Certification for both 9001 and 27001

1- What are the common activities / interview meetings / deliverables?

After getting support for your project (through approval of the ISMS-QMS project plan) and approval of the Procedure for Document and Record Control, these are the common steps and deliverables:

1) defining ISMS-QMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;

2) performing people training and awareness;

3) performance monitoring and measurement;

4) performing internal audit;

5) performing management critical review; and

6) addressing nonconformities, corrective actions, and opportunities for improvement.

The definition and execution of the information security risk management process are specific to ISO 27001, while the planning and realization of products and services are specific to ISO 9001.

For further information, see how to implement integrated management systems.

2 - Can a department interview approach be taken?

I'm assuming your question refers to the standard's implementation.

Considering that, a department interview approach is possible, but you need to remember the ISO management standards are process-based, so in a department interview it will be easier for the project to also consider the processes performed by the department.

3 - Is the risk assessment and treatment plan common to both standards or only specific to 27001?

Please note that risk assessment for each standard has different purposes and different assessment criteria, so at the moment we do not see a practical way to combine risk assessment according to ISO 27001 and ISO 9001 in a single plan. It is better to do a separate risk assessment for ISMS and for QMS.

4 - How does the certification audit work in this case?

In this case, you need to contact your certification body to explain you wish to go for an integrated certification audit. The details on how this certification audit will be performed need to be aligned with the certification body.

5 - What does it take to undertake both projects at the same time ( in terms of additional time and resources)?

Since these standards have some requirements in common, you can save approximately 30% of time and resources during the implementation.

6 - Do you recommend to work on both 9001 and 27001 certification at the same time?

Implementing both standards at the same time is recommended when you have:

• a customer demand or legal requirements to fulfill
• additional resources to allocate in the implementation

If these are not you case, you can think about implementing one standard think the common requirements for both standards, and when you have more resources you may start implementing the remaining requirements.