Internal Audit 27001 and ISO 45001 in Australia: Why Integration Is the Next Frontier

Australian companies need to defend themselves not only in cybersecurity but also in workplace health and safety. ISO 27001 and ISO 45001 are seen as two separate domains, one covering information security and the other occupational health and safety. When it comes to internal audits, however, there is a real opportunity to identify the synergy between the two.

Moving Beyond the Checklist Mentality

Internal audits are often seen as a tick-the-box exercise. With ISO 27001 the focus is on access control, encryption and risk registers. With ISO 45001 it is on hazard identification, incident reporting and the safety management system. This siloed approach is outdated in Australia’s evolving regulatory and risk environment.

Cybersecurity breaches can have direct safety repercussions, and workplace incidents can expose sensitive information. Internal audits that do not identify these cross-domain issues are missing the point. The fresh perspective is this: the ISO 27001 internal audit and the ISO 45001 internal audit should be viewed as synergistic, not antagonistic.

The Australian Context: Rising Expectations

Australian regulators are raising their expectations for workplace safety and digital resilience. With the Office of the Australian Information Commissioner (OAIC) tightening its response to data breaches, and Safe Work Australia broadening its focus on psychosocial risk, organisations need to consider both data breach response and psychosocial risk exposure within a single resilience framework.

It also means that internal audits now place more focus on integrated resilience, rather than merely obtaining a passing grade for certification purposes.

The integration of ISO 27001 and ISO 45001 directly supports transparency about how resilience is sustained across the continuum from information security to employee psychosocial risk exposure in the workplace, which is a key factor in sustaining the confidence of investors, employees and regulators.

Juggling the Human Factors of Safety and Security

One of the most overlooked connections between ISO 27001 and ISO 45001 is the human factor. Human error is the primary cause of cybersecurity breaches (consider weak passwords, phishing mistakes and the mishandling of sensitive data), and human behaviour is equally critical to workplace safety: fatigue, stress and lack of training can all lead to workplace incidents.

Integrating ISO 27001 and ISO 45001 allows the audit programme to analyse these human dimensions in depth and to identify systemic risk that neither standard surfaces on its own.

This is the type of insight integrated ISO audits can provide, and the type of insight siloed audits cannot. As a result, it is also the most neglected kind of information in the auditing of integrated management systems.

Audit programmes built on self-contained compliance silos are the least capable of being integrated and, consequently, provide the least differentiated service.

The integrated management systems that identify the human dimensions of systemic risk are the ones most directly concerned with employee psychosocial risk exposure, and they define the most advanced form of integrated compliance.

Australian organisations are actively developing audit programmes that prioritise the integration of ISO 27001 and ISO 45001 in order to counterbalance employee psychosocial risk exposure, whereas programmes that do not retain that integration end up built on the most minimal form of integrated compliance. Minimal compliance does not build resilience. Culture does. The ISO 27001 internal audit and the ISO 45001 internal audit can both measure and influence culture.

Auditing culture is about auditing comments and feedback. Instead of focusing only on technical controls and hazard registers, audits can examine whether employees feel empowered to report a risk, whether leaders show accountability, and whether training programmes actually change attitudes and behaviour. Such a cultural lens moves internal audits from box-ticking exercises to purposeful audits of a resilient culture.

Integrated Reporting: The Next Frontier

Integrated reporting is a developing discipline in Australia and globally. Its stakeholders want to see how organisations manage their risks holistically rather than in fragmented silos. Internal audits that combine ISO 27001 and ISO 45001 findings can contribute to integrated reports that portray both digital and physical resilience.

This method also meets Australia’s ESG requirements. Cybersecurity and workplace safety are increasingly viewed by investors as part of the “social” and “governance” aspects of sustainability. Internal audits that integrate these standards can elevate organisations to the forefront of responsible business.

Practical Implications for Australian Organisations

• Effectiveness: Joint internal audits increase efficiency by eliminating duplication of effort and audit fatigue.
• Risk visibility: Integrated audits reveal cross-domain risks that siloed audits are likely to miss.
• Trust: Demonstrating resilience across both information security and safety strengthens trust with regulators and stakeholders.
• Future-readiness: Integrated audits help organisations meet deeper compliance expectations as holistic audits become more common in Australia.

Conclusion: A Call for Integration

ISO 27001 internal audits and ISO 45001 internal audits in Australia are still seen as separate compliance exercises. When they are treated that way, the value of integration is lost. By understanding the interplay of human factors, culture and stakeholder expectations, organisations can elevate internal audits from tactical exercises to strategically focused instruments of organisational resilience.

Australia’s future will require organisations to be both digitally and physically safe. Addressing ISO 27001 and ISO 45001 together in internal audits is more than a compliance obligation; it is a differentiating factor.
