If your company already has — or is considering obtaining — more than one ISO certification, the inevitable question arrives sooner or later: does it make sense to maintain three separate systems with their own manuals, procedures, internal audits and management reviews? The answer, in most cases, is no. The integrated management system (IMS) was created precisely to avoid that triplication of effort, aligning under a single structure the requirements of ISO 9001 (quality), ISO 14001 (environment) and ISO 45001 (occupational health and safety). This article explains what an IMS is, which standards it can integrate, what real benefits it brings to an SME and what the logical path is to build one.
What is an integrated management system?
An integrated management system is a single documentary and operational framework that simultaneously meets the requirements of several ISO standards, eliminating duplication and creating synergies between the different management domains. Instead of having a quality manager with their own procedures, an environmental manager with theirs, and a health and safety technician with their own — each with their own audit cycle — the IMS merges them into a single policy, a single PDCA cycle and a unified review calendar.
The foundation that makes this integration possible is the High Level Structure (HLS, formerly known as «Annex SL») that ISO has imposed since 2015 on all its management system standards. Thanks to this common structure, ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 share the same chapter layout (from 4 to 10), the same concepts of organisational context, leadership, planning, support, operation, performance evaluation and improvement. A requirement that appears in all three standards — for example, risk management or document control — is addressed only once in the IMS.
The three standards that form the core of the most common IMS
Although an IMS can include many more standards (ISO 50001 for energy, ISO 27001 for information security, ISO 22000 for food safety…), the most widespread combination in Spanish industry and services is the triad 9001 + 14001 + 45001. Let us review what each one contributes.
ISO 9001:2015 — Quality management
This is the global reference standard for quality management systems. Published in its current version in September 2015 and currently under revision towards ISO 9001:2026, it requires the organisation to identify its context, understand the needs of interested parties, plan its processes with a risk-based approach and measure customer satisfaction. In Spain, companies holding ISO 9001 certification exceed 30,000 according to the latest ISO Survey data, placing the country among the top ten in the world by number of certificates. It is the most common entry point into the world of certification.
ISO 14001:2015 — Environmental management
It defines the requirements for identifying and controlling the significant environmental aspects of business activity: energy and water consumption, waste generation, atmospheric emissions, discharges. The standard requires the establishment of measurable environmental objectives and compliance with applicable legal requirements — which in Spain include Law 7/2022 on waste and contaminated soils for a circular economy, the REACH and CLP Regulations where chemical substances are handled, and sector-specific regional legislation. The current version is ISO 14001:2026, published in April 2026, and organisations have a 36-month transition period until April 2029 to update their certificates to the new edition.
ISO 45001:2018 — Occupational health and safety
Published in March 2018, ISO 45001 definitively replaced OHSAS 18001. It introduces the concept of the worker as an interested party with the capacity to actively participate in the system, reinforces the role of leadership and requires proactive management of occupational risks. In Spain it coexists with the legal obligation derived from the Law 31/1995 on Occupational Risk Prevention and its implementing regulations; obtaining ISO 45001 certification does not exempt companies from the mandatory Prevention Plan, but it constitutes a layer of continuous improvement above the minimum legal compliance.
High Level Structure: the key to integration
Before the HLS existed, integrating standards was an artisanal and laborious exercise. Today, the map of common requirements between the three standards is very broad. The following table shows the standard chapters and which standards share them:
| HLS Chapter | ISO 9001:2015 | ISO 14001:2015 | ISO 45001:2018 | Integrable in IMS |
|---|---|---|---|---|
| 4 · Organisational context | Yes | Yes | Yes | ✓ Single document |
| 5 · Leadership | Yes | Yes | Yes | ✓ Single integrated policy |
| 6 · Planning (risks and objectives) | Yes | Yes | Yes | ✓ Unified risk matrix |
| 7 · Support (resources, competence, communication, documentation) | Yes | Yes | Yes | ✓ Single document system |
| 8 · Operation | Partial | Partial | Partial | Partially integrable (standard-specific requirements) |
| 9 · Performance evaluation (audits, management review) | Yes | Yes | Yes | ✓ Joint internal audit and review |
| 10 · Improvement | Yes | Yes | Yes | ✓ Single nonconformity management |
Chapter 8 is the only one with its own logic in each standard: product design and development requirements belong to ISO 9001, environmental emergency preparedness and response belongs to ISO 14001, and occupational safety operational controls belong to ISO 45001. Everything else integrates cleanly into a single documentary corpus.
Real benefits of an IMS for an SME
An integrated management system is not an end in itself; it is a means to operate more efficiently and with less risk. These are the benefits that materialise in practice:
- Reduced certification cost. A joint certification audit for three standards typically costs significantly less than three independent audits. Certification bodies accredited by ENAC apply discounts for combined audit time, since the common chapters (context, leadership, planning, documentation, internal audit and management review) are audited only once.
- Lower documentary burden. Instead of three manuals, three policies and three nonconformity registers, the IMS works with a single document system. This simplifies maintenance, reduces the risk of inconsistencies and frees up time for the internal team.
- A single management review. Management reviews the performance of all three systems in a single annual (or biannual) session, with quality, environmental and safety indicators on the same dashboard.
- Better risk management. By cross-referencing the risk analyses from all three standards, the company discovers interdependencies that remain hidden when the systems are separate. A supplier failure can simultaneously be a quality risk, an environmental risk and an occupational safety risk.
- Greater credibility with clients and procurers. An increasing number of large companies and public bodies require their suppliers to hold certification in all three standards. Having them integrated facilitates participation in tenders and qualification questionnaires.
