ISO 9001 and ISO 27001: Achieving Organization-Wide Compliance with ECLIPSE

Organizations need to comply with many rules and regulations. The need to comply can originate from a variety of sources, including but not limited to national legislation, customer needs, and internal procedures that follow from company policy.

The Complexity of Compliance

Regulations can apply to businesses in general, but they may also concern specific business aspects. For every organization, it is important to know:

  • What regulations do we need to comply with?
  • How will we accomplish compliance specifically within our organization?
  • How can we trust that we comply? How can we prove or demonstrate this?

Answering these questions can be complex. Compliance needs to be demonstrated up and down the supply chain. New regulations are introduced, and existing regulations can be changed. Many stakeholders may be involved, both internal and external.

Why Separate Management Systems Don’t Scale

When a new regulation comes up, it is tempting to implement a management system for it, because this way we can use the momentum to focus on the matter at hand and reach our goal quickly.

In the long run, however, this approach is not efficient. Most regulations do not exist in isolation; they often overlap. They also affect the same business processes, each from its own perspective. This complexity grows with the number of applicable regulations. In the end, even a minor change to a business process requires consulting every related management system to assess the impact.

The Case for an Integrated Management System

There is therefore often a strong business case for an integrated management system. An integrated management system, or IMS, covers the implementation of all applicable regulations ‘under one roof’.

The ECLIPSE software suite is a good fit for implementing an IMS, as it contains a wide variety of functionalities that integrate with each other. Below is an example of an IMS in ECLIPSE that supports certification against ISO 9001 and ISO 27001.

ISO 9001 and ISO 27001 in ECLIPSE Software Suite

The table below illustrates how ECLIPSE supports the combined implementation of ISO 9001 and ISO 27001 within a single IMS. For each card, the ISO columns describe what the standards require at a conceptual level, while the ECLIPSE column shows how these requirements can be implemented and supported.

The following ECLIPSE modules are used in the example below to support the implementation of an integrated management system:

  • RISK (Risk Management) – Enables identification, assessment, monitoring, and resolution of risks, including full risk history and reporting.
  • RVM (Requirements and Verification Management) – Provides a structured, traceable environment to capture, manage, review, and track requirements across the lifecycle.
  • DCCM (Document Configuration and Change Management) – Manages controlled creation, review, approval, versioning, and secure access to documents throughout their lifecycle.
  • DAB (Database Application Builder) – Enables creation of custom, collaborative database applications to manage structured data and processes within ECLIPSE.
  • NCTS (Non-Conformance Tracking System) – Supports recording, tracking, and closure of non-conformances, including access control, review boards, and reporting.
  • AIM (Action & Improvement Management) – Used to register, track, and manage actions, improvements, and follow-up activities.
  • DASH (Dashboards) – Provides spreadsheet-based dashboards and reports for visualizing KPIs and data across ECLIPSE modules.

Risk management
ISO 9001: Uses a risk-based approach, calling for the identification and management of quality threats and opportunities. Risks need to be re-assessed periodically.
ISO 27001: A risk-based approach is central: the identification and subsequent management of information security threats is the starting point of implementation. Risks need to be re-assessed periodically.
ECLIPSE: Manage threats in the eRISK module. eRISK supports periodic re-assessment, enabling evaluation and risk trend analysis. Manage opportunities in a DAB application. DAB enables users to create custom applications to record and manage information within the shell of ECLIPSE.

Requirements
ISO 9001: The chapters/paragraphs of the standard contain the requirements of the standard.
ISO 27001: The controls of Annex A are the mitigation measures for information security threats. The chapters/paragraphs of the standard contain the requirements of the standard.
ECLIPSE: In ECLIPSE, the chapters/paragraphs of the standard, as well as the controls of Annex A, can be regarded as requirements. These can be managed with the RVM module and organized in a tree structure.

Implementation
ISO 9001: The requirements of the standard describe what the organization needs to do, but not how. The how – the implementation – is typically captured in policy documents, processes, and dynamic registrations.
ECLIPSE: Policy documents and processes can be managed with DCCM, the document management module of ECLIPSE. This includes version control and review/approval cycles. Dynamic registrations (for example: access control lists, supplier lists, etc.) can be supported with DAB applications.

Audits
ISO 9001: There is a requirement to conduct internal audits according to an audit plan. Periodically, an external auditor conducts an external audit; this extends the validity of the organization’s certification for the standard.
ECLIPSE: Audit plans and reports can be managed as documents in DCCM. Non-conformities found during audits can be managed with the eNCTS module. eNCTS contains a process to escalate decision making about non-conformities to different levels in the organization.

Management review and improvement
ISO 9001: There is a requirement to periodically conduct management reviews and to implement continual improvement.
ECLIPSE: Management reviews can be managed as documents in DCCM. The AIM module can be used to record, track, and manage any follow-up action.

How ECLIPSE Supports an Integrated Management System

Furthermore, ECLIPSE contains functionalities that support an IMS:

  • It is easy to switch between perspectives: look at the whole, by examining all data in the ECLIPSE project; or focus on a specific regulation by filtering on custom metadata;
  • Related items provide the ability to follow an audit trail; for example, from an improvement opportunity (action item in AIM) to a policy document that needs to be updated (document in DCCM) and a high-level activity (record in a DAB application) to inform all employees about the change;
  • ECLIPSE itself allows for a high level of customization. For example, if data processing registers or a privacy management system need to be included, this can be accomplished with DAB applications. Or, to do ‘lightweight’ non-conformity management, use AIM. Or, to do dynamic registrations use DCCM with documents that remain unlocked throughout the lifecycle;
  • Visualization is supported by Excel-based Dashboards.

Benefits of an Integrated Management System

Implementing an IMS requires a larger initial investment of time, but this approach often pays for itself quickly. It provides a basis for communication between the different disciplines involved in the various regulations, which is necessary to deal with the overlaps. It introduces a predictable and repeatable way to implement new or changed regulations. And finally, it answers questions about how specific (or all) regulations affect the business.

Raising Compliance to Organization Level

With an integrated management system, organizations move from managing individual regulations to achieving organization-wide compliance. An IMS reduces duplication, makes overlaps visible, and provides a consistent way to respond to new or changing requirements.

ECLIPSE supports this approach by linking risks, requirements, documentation, audits, and improvement actions within a single platform. This enables better oversight, clearer accountability, and more efficient demonstration of compliance. To get started with the ECLIPSE Software Suite, contact us.