Implementation of ISO 27001 already having a QMS (ISO 13485) in the company
Dear Dejan,
I am in charge of implementing ISO 27001 in the company. For this purpose, we have purchased the ISO 27001 Toolkit from Advisera, exactly ISO 27001 Documentation Toolkit English (with extended support).
In our case, we have a question that we would like to clarify with you, as we are sure you have seen more cases like this in many other companies.
*** is a small company (around 20-30 people) that is in a growth and expansion phase (in the next few years). As we are a manufacturer of custom-made medical devices, we have a Quality Management System according to ISO 13485 (applicable to medical device manufacturers) in place in the company.
Now, in defining and implementing ISO 27001 using the materials provided by Advisera, we see that there are many overlapping aspects between ISMS and QMS. Our doubt is to know if you recommend us to maintain two totally separate systems or to unify them into one. What would be more recommendable for the company now and in the long term?
My question is focused on the fact that you provide us, for example, with a procedure for internal audits, documentation control, management review, which are similar to the ones we already have but with quite different approaches. So, we don't know if it would make more sense to have the ISMS totally separate from the QMS and have these procedures totally separate, each with its own Scope, or to try to unify to have a single procedure for internal audits, management review, document control...
What would you recommend in this situation?
Thank you very much in advance.
All the best.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Unless you have specific legal requirements (e.g., laws, regulations, or contracts) demanding a separate set of documentation, integrating common documents of both ISO 13485 and ISO 27001 is recommended, to avoid unnecessary duplicated documents and processes (e.g., a procedure for document and record control, internal audit, etc.).
These articles will provide you with a further explanation about integrated systems (since ISO 13485 is similar to ISO 9001, all of these materials are relevant also for ISO 13485):
- Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
- How to implement integrated management system https://advisera.com/articles/how-to-implement-integrated-management-systems/
This material will also help you regarding ISO 27001 and ISO 9001:
- ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
I agree with Rhand.
Most clients I've dealt with usually combine their management systems such as ISO27001 together with other management standards such as ISO9001 and ISO14001.
Comment as guest or Sign in
Aug 23, 2022