resources
- effectiveness of changes made
- recommendations for improvement from all management system areas

The management review record documents all inputs, decisions, and action items assigned across the integrated system.

## Audit Efficiency Gains

Integrated auditing reduces redundancy significantly. Context analysis is examined once instead of three times. Management review evidence is examined once with combined inputs rather than as three separate reviews. The document control system is audited once, covering all standards, rather than in three separate document audits. Corrective action review is conducted once across all standards' findings rather than separately for each. These efficiency gains typically result in a 25–35 percent reduction in total audit days compared to three separate audits with three different CBs.

| Activity | Separate Audits (3 standards) | Integrated Audit | Time/Cost Saving |
|---|---|---|---|
| Context Analysis Review | 3 × 1 hour | 1 × 1.5 hours | 50% reduction |
| Management Review Evidence | 3 × 1 hour | 1 × 1.5 hours | 50% reduction |
| Document Control Audit | 3 × 1 hour | 1 × 1 hour | 67% reduction |
| Corrective Action Review | 3 × 1 hour | 1 × 1 hour | 67% reduction |
| Combined Audit Savings | 15–20 audit days | 10–14 audit days | 25–35% audit day reduction |
## Transition to Integrated Auditing

Organizations that achieved ISO 9001, ISO 27001, and ISO 20000 certifications at different times must align their certification cycles to enable integrated auditing. The typical transition approach is to align all surveillance audits to a common schedule, using a transition audit when the second or third standard reaches its recertification date. The certification body schedules the transition to occur over 6–12 months, during which all standards are brought to a synchronized recertification date. The IMS policy suite is the governance foundation for integrated auditing and typically includes an integrated QMS + ISMS + SMS policy document and supporting integrated procedures.

**IMPORTANT:** Combined certification audits require a CB with competence in all standards being audited. Verify that the CB's audit team has demonstrated competence in ISO 9001, ISO 27001, and ISO 20000 before contracting. A CB that assigns a generic lead auditor for a combined audit without specialist technical support will produce an inadequate audit.

**BITLION INSIGHT:** Indonesian technology organizations that certify ISO 9001, ISO 27001, and ISO 20000 together through an IMS approach achieve a significant commercial advantage: they present a single, coherent management system to government and enterprise procurement teams rather than three separate compliance programs. The combined certification demonstrates organizational maturity that is increasingly required for Tier 1 government ICT supplier qualification.