26 May 2026 | 17 min Read
Integrate ISO 9001 and ISO 45001 into One IMS | Goldenpath PM
Integrated Management Systems · UK SME Guide

Goldenpath PM 10 min read Quality & Safety Compliance

Running two separate management systems costs time, money, and headspace your team doesn't have. This step-by-step guide shows UK SMEs how to combine ISO 9001 and ISO 45001 into a single, audit-ready Integrated Management System — using process mapping, shared documents, and joined-up evidence.

Why Integrate Quality and Safety into One IMS?

Many UK SMEs arrive at ISO certification one standard at a time — often ISO 9001 first, then ISO 45001 later as contract requirements or legal obligations grow. The result is two parallel systems: separate manuals, duplicate risk registers, competing audit schedules, and two sets of management reviews to prepare for.

An integrated ISO management system (IMS) consolidates both standards under one framework. Rather than maintaining duplicate infrastructure, your team works with a single policy hierarchy, a unified set of procedures, and one internal audit cycle that satisfies both standards simultaneously.

The commercial case is straightforward:

  • Reduced documentation overhead and version-control risk
  • Lower certification costs — most bodies offer combined audits at a reduced day rate
  • Clearer accountability: one HSEQ lead rather than siloed quality and safety roles
  • Stronger tender submissions — clients increasingly expect ISO quality and safety integration as a single deliverable
  • Less disruption to operations during audit periods

For operations and HSEQ leaders in UK SMEs, integration is not just administratively sensible — it reflects how quality and safety actually interact on the ground. A nonconformity in a process is almost always both a quality failure and a potential safety event. A unified system captures that relationship.


The Shared Foundation: High Level Structure (HLS)

Integration is structurally enabled by the High Level Structure (previously known as Annex SL), the common framework that ISO mandates for all new and revised management system standards. ISO 9001:2015 and ISO 45001:2018 both use it.

This means both standards share identical clause numbers, identical core requirements language, and a compatible plan–do–check–act cycle. The ten clauses are the same across both:

Clause  Title                                                       ISO 9001  ISO 45001
4       Context of the organisation
5       Leadership & commitment
6       Planning (risk & opportunities)
7       Support (resources, competence, awareness, communication)
8       Operation
9       Performance evaluation
10      Improvement

This alignment means the effort of satisfying a clause requirement does not need to be duplicated — it can be addressed once, in one document, referencing both standards. The standard-specific content (for example, ISO 45001's hazard identification requirements under Clause 8, or ISO 9001's customer focus provisions under Clause 5) sits as discipline-specific annexes or sub-sections within a unified structure.


Which Documents Can Be Combined?

A practical IMS for a UK SME does not require a complete rewrite of your existing documentation. It requires consolidation where the standards converge and clear separation where they diverge. The table below identifies which documents are candidates for full integration, partial integration, or must remain standard-specific.

Document                                    Integration approach
IMS Policy                                  Fully combined — one top-level policy covering quality and OH&S commitments
Context of the Organisation (Cl. 4)         Fully combined — one SWOT/PESTLE and interested parties register
Risk & Opportunity Register                 Fully combined — unified register with quality and safety columns
Objectives & Targets                        Partially combined — shared template, separate quality and OH&S KPIs
Internal Audit Programme                    Fully combined — one schedule auditing both standards per cycle
Management Review Agenda & Records          Fully combined — one meeting, one set of minutes
Nonconformity & Corrective Action Log       Fully combined — tag each NC as quality, safety, or both
Competency & Training Records               Fully combined — one HR-linked matrix
Hazard ID & Risk Assessment (HIRA)          Standard-specific — ISO 45001 only (Cl. 6.1.2)
Legal Register                              Partially combined — shared format, separate quality and H&S legislation columns
Emergency Preparedness & Response           Standard-specific — ISO 45001 only (Cl. 8.2)
Customer Satisfaction & Complaints Process  Standard-specific — ISO 9001 only (Cl. 9.1.2)

Step-by-Step Integration Process

The following eight steps provide a structured sequence for UK SME HSEQ leaders building an integrated ISO management system from existing single-standard systems or from scratch.

1. Conduct a gap analysis against both standards simultaneously

Use a dual-column gap analysis matrix mapped to the HLS clauses. For each clause, record what evidence currently exists, what is missing for ISO 9001, and what is missing for ISO 45001. This baseline drives your integration project plan and prevents over-documentation.

2. Define your IMS scope and policy

Write a single IMS Scope Statement (Clause 4.3) that describes the boundaries and applicability for both standards in one document. Follow it with a combined IMS Policy signed by top management — this is a tangible demonstration of leadership commitment under both standards' Clause 5 requirements and is often the first document an auditor requests.

