One of our clients in the USA is already ISO 9001 certified, and we are supposed to assist them in the implementation of ISO 27001. I want to get your opinion on the documentation approach that we should follow. Should we work on integrating ISO 9001 and ISO 27001 by combining some documents, or is creating a separate set of documentation a better approach? What is usually followed by other organizations when they are already ISO 9001 certified and moving forward with ISO 27001 implementation? I have downloaded your document that clarifies the matrix between ISO 9001 and ISO 27001, but it does not give me enough clarity on what documentation approach should be followed while drafting in this scenario, when the company is already ISO 9001 certified and all documentation is in place.
Looking forward to hearing from you for the necessary clarification, and please suggest whether any integrated toolkit approach for ISO 9001 and ISO 27001 is available.
Unless your client has specific legal requirements (e.g., laws, regulations, or contracts) demanding a separated set of documentation, integrating common documents of both ISO 9001 and ISO 27001 is recommended, to avoid unnecessary duplicated documents (e.g., a procedure for document and record control, internal audit, etc.).
Regarding an integrated toolkit for ISO 9001 and ISO 27001, one is not available, but you can use the documents referred to in the paper you downloaded as guidance.
These articles will provide you with further explanation about integrated systems: