If your organisation is sitting on three separate ISO certificates and each one has its own document set, its own audit calendar, and its own management review meeting, you are quietly bleeding time and money. Most Australian businesses I work with do not realise this until I lay the three systems side by side and circle the eighty per cent that is identical.
That is the part nobody mentions upfront. Every modern ISO management standard published in the last decade is built on the same skeleton. They share the same structural requirements, the same risk-based thinking, the same approach to context analysis, the same internal audit logic, the same management review. The only differences live in the technical content itself. Quality outputs. Environmental aspects. Workplace hazards. Information security risks. The plumbing underneath is the same.
That shared skeleton is what makes an Integrated Management System (or IMS) possible. For most businesses holding two or more ISO certifications, it is the single biggest cost-and-effort saving available without changing scope.
This guide is what I would tell a client across the table, not a brochure. We will cover what the integrated approach actually involves, which standards combine well, what the cost difference looks like in real numbers, how to build a working system in practice, and the mistakes I see most often.
What an Integrated Management System actually is
The integrated approach takes one management system and uses it to satisfy the requirements of two or more standards at the same time. One scope statement. One context analysis. One risk register. One document control system. One internal audit programme. One management review. One set of corrective actions. The certificate at the end can list multiple standards, or you can choose to keep them visually separate. That is a marketing decision, not a system design one.
Now, what it is not. An IMS is not a single document called the IMS Manual with chapters for quality, environment and safety stitched together. That is the most common misunderstanding I see, and it is what gives integration a bad name. A Frankenstein manual is harder to maintain than three separate ones, because every change has to be cross-checked against every standard. Real integration happens at the process level. Documentation is the trailing artefact, not the leading edge.
It is also not the same thing as a combined audit. A combined audit is when a certification body sends auditors who can cover multiple standards on the same visit, but your underlying systems can still be three separate systems running in parallel. You save on travel time and audit days, but you do not save on the day-to-day cost of running three systems. Integration is the underlying structure. The combined audit is the way you choose to certify it.
Why Australian businesses are moving to this approach in 2026
A few patterns are converging this year. Construction firms are being asked for safety and environmental certifications on Tier-1 tenders, and many head contractors are now also asking subcontractors for quality certification. Three certifications used to be a nice-to-have. On government and Tier-1 panel work it is increasingly the floor.
At the same time, IT and SaaS companies that already hold information security certification are being pulled towards AI management certification because their customers are starting to ask AI-governance questions in vendor reviews. Consulting and professional services firms looking to expand internationally are realising the tender criteria in the UK, Singapore, and parts of South-East Asia look very similar.
The other driver is cost. Certification body day rates have crept up steadily over the last three years, and audit days are the most visible line item on a certification budget. Collapse three audits into one and you save audit days. Collapse three internal audit programmes into one and you save internal time. Collapse three sets of documentation into one and you save your quality manager’s hair.
Which standards combine well
Integration works best between standards that follow the same modern structure adopted by the International Organization for Standardization in 2012. The 2015 versions of quality and environmental management, the 2018 version of occupational health and safety, the 2022 version of information security, and the new 2023 standard for AI management all share this structure. They follow the same ten-section framework. They all require you to understand your organisation’s context, identify interested parties, define a scope, manage risks and opportunities, set objectives, and allocate resources. The structure diverges only in the technical content itself, and even there, the form of each requirement is similar even when the substance differs.
In Australia, four combinations come up most often.
The classic Quality, Health, Safety and Environment bundle (quality, environmental, and OH&S certifications combined) suits manufacturing, construction, logistics, mining services, and field services. This is the most common integrated system in the country and the easiest to build, because the three standards have very high overlap in operational planning, supplier management, internal audit and management review.
Quality plus information security suits IT services firms and consultancies. The shared parts are the management-system requirements around context, leadership, planning, support, performance evaluation, and improvement. What information security adds on top is the security layer itself: the Statement of Applicability, the controls register, the risk treatment plan. About sixty per cent of the system is shared infrastructure.
Information security plus AI management is the new combination for AI-driven companies. SaaS platforms with embedded ML models. Generative AI products. AI consultancies. The two standards explicitly reference each other and the AI standard is designed to slot in next to information security rather than replace it. If you are building anything that touches AI and you do not already have information security certification, the smart move is to scope both at the same time and run a single integrated implementation, rather than getting one first and bolting the other on later.
The full Quality, Health, Safety, Environment and Information Security stack suits larger SMEs that bid for federal government work, defence-adjacent contracts, or any panel that requires the full suite. This is heavier to maintain, but the integration savings here are the largest in absolute terms.
The general rule is that the more standards you add, the bigger the absolute saving but the smaller the relative one. Going from one standard to two saves you the most as a percentage. Going from three to four saves the most in dollars.