3. Map your core processes using a unified turtle diagram approach

Identify your core operational processes and map each one using a turtle diagram that captures inputs, outputs, resources, competencies, and controls — annotating which elements are quality-critical, safety-critical, or both. This forms the backbone of your integrated process map and identifies where quality and safety controls intersect on the same activity.

4. Build a unified risk and opportunity register

Create a single risk register with columns for context (Cl. 4), quality risks (Cl. 6.1 ISO 9001), and OH&S hazards and risks (Cl. 6.1 ISO 45001). Include the standard-specific HIRA as a linked sub-document. A unified register means one review cycle and a single owner per risk rather than parallel, often contradictory, registers maintained by separate teams.

5. Consolidate your procedure library

Rewrite shared procedures (document control, internal audit, nonconformity and corrective action, management review, training and competency) as single documents referencing both standards. Retain standard-specific procedures where required but link them clearly to the shared framework. Use a consistent document numbering convention — for example, IMS-P-001 for integrated procedures, QMS-P-001 and OHS-P-001 for standard-specific ones.

6. Combine your internal audit programme

Design an annual audit schedule that audits each clause of both standards within one cycle. Train your internal auditors against both standards — many IRCA-approved UK providers offer combined ISO 9001/ISO 45001 internal auditor courses. Issue combined audit reports that reference findings against both sets of clause numbers, and manage all nonconformities in your unified NC log.

7. Run a single management review

Structure your management review agenda to cover the mandatory input items for both ISO 9001 (Cl. 9.3.2) and ISO 45001 (Cl. 9.3) in one meeting. Produce one set of minutes evidencing that all required inputs were considered and all outputs (resource decisions, objectives changes, IMS improvement actions) were agreed. This is a high-value efficiency gain — two standards, one meeting, one set of records.

8. Prepare for a combined certification audit

Brief your certification body on your integrated structure before the Stage 1 audit. Provide them with your IMS manual or documented information index showing how each clause of both standards is addressed. Most major UK certification bodies — including BSI, NQA, Lloyd's Register, and Bureau Veritas — offer combined ISO 9001/ISO 45001 audits, and scheduling them together typically reduces the total audit day requirement by 20–30%.

Already certified to one standard?

If you hold ISO 9001 and are adding ISO 45001 (or vice versa), steps 1–4 are significantly lighter. Your existing gap analysis, context, and risk documentation provides the starting point. In most UK SME engagements, Goldenpath PM achieves a certified IMS extension in 8–12 weeks from the initial gap assessment.

The most common barrier is not documentation — it is engaging workers in hazard identification (a specific ISO 45001 Clause 5.4 requirement) and building an effective internal audit capability across both disciplines.


Process Mapping Across Both Standards

Process mapping is the engine of an effective IMS. Both ISO 9001 (Cl. 4.4) and ISO 45001 (Cl. 4.4) require the organisation to determine its processes, their sequence and interaction, and the criteria and methods needed to ensure they are effective and controlled.

For an integrated system, the goal is a single process map that is annotated for both standards. A practical approach for UK SMEs:

1. Identify your process hierarchy

Divide processes into three tiers: management processes (planning, review, improvement), core operational processes (the value-creating activities that directly affect product/service quality and worker safety), and support processes (HR, procurement, maintenance, document control). This hierarchy is standard-agnostic and forms the backbone of your IMS.

2. Assign dual ownership

For each core process, name a single process owner who is accountable for both quality outputs and safety controls within that process. This eliminates the common SME problem of quality and safety being managed by different people who rarely communicate about the same activities.

3. Mark critical control points

On each process map, annotate where quality controls (inspection points, customer requirements, specifications) and safety controls (safe systems of work, permits to work, PPE requirements, COSHH considerations) apply. Processes where both types of control appear at the same point are your highest-integration-value processes — and the ones most likely to generate combined findings during audit.

4. Link to documented information

Each process map should reference the procedure, work instruction, or form that governs it. Using a consistent reference system means auditors can navigate your IMS efficiently — and your team can find the right document without hunting through two separate systems.


Building Audit-Ready Evidence

Certification auditors assess conformance through documented information (records and documents). An integrated IMS must demonstrate that both standards' requirements are met — and a well-structured evidence trail makes this straightforward rather than stressful.

Maintain a documented information index

Create and maintain a master list of all documents and records in your IMS, cross-referenced to the clause(s) of ISO 9001 and ISO 45001 they address. This index is one of the most useful tools you can hand to an auditor at Stage 1 — it demonstrates that your system is deliberate and complete.

Use consistent record formats

Design forms and record templates that capture both quality and safety data where relevant. A site inspection form, for example, can include sections for product quality checks alongside safety observations — generating one record that evidences conformance against both standards' operational planning clauses.

