One Portal, Every Standard: Comply Now Supports QMS, ISMS, AI MS, and More

Our compliance manager came to us with a spreadsheet.

It tracked seven separate things: their ISO 9001 certification dates, their ISO 27001 controls, a privacy compliance checklist for the Australian Privacy Act, their OHS register, and three other regulatory frameworks their industry required.

Each one lived in a different place. Different folders, different templates, different people responsible, different audit cycles.

"The problem," she said, "isn't that we don't know what standards we need to meet. The problem is that maintaining seven different compliance systems is itself a full-time job. And half the work is duplicated — we're writing the same document control procedures five times over because each standard has its own folder."

This is where most compliance tools stop. They pick one standard — usually ISO 27001 — and build a great portal for that. But the reality for almost every organisation over fifty people is that you don't have one standard. You have several.

And until now, Comply only helped you with one of them.

The Multi-Standard Reality

Most compliance professionals already know this, but for context: modern organisations don't face a single compliance obligation. They face a stack of them.

A typical mid-market company in 2026 might need:

  • ISO 9001 (Quality Management) — required by most enterprise procurement and supply chain contracts
  • ISO 27001 (Information Security) — required by enterprise clients, insurers, and government procurement
  • ISO 42001 (AI Management System) — new in 2023, increasingly required for organisations building or deploying AI
  • ISO 45001 (Occupational Health & Safety) — mandated or strongly expected in manufacturing, construction, healthcare
  • Privacy compliance — Australian Privacy Principles, GDPR for EU-facing organisations
  • ISO 22301 (Business Continuity) — required in financial services, critical infrastructure

That's six standards. Each has its own:

  • Clause structure (different section numbers, different terminology)
  • Required documented procedures
  • Evidence requirements for audits
  • Review and update cycles
  • Responsible roles

Managing them in separate systems — or worse, separate SharePoint folders — means:

Duplicated work: Your document control procedure is fundamentally the same for ISO 9001 and ISO 27001. But if they live in different systems, you're maintaining two versions. Same problem for competence and training records, internal audit procedures, and management review documentation.

Audit chaos: When your ISO 9001 auditor asks for documented procedures and your ISO 27001 auditor asks for the same thing two months later, you should be producing evidence from the same system. Instead, most organisations scramble twice.

Context collapse: A security incident response procedure needs to reference your ISO 27001 controls AND your ISO 9001 corrective action process AND potentially your business continuity plan. When those three things live in separate systems, no one connects the dots.

Certification fatigue: Maintaining compliance feels overwhelming when it requires three dashboards, four spreadsheets, and a part-time coordinator to keep in sync.

What We've Built

Comply now supports multiple management system standards in a single portal.

You can run your Quality Management System, Information Security Management System, AI Management System, and any other standard simultaneously — with shared infrastructure where standards overlap, and standard-specific controls where they diverge.

Here's what that looks like in practice.

Shared Foundation

Every standard you enable in Comply shares the same core infrastructure:

Document control — One policy library, one approval workflow engine, one version control system. A document control procedure you write for ISO 9001 compliance can also satisfy the same requirement in ISO 27001. Write it once. Comply surfaces it wherever it's needed.

Competence and training records — Both ISO 9001 and ISO 27001 require you to demonstrate staff competence in relevant areas. Your records are in one place. One audit, one set of evidence.

Internal audit management — Your internal audit programme can now cover multiple standards in a single cycle. Schedule an audit that assesses ISO 9001 Section 7.5 (documented information) and ISO 27001 Annex A.5 (information policies) in the same session. Auditors see all findings in one place.

Management review — The management review requirement exists in every ISO management system standard. Run one review that covers quality objectives, information security performance, AI risk posture, and safety indicators — and generate one set of documented minutes that satisfies all of them.

Corrective action and nonconformance — Whether a nonconformance originates from a quality inspection, a security incident, or a near-miss in safety, it goes into the same corrective action log. One process. One audit trail.

Standard-Specific Controls

Where standards diverge, Comply keeps them separate.

ISMS (ISO 27001) — The Statement of Applicability, Annex A controls, risk assessment, risk treatment plan. These are specific to information security and live in the ISMS section.

QMS (ISO 9001) — Quality objectives, customer satisfaction measurement, product/service conformity records, calibration records, and the process approach requirements specific to quality management.

AI MS (ISO 42001) — AI risk assessment, AI system inventory, transparency and explainability documentation, human oversight records, and the emerging controls specific to responsible AI deployment. This is the new standard with the most momentum right now — if your organisation is building or using AI products, this is the one to get ahead of.

OHS (ISO 45001) — Hazard identification and risk assessment, emergency preparedness records, health surveillance, contractor management, and the safety-specific competence requirements.

Each standard gets its own dedicated section in Comply. The controls, clauses, and evidence requirements are mapped to the specific standard. Your ISMS risk register doesn't mix with your quality objectives. But they share the same underlying document control, the same approval workflows, and the same people.

The Integrated Management System View

The most powerful feature is the cross-standard dashboard.

Compliance professionals who manage multiple standards have long maintained what's called an Integrated Management System (IMS) — the idea that your various standards share enough common structure that you can manage them as one programme.

Comply now makes this automatic.