- Cross-cutting culture of continuous improvement. When quality, environment and safety share the same PDCA cycle and the same management team, improvements in one area transfer more naturally to the others.
How to unify: the step-by-step process
IMS implementation does not follow a single path, but experience in certification projects indicates that there is a logical itinerary that minimises the risk of overlaps and gaps. At Summum Calidad we structure it in four phases:
Phase 1 · Starting-point diagnosis
Before integrating it is essential to know what exists. A GAP analysis of each standard is carried out separately: which requirements are covered, which are partially covered and which are absent. If the company already has ISO 9001 and wants to add ISO 14001 and ISO 45001, the diagnosis identifies exactly what new work needs to be done and which existing documentation can be reused with minor adjustments.
Phase 2 · Design of the integrated documentary architecture
The documentary hierarchy of the IMS is defined: integrated policy, IMS manual (if the company considers it useful, although it has not been mandatory since the 2015 revision), operational procedures, technical instructions and records. Decisions are made about which procedures are common (nonconformity management, internal audits, communication) and which remain separate due to their specific nature (environmental emergency plan, safety data sheets, production process controls).
Phase 3 · Implementation, training and testing
The system is implemented progressively, involving process managers in the drafting and validation of procedures. An integrated internal audit is conducted to verify simultaneous compliance with all three standards, and the full management review cycle is launched. This phase typically takes between four and eight months in an SME with between 20 and 150 employees, depending on the maturity of the pre-existing systems.
Phase 4 · Joint certification audit
A certification body accredited by ENAC (AENOR, Bureau Veritas, SGS, TÜV Rheinland, Lloyd's Register, among others) is selected and the phase 1 audit (documentary review) and phase 2 audit (on-site audit) are scheduled. The result, if passed, is the issuance of three certificates — one per standard — in the same process. The expiry date and the follow-up and renewal audit cycles are aligned, which simplifies long-term planning.
If your company is considering this path, at Summum Calidad we accompany the entire process from diagnosis to certificate issuance. You can learn about our ISO 9001 implementation and certification service, which is typically the anchor standard of the IMS, and from there extend the scope to environment and safety.
How many standards can be integrated?
The 9001+14001+45001 triad is the most widespread, but the IMS can be expanded with other standards that also follow the High Level Structure. The most common in the Spanish business fabric are:
- ISO 50001:2018 (energy management): particularly relevant since the 2022 energy crisis and the rise of corporate decarbonisation objectives.
- ISO 27001:2022 (information security): increasingly required in contracts with public administrations and large corporations.
- ISO 22000:2018 (food safety) or IFS/BRC: for companies in the food sector that need product quality certification alongside management systems.
- ISO 45003:2021 (management of psychosocial risks): a natural complement to ISO 45001 addressing mental wellbeing at work, with growing demand since 2024 following the increase in mental health-related sick leave.
Each additional standard represents a decreasing incremental cost: the common core is already built and what varies are the specific requirements of Chapter 8 and some aspects of Chapter 6 on planning.
Common mistakes when integrating an IMS
A poorly executed integration can create more problems than it solves. These are the errors we see most frequently:
- Integrating on paper but not in practice. The document says «integrated system» but the quality, environment and prevention teams continue working in silos without communication. The IMS requires real operational integration, not just documentary integration.
- Forcing integration of everything. Some procedures must remain separate for legal or technical specialisation reasons. The key is to integrate what is efficiently integrable and respect the specificities of each standard.
- Underestimating training. When staff move from knowing «their» system to having to understand three standards simultaneously, training is essential. A worker who does not understand why their role affects the environmental system will not actively participate in it.
- Not updating the system after certification. The IMS is not a project with an end date; it is a continuous cycle. Standards are periodically revised and the organisation must adapt its system to each new version within the transition periods established by ISO.
Frequently asked questions
Is it mandatory to have all three standards to speak of an IMS?
No. Technically, an integrated management system is any combination of two or more standards managed in a unified way. The most common is the 9001+14001+45001 triad, but a company can integrate, for example, only ISO 9001 and ISO 14001 and already have a perfectly valid IMS. The number of integrated standards depends on the risk profile, market requirements and the strategy of each organisation.
How long does it take to implement an IMS from scratch?
In an SME of between 20 and 100 employees with no prior system, the full implementation of the 9001+14001+45001 triad typically requires between 9 and 18 months. If the company already has one certified standard, the extension period is considerably reduced — often to an additional 4-8 months — because the common documentary core is already built and validated. The main variable factor is the availability of internal team time.
Which body certifies the IMS?
Any certification body accredited by ENAC (National Accreditation Entity) can carry out the joint audit and issue the certificates. In Spain, AENOR, Bureau Veritas, SGS, TÜV Rheinland, Lloyd's Register, Applus+ and others operate. Summum Calidad is a consultancy, not a certification body: we accompany the implementation and preparation for the audit; the certificate is always issued by the accredited third-party body chosen by the company.
Does ISO 45001 certification replace the Prevention Plan mandatory under Law 31/1995?
No. The Law 31/1995 on Occupational Risk Prevention imposes public-order obligations that cannot be replaced by any voluntary certification. ISO 45001 is a management standard that goes beyond minimum legal compliance: it requires continuous improvement, active worker participation and a systematic approach to risks. In practice, a company certified to ISO 45001 more than adequately meets the requirements of the prevention law, but the Prevention Plan, risk assessment, health surveillance and mandatory training are legal duties that persist regardless of certification.