What the real cost saving looks like
Here are concrete numbers for the kind of mid-sized business I see often. Between fifty and one hundred and fifty employees, a couple of physical sites, moderate complexity.
Three standalone certifications run separately would typically involve about three audit days each per cycle for quality, environmental, and OH&S certifications, which is roughly nine audit days a year between the initial stages and surveillance. At Australian day rates that comes to somewhere between fourteen and eighteen thousand dollars in certification body fees alone, before consultant time. The same three standards as a combined audit might come down to five or six audit days, saving thirty to forty per cent on certification body fees over a three-year cycle.
The hidden saving is much larger. With three separate systems, you are running three internal audit programmes, three management reviews, three corrective action workflows, three risk registers, and three context analyses. Most quality managers I speak to estimate they spend twenty to thirty per cent more time on a multi-system organisation than on an integrated one of the same scope. For a mid-sized business, that is one or two days a week of someone’s time disappearing into duplicated work.
Add in the consultant fee saving on the initial implementation (one set of documentation rather than three, one gap analysis rather than three, one internal audit rather than three) and the total saving on the first three-year cycle is usually thirty to forty per cent of what three standalone certifications would have cost.
The structure that makes integration possible
If you take only one piece of technical knowledge from this guide, take this. The reason an integrated system works is that every modern ISO management standard now follows the same ten-section template.
The first three sections are administrative. The interesting ones are sections four through ten. Section four is about understanding the organisation and its context. Section five is leadership. Section six is planning, which includes risks, opportunities and objectives. Section seven covers support: resources, competence, awareness, communication, documented information. Section eight is operation, and this is the only section where the standards genuinely differ. Section nine is performance evaluation, including monitoring, internal audit, and management review. Section ten is improvement: nonconformity, corrective action, continual improvement.
When you build an integrated system, you build one set of context, leadership, planning, support, evaluation and improvement processes that serve every standard at once. You only build separate operational sub-processes for each standard. So one context analysis, one leadership engagement programme, one resource and competence framework, one internal audit programme, one management review, one corrective action process. But separate operational controls for quality outputs, environmental aspects, workplace hazards, and information security risks.
That is the structural insight. Once you see it, you cannot unsee it, and you start noticing how much waste lives in unintegrated systems.
How to actually build an integrated system
A typical build for a mid-sized Australian business takes ten to fourteen weeks if you are starting from scratch, or six to ten weeks if you already hold one of the standards and are adding others. The phases below are how QS2000 sequences the work, and roughly how any competent consultant should run it.
The first phase is scoping and gap analysis, usually one to two weeks. You define which standards you are pursuing, what the boundaries of the system are (sites, processes, functions), and what is excluded and why. You map your existing controls against each target standard’s requirements. The output is a gap register that shows what you already do, what you partially do, and what is missing.
The second phase is context, leadership and planning, two to three weeks. You document the context analysis once and use it for every standard. You define interested parties once, capturing quality, environmental, OH&S, customer security and any other relevant stakeholder lenses on the same map. You develop a unified policy that addresses every standard’s policy requirements in one document, signed off by top management once. You set up an integrated risk and opportunities register that has columns for each lens but a single workflow.
The third phase is operational design, three to five weeks, and this is where the standards diverge most. For quality, you are designing process controls and customer requirement reviews. For environmental, you are identifying environmental aspects and impacts and registering applicable legal requirements. For OH&S, you are running hazard identification and risk assessment and defining consultation processes. For information security, you are running a security risk assessment, building the Statement of Applicability, and selecting the right controls. The trick is to use the same forms and the same workflow software for all of these. Different content, identical infrastructure.
The fourth phase is implementation and training, two to three weeks. You roll out the system, train staff once on the integrated approach, capture evidence of operation. The temptation here is to over-train. Resist it. Most staff need to know what the system expects of them in their role, not what every part of every standard says.
The fifth phase is internal audit and management review, two weeks. You run a single internal audit programme that covers every standard, conducted by competent auditors against an integrated checklist. You hold one management review meeting with one agenda that covers every standard’s required inputs and outputs. The minutes are one document.
The sixth phase is the certification audit. Stage 1 is the documentation review. Stage 2 is the on-site assessment. Both are conducted as integrated audits if your certification body and lead auditor are competent in all the relevant standards.
After certification, your annual cycle becomes one internal audit programme, one management review, one set of surveillance audits. That is the saving in operation, not just at certification.
Common mistakes I see when building these systems
The first mistake is treating integration as a documentation exercise. Companies hire a consultant to merge their three manuals. The result is a Frankenstein document that nobody reads, that is harder to maintain than the originals, and that makes auditors suspicious. Real integration happens at the process level. Documentation follows.