The IMS dashboard shows:

  • Certification status for each active standard
  • Upcoming review cycles across all standards (not buried in separate calendars)
  • Open nonconformances and their originating standards
  • Documents that satisfy requirements in multiple standards simultaneously
  • Outstanding corrective actions regardless of which standard triggered them

When your ISO 9001 certification body visits in April and your ISO 27001 auditor visits in September, you're pulling evidence from the same organised system — not scrambling to reconstruct two separate documentation sets.

Why ISO 42001 Matters Right Now

A note on the AI Management System standard specifically, because it's generating enormous interest and we want to be honest about why.

ISO 42001 was published in late 2023. It's the first international standard for AI management systems — covering how organisations govern, risk-assess, document, and oversee AI systems they build or deploy.

Adoption is accelerating rapidly for two reasons.

First, enterprise procurement teams are starting to require it. If you're selling AI products to large organisations, expect to be asked: "What's your AI governance framework?" and "Are you certified or working toward ISO 42001?" within the next 12-18 months. The same trajectory ISO 27001 followed in the 2010s.

Second, regulation is pointing at it. The EU AI Act and emerging equivalents in other jurisdictions reference management system frameworks. Organisations that have an AI MS in place when regulation lands will have a significant head start.

The controls in ISO 42001 aren't radically different from ISO 27001 in structure — they require you to identify AI systems, assess their risks, document your governance processes, demonstrate human oversight, and maintain records. If you've already built your ISMS in Comply, adding the AI MS is straightforward: your document control is already in place, your management review already covers governance processes, and your internal audit programme can be extended to cover AI systems.

We've mapped ISO 42001's clause structure into Comply so the work you've already done carries over.

Real-World Example: The Professional Services Firm

A professional services firm with 200 staff. ISO 9001 certified (required by their largest clients). Recently started ISO 27001 implementation (required to retain a government contract). Now facing requests from two clients for ISO 42001 evidence because they're using AI tools in client engagements.

Before Comply's multi-standard support:

  • ISO 9001 documentation in SharePoint (messy, as discussed in our previous post)
  • ISO 27001 in a separate specialist compliance platform (expensive, isolated)
  • ISO 42001 not started — "we don't have capacity"
  • Three separate annual audit cycles, three separate documentation scrambles
  • Quality manager spending 60% of her time maintaining compliance records

With Comply's multi-standard portal:

  • All three standards in one portal
  • Document control, approvals, and version history shared across standards
  • One management review covers all three
  • Internal audit programme covers all three standards in a single annual cycle
  • ISO 42001 implementation was 70% complete on day one because the document control infrastructure was already in place
  • Quality manager spends 20% of her time on compliance administration (the other 40% freed for actual improvement work)

The Standards We Currently Support

Comply's multi-standard portal currently supports:

  • ISO 9001:2015 — Quality Management Systems
  • ISO 27001:2022 — Information Security Management Systems
  • ISO 42001:2023 — Artificial Intelligence Management Systems
  • ISO 45001:2018 — Occupational Health & Safety Management Systems
  • ISO 27701:2019 — Privacy Information Management (extension to ISO 27001)

On the roadmap:

  • ISO 22301:2019 — Business Continuity Management Systems
  • ISO 14001:2015 — Environmental Management Systems
  • SOC 2 compliance documentation framework
  • Custom frameworks (for industry-specific or internal governance programmes)

If your organisation has a specific standard or regulatory framework you're working toward and it's not listed above, let us know. We're adding standards based on what our users actually need.

The Atlas Integration: Ask Your Compliance Questions Naturally

One thing that changes significantly when all your standards are in one portal: your corporate AI chatbot (Atlas) can search across all of them.

When an employee asks Atlas: "What are our data handling requirements for client projects?" — Atlas now searches across your ISO 27001 information security policies AND your ISO 9001 customer-related processes AND your privacy procedures simultaneously. It surfaces the most relevant answer from whichever standard it lives in, with a direct link to the policy.

When a manager asks: "What do I need to document before we deploy a new AI tool?" — Atlas pulls from your ISO 42001 AI system inventory requirements, your ISO 27001 change management procedure, and any relevant procurement policies.

A single AI assistant. All your standards. No more guessing which folder to search.

Getting Started with Multiple Standards

If you're already using Comply for ISO 27001 or ISO 9001, adding a new standard takes about 20 minutes to configure and a few weeks to populate with your existing documentation.

If you're starting from scratch, we recommend:

  1. Start with the standard your clients are asking for — usually ISO 9001 or ISO 27001
  2. Use the shared foundation — get document control, internal audits, and management review working well first
  3. Add the second standard — your infrastructure is already in place, so you're adding the standard-specific controls only
  4. Build toward your IMS — by your third standard, you'll see the compounding benefit of the integrated approach

Because the document control infrastructure carries over between standards, each new standard you add is faster to implement than the last.


One portal for every standard your organisation needs. Comply centralises your Quality Management System, Information Security Management System, AI Management System, and more — with shared document control, unified approval workflows, and a single audit trail that satisfies every standard.


Tom Foster is the founder of Avoidable Apps, a suite of productivity tools designed to eliminate the busy work that fragments modern knowledge workers' attention.