Is it permissible for an internal auditor to conduct audits for both ISO 27001 and ISO 9001 during the same audit session?

Conducting audits for both ISO 27001 and ISO 9001 during the same audit session is indeed permissible, as long as the internal auditor is competent in both standards. This is because the two standards can be integrated into a single audit framework, especially since both share common principles such as a focus on continual improvement, meeting customer requirements, and risk management.

Moreover, organizations often pursue multiple certifications, and audit efficiencies can be gained by combining audits. However, it is essential that the auditor possesses the necessary understanding and expertise in both ISO 27001, which focuses on information security management systems, and ISO 9001, which emphasizes quality management systems. Proper preparation and planning are critical to ensure that both standards are thoroughly evaluated, and their respective requirements are addressed appropriately during the audit.

It’s important to ensure that the unique aspects of each standard are still considered and that any conflict of interest or bias in the assessment of one standard over the other is avoided.