The second mistake is rushing into integration before any of the standards are mature. If your quality system is a paper exercise, integrating it with environmental and OH&S just gives you three paper exercises wearing the same suit. Integrate from a position of strength when at least one of the systems is genuinely working, or build the integrated system from scratch as one cohesive whole from day one.
The third mistake is choosing a certification body that does not have lead auditors competent in all your target standards. You will end up with a combined audit in name only. Two separate audits scheduled in the same week, two separate audit reports, two separate sets of findings. Ask the certification body in writing whether they will assign a single lead auditor with competence across all your standards. If they cannot, find one that can.
The fourth mistake is skipping the integration of internal audit. Companies will integrate everything else and then keep three separate internal audit programmes because the auditors are different. Cross-train them, or rotate them, or use external internal auditors who can cover all three. One programme.
The fifth mistake is letting the management review meeting expand to four hours. An integrated review needs structure. Set the agenda from the input requirements of each standard, work through them in order, capture the outputs, finish in ninety minutes. If your meeting is running long, your data preparation is not tight enough.
When standalone certifications still make more sense
I want to be honest here, because I am not a fan of recommending integration to companies that do not need it. There are situations where keeping certifications separate is the right call.
If you only hold one ISO certification and have no plans to add another within the next two years, do not pre-build an integrated system. The integration overhead is wasted. If your standards apply to genuinely different parts of the business (for example, quality covering your professional services arm and environmental covering a separate manufacturing subsidiary with its own management) integration may not save anything, because the systems were never going to overlap. And if your business is going through major change, such as an acquisition, a restructure, or a system migration, defer the integration project. You want to be integrating into stability, not into chaos.
For everyone else, particularly businesses with multiple existing certifications or plans to add the second or third standard within twelve months, the integrated approach is almost always the better economic and operational choice.
The transition path if you already hold one or two certifications
If you already have one ISO certification and you are adding another, you have two options. Option one is to certify the new standard standalone, then integrate at your next major surveillance or recertification audit. Option two is to scope the integration up front, build the new standard as part of an integrated system, and have your certification body audit it as one from day one.
Option two saves more in the long run but requires more disciplined planning. Option one is lower risk and lets you treat integration as a future project. Most clients I work with end up doing option two, because the marginal cost of integrating during initial implementation is small, while retrofitting integration onto an established system is significantly more disruptive.
If you already hold two or more separate certifications and you are looking at integration, the transition is usually staged across one full audit cycle. You integrate the documentation at the next surveillance, integrate internal audit and management review by the surveillance after that, and at recertification the certification body audits it as a single integrated system. Done well, this is a twelve-to-eighteen month transition rather than a single project.
Frequently asked questions
What does IMS stand for?
IMS stands for Integrated Management System. It is one management system that simultaneously meets the requirements of two or more ISO management standards. Most commonly the combination is quality, environmental and OH&S, though any combination of modern ISO management standards can be integrated.
Will I get one certificate or several?
That depends on your certification body. Most issue a single integrated certificate listing all the covered standards. A few will issue separate certificates that share an audit cycle. Both options are valid. The underlying system is what matters, not the paper.
Is an integrated audit cheaper than separate audits?
Yes, typically thirty to forty per cent cheaper on certification body fees over a three-year cycle, plus much larger savings on internal time and consultant fees. The exact saving depends on your scope, the standards involved, and how integrated your system genuinely is.
Can I add a fourth or fifth standard later?
Yes. An integrated system built on the modern shared structure can absorb additional standards with relatively little structural change. The main effort goes into the operational content specific to each new standard. Information security and AI management are increasingly being added to existing quality, environmental and OH&S systems for tech-enabled businesses.
Do I need a single integrated manual?
No. The current versions of these standards do not require a quality manual at all, integrated or otherwise. You need documented information for specific items (scope, policy, objectives, and a defined list of records). How you organise it is up to you.
How long does it take to integrate two existing certifications?
Twelve to eighteen months across a normal audit cycle if you do it gradually, or four to six months if you do it as a focused project. Faster integrations are possible but tend to leave gaps that surface at the next surveillance.
Will my certification body accept an integrated system?
Yes. All major Australian certification bodies are familiar with integrated management systems and will conduct integrated audits, provided the lead auditor has competence in each of the standards involved. Confirm this in writing when you scope the audit.
Where to start
If you are already certified to one standard and considering a second, the cheapest hour you will spend is a planning conversation with someone who has built integrated systems before. We can map your existing system against your target standards, give you a realistic scope and cost, and tell you honestly whether integration makes sense for your business or whether you should keep them separate.
QS2000 has been building Australian management systems for over thirty years. If you want to talk through your situation, book a thirty-minute consult or run an instant pricing estimate against your scope.