Retain evidence of worker participation

ISO 45001 places particular emphasis on worker consultation and participation (Cl. 5.4). This is an area where UK SMEs sometimes under-evidence. Keep records of toolbox talks, safety committee meetings, hazard reporting, and worker involvement in risk assessments. These records also support ISO 9001's Clause 7.3 (awareness) and Clause 7.4 (communication) requirements.

Track objectives and performance data

Both standards require measurable objectives and evidence of monitoring performance against them (Cl. 6.2, 9.1). Maintain a live objectives tracker — updated at least quarterly — with current performance data for both quality KPIs (e.g., customer complaints, on-time delivery, first-pass yield) and safety KPIs (e.g., near-miss reporting rate, corrective action close-out time, training completion).


Common Pitfalls UK SMEs Should Avoid

Treating integration as a documentation exercise only

The most common failure mode is merging documents without changing how the business actually manages quality and safety. Integration must be operational — the same meetings, the same conversations, the same escalation routes — not just a change to folder structures.

Under-resourcing the hazard identification process

ISO 45001 requires ongoing hazard identification as a live process, not a one-off risk assessment at certification. UK SMEs that bolt ISO 45001 onto an existing ISO 9001 system sometimes treat the HIRA as a static document. Auditors will test this — expect questions on how new hazards are identified when processes change.

Forgetting legal and regulatory compliance obligations

Both standards require you to determine and have access to applicable legal requirements (Cl. 6.1.3 ISO 45001; Cl. 8.4 / general legal context for ISO 9001). In a UK context, this includes the Health and Safety at Work Act 1974, the Management of Health and Safety at Work Regulations 1999, sector-specific regulations, and product legislation relevant to your quality obligations. Your legal register must be reviewed and updated — typically annually as a minimum.

Neglecting competency against both standards

If your internal audit team is trained only on ISO 9001, your combined internal audit programme will produce incomplete findings. Invest in cross-training — or engage external support for the OH&S elements until internal capability is built.

Failing to engage top management genuinely

Both standards require demonstrable leadership and commitment — not just a signed policy. Auditors will interview senior leaders. If directors cannot articulate the IMS policy, the risk management approach, or the objectives being pursued, that is an area of concern regardless of how well the documentation is structured.


Frequently Asked Questions

Can ISO 9001 and ISO 45001 be integrated into one management system?

Yes. Both standards share the High Level Structure (HLS/Annex SL), meaning they use identical clause numbering, common terms, and compatible requirements. UK SMEs can combine them into one Integrated Management System using shared policies, a unified risk register, combined internal audits, and a single management review process. Integration reduces administrative duplication and is widely supported by UK certification bodies.

How long does it take to build an integrated ISO management system?

For a UK SME starting from scratch, a realistic timeline is 3–6 months for documentation and implementation, followed by a period of operation (typically 3 months minimum) before a certification audit. If you already hold one standard, integration can often be achieved in 6–12 weeks, depending on the maturity of your existing system and the availability of internal resource.

What documents are shared between ISO 9001 and ISO 45001?

Shared documents include: the top-level IMS policy, context of the organisation (Clause 4), risk and opportunity register, objectives and targets, internal audit programme, management review records, nonconformity and corrective action log, competency and training records, and document control procedures. Standard-specific documents include the ISO 45001 hazard identification and risk assessment (HIRA), emergency preparedness and response plan, and ISO 9001's customer satisfaction monitoring process.

Do we need separate audits for ISO 9001 and ISO 45001?

No. A combined internal audit programme can address both standards in a single audit cycle. Most major UK certification bodies — including BSI, NQA, Lloyd's Register, and Bureau Veritas — also offer combined external surveillance and recertification audits, which reduces disruption and overall cost.

Does ISO 45001 replace OHSAS 18001?

Yes. OHSAS 18001 was withdrawn in 2021. ISO 45001:2018 is the current international standard for occupational health and safety management systems and is the standard against which UK businesses are certified today. If your organisation was previously certified to OHSAS 18001, it will have transitioned to ISO 45001 or will need to do so before pursuing an integrated system.

How does ISO 45001 differ from ISO 9001 in terms of worker involvement?

ISO 45001 places a specific and distinct requirement on worker consultation and participation (Clause 5.4) that has no direct equivalent in ISO 9001. The standard requires organisations to establish, implement, and maintain processes for workers at all levels to participate in hazard identification, risk assessment, incident investigation, and OH&S management decisions. This is an area that requires dedicated evidence and is commonly tested by auditors.

Ready to build your integrated ISO management system?

Goldenpath PM provides hands-on integrated management system support for UK SMEs — combining ISO 9001 and ISO 45001 from initial gap analysis through to certification and beyond. We work alongside your team, not just hand over documents.
