Is it permissible for an internal auditor to conduct audits for both ISO 27001 and ISO 9001 during the same audit session?


Conducting audits for both ISO 27001 (Information Security Management System) and ISO 9001 (Quality Management System) during the same audit session can be permissible under certain conditions. If the internal auditor is properly trained and proficient in both standards, they can effectively conduct a combined audit.

Audits often involve overlapping elements, such as risk management principles and document control processes, which can lead to efficiencies when auditing both standards simultaneously. However, it is critical to ensure that the auditor maintains objectivity and impartiality throughout the process. The auditor must be able to keep a distinct focus on each set of requirements to avoid potential conflicts or oversights.

The successful integration of both audits depends on the auditor's ability to address and evaluate compliance with the specific requirements of each standard while also recognizing their interrelationships. If managed appropriately, this combined approach can streamline the audit process, reduce redundancy, and enhance the overall effectiveness of the audit function.
