Integrated Management System 9001+14001+45001: how to unify

·

If your company already has — or is considering obtaining — more than one ISO certification, the inevitable question arrives sooner or later: does it make sense to maintain three separate systems with their own manuals, procedures, internal audits and management reviews? The answer, in most cases, is no. The integrated management system (IMS) was created precisely to avoid that triplication of effort, aligning under a single structure the requirements of ISO 9001 (quality), ISO 14001 (environment) and ISO 45001 (occupational health and safety). This article explains what an IMS is, which standards it can integrate, what real benefits it brings to an SME and what the logical path is to build one.

What is an integrated management system?

An integrated management system is a single documentary and operational framework that simultaneously meets the requirements of several ISO standards, eliminating duplication and creating synergies between the different management domains. Instead of having a quality manager with their own procedures, an environmental manager with theirs, and a health and safety technician with their own — each with their own audit cycle — the IMS merges them into a single policy, a single PDCA cycle and a unified review calendar.

The foundation that makes this integration possible is the High Level Structure (HLS, formerly known as «Annex SL») that ISO has imposed since 2015 on all its management system standards. Thanks to this common structure, ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 share the same chapter layout (from 4 to 10), the same concepts of organisational context, leadership, planning, support, operation, performance evaluation and improvement. A requirement that appears in all three standards — for example, risk management or document control — is addressed only once in the IMS.

The three standards that form the core of the most common IMS

Although an IMS can include many more standards (ISO 50001 for energy, ISO 27001 for information security, ISO 22000 for food safety…), the most widespread combination in Spanish industry and services is the triad 9001 + 14001 + 45001. Let us review what each one contributes.

ISO 9001:2015 — Quality management

This is the global reference standard for quality management systems. Published in its current version in September 2015 and currently under revision towards ISO 9001:2026, it requires the organisation to identify its context, understand the needs of interested parties, plan its processes with a risk-based approach and measure customer satisfaction. In Spain, companies holding ISO 9001 certification exceed 30,000 according to the latest ISO Survey data, placing the country among the top ten in the world by number of certificates. It is the most common entry point into the world of certification.

ISO 14001:2015 — Environmental management

It defines the requirements for identifying and controlling the significant environmental aspects of business activity: energy and water consumption, waste generation, atmospheric emissions, discharges. The standard requires the establishment of measurable environmental objectives and compliance with applicable legal requirements — which in Spain include Law 7/2022 on waste and contaminated soils for a circular economy, the REACH and CLP Regulations where chemical substances are handled, and sector-specific regional legislation. The current version is ISO 14001:2026, published in April 2026, and organisations have a 36-month transition period until April 2029 to update their certificates to the new edition.

ISO 45001:2018 — Occupational health and safety

Published in March 2018, ISO 45001 definitively replaced OHSAS 18001. It introduces the concept of the worker as an interested party with the capacity to actively participate in the system, reinforces the role of leadership and requires proactive management of occupational risks. In Spain it coexists with the legal obligation derived from the Law 31/1995 on Occupational Risk Prevention and its implementing regulations; obtaining ISO 45001 certification does not exempt companies from the mandatory Prevention Plan, but it constitutes a layer of continuous improvement above the minimum legal compliance.

High Level Structure: the key to integration

Before the HLS existed, integrating standards was an artisanal and laborious exercise. Today, the map of common requirements between the three standards is very broad. The following table shows the standard chapters and which standards share them:

HLS Chapter ISO 9001:2015 ISO 14001:2015 ISO 45001:2018 Integrable in IMS
4 · Organisational context Yes Yes Yes ✓ Single document
5 · Leadership Yes Yes Yes ✓ Single integrated policy
6 · Planning (risks and objectives) Yes Yes Yes ✓ Unified risk matrix
7 · Support (resources, competence, communication, documentation) Yes Yes Yes ✓ Single document system
8 · Operation Partial Partial Partial Partially integrable (standard-specific requirements)
9 · Performance evaluation (audits, management review) Yes Yes Yes ✓ Joint internal audit and review
10 · Improvement Yes Yes Yes ✓ Single nonconformity management

Chapter 8 is the only one with its own logic in each standard: product design and development requirements belong to ISO 9001, environmental emergency preparedness and response belongs to ISO 14001, and occupational safety operational controls belong to ISO 45001. Everything else integrates cleanly into a single documentary corpus.

Real benefits of an IMS for an SME

An integrated management system is not an end in itself; it is a means to operate more efficiently and with less risk. These are the benefits that materialise in practice:

How to unify: the step-by-step process

IMS implementation does not follow a single path, but experience in certification projects indicates that there is a logical itinerary that minimises the risk of overlaps and gaps. At Summum Calidad we structure it in four phases:

Phase 1 · Starting-point diagnosis

Before integrating it is essential to know what exists. A GAP analysis of each standard is carried out separately: which requirements are covered, which are partially covered and which are absent. If the company already has ISO 9001 and wants to add ISO 14001 and ISO 45001, the diagnosis identifies exactly what new work needs to be done and which existing documentation can be reused with minor adjustments.

Phase 2 · Design of the integrated documentary architecture

The documentary hierarchy of the IMS is defined: integrated policy, IMS manual (if the company considers it useful, although it has not been mandatory since the 2015 revision), operational procedures, technical instructions and records. Decisions are made about which procedures are common (nonconformity management, internal audits, communication) and which remain separate due to their specific nature (environmental emergency plan, safety data sheets, production process controls).

Phase 3 · Implementation, training and testing

The system is implemented progressively, involving process managers in the drafting and validation of procedures. An integrated internal audit is conducted to verify simultaneous compliance with all three standards, and the full management review cycle is launched. This phase typically takes between four and eight months in an SME with between 20 and 150 employees, depending on the maturity of the pre-existing systems.

Phase 4 · Joint certification audit

A certification body accredited by ENAC (AENOR, Bureau Veritas, SGS, TÜV Rheinland, Lloyd's Register, among others) is selected and the phase 1 audit (documentary review) and phase 2 audit (on-site audit) are scheduled. The result, if passed, is the issuance of three certificates — one per standard — in the same process. The expiry date and the follow-up and renewal audit cycles are aligned, which simplifies long-term planning.

If your company is considering this path, at Summum Calidad we accompany the entire process from diagnosis to certificate issuance. You can learn about our ISO 9001 implementation and certification service, which is typically the anchor standard of the IMS, and from there extend the scope to environment and safety.

How many standards can be integrated?

The 9001+14001+45001 triad is the most widespread, but the IMS can be expanded with other standards that also follow the High Level Structure. The most common in the Spanish business fabric are:

Each additional standard represents a decreasing incremental cost: the common core is already built and what varies are the specific requirements of Chapter 8 and some aspects of Chapter 6 on planning.

Common mistakes when integrating an IMS

A poorly executed integration can create more problems than it solves. These are the errors we see most frequently:

Frequently asked questions

Is it mandatory to have all three standards to speak of an IMS?

No. Technically, an integrated management system is any combination of two or more standards managed in a unified way. The most common is the 9001+14001+45001 triad, but a company can integrate, for example, only ISO 9001 and ISO 14001 and already have a perfectly valid IMS. The number of integrated standards depends on the risk profile, market requirements and the strategy of each organisation.

How long does it take to implement an IMS from scratch?

In an SME of between 20 and 100 employees with no prior system, the full implementation of the 9001+14001+45001 triad typically requires between 9 and 18 months. If the company already has one certified standard, the extension period is considerably reduced — often to an additional 4-8 months — because the common documentary core is already built and validated. The main variable factor is the availability of internal team time.

Which body certifies the IMS?

Any certification body accredited by ENAC (National Accreditation Entity) can carry out the joint audit and issue the certificates. In Spain, AENOR, Bureau Veritas, SGS, TÜV Rheinland, Lloyd's Register, Applus+ and others operate. Summum Calidad is a consultancy, not a certification body: we accompany the implementation and preparation for the audit; the certificate is always issued by the accredited third-party body chosen by the company.

Does ISO 45001 certification replace the Prevention Plan mandatory under Law 31/1995?

No. The Law 31/1995 on Occupational Risk Prevention imposes public-order obligations that cannot be replaced by any voluntary certification. ISO 45001 is a management standard that goes beyond minimum legal compliance: it requires continuous improvement, active worker participation and a systematic approach to risks. In practice, a company certified to ISO 45001 more than adequately meets the requirements of the prevention law, but the Prevention Plan, risk assessment, health surveillance and mandatory training are legal duties that persist regardless of certification.