
ISO 42001 vs ISO 27001: How AI Management Relates to Information Security

Organizations with existing ISO 27001 certifications are asking how the new ISO 42001 standard fits alongside their Information Security Management System. The good news: both standards share the Harmonized Structure, creating significant synergies. The important distinction: ISO 42001 addresses AI-specific risks that ISO 27001 was never designed to cover. This guide compares the two standards and provides a practical roadmap for integration.

Scope and Purpose Comparison

ISO 27001 focuses on preserving the confidentiality, integrity, and availability of information through a risk-based Information Security Management System (ISMS). Its scope is information security broadly. ISO 42001 focuses on the responsible development, provision, and use of AI systems through an AI Management System (AIMS). Its scope is AI governance specifically. While information security is a component of AI governance (AI systems process data that must be protected), ISO 42001 addresses dimensions that ISO 27001 does not: fairness and non-discrimination in AI outputs, transparency and explainability of AI decisions, societal and environmental impacts of AI systems, AI-specific data quality requirements for training and validation data, and human oversight of automated decision-making. An organization certified to ISO 27001 has addressed information security risks for its AI systems but has not addressed the AI-specific governance requirements that ISO 42001 introduces.
  • ISO 27001 scope is information security; ISO 42001 scope is AI governance
  • ISO 42001 adds fairness, transparency, societal impact, and human oversight dimensions
  • Information security is a component of AI governance but does not fully address it
  • ISO 27001 certification alone does not satisfy AI-specific governance requirements
  • Both standards use risk-based approaches but assess different categories of risk

Shared Harmonized Structure

Both ISO 27001 and ISO 42001 follow the ISO Harmonized Structure (formerly Annex SL), meaning their core management system clauses are nearly identical. Clauses 4 through 10 cover the same management system elements: context of the organization, leadership, planning, support, operation, performance evaluation, and improvement. This shared structure means organizations can operate a single integrated management system that satisfies both standards simultaneously. Processes for document control, internal audit, management review, competence management, corrective action, and continual improvement can be shared. The primary differences appear in the risk assessment approach (AI-specific risks versus information security risks), the Annex A controls (93 information security controls in ISO 27001 versus AI-specific controls in ISO 42001), and certain operational requirements unique to AI lifecycle management. Organizations pursuing both certifications should plan an Integrated Management System from the outset to avoid duplication.
  • Both standards follow the Harmonized Structure with nearly identical Clauses 4-10
  • Document control, internal audit, management review, and corrective action can be shared
  • Differences appear in risk assessment scope, Annex A controls, and operational requirements
  • An Integrated Management System avoids duplication and reduces audit burden
  • Organizations can pursue certification to both standards through a single integrated audit

Control Framework Differences

ISO 27001 Annex A contains 93 controls organized into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). These controls address information security risks such as access control, cryptography, physical security, and operations security. ISO 42001 Annex A contains controls organized around AI-specific functional areas including AI policy and governance, organizational roles for AI, resources and competence specific to AI, AI impact assessment, AI system lifecycle management, data for AI systems, information for interested parties (transparency), use and monitoring of AI systems, and third-party relationships involving AI. There is some overlap: both standards address risk assessment, access control, and incident management. However, the AI-specific controls in ISO 42001 (particularly those around impact assessment, bias testing, data quality, transparency, and human oversight) have no equivalent in ISO 27001. Organizations need both control sets to address the full spectrum of risks from AI systems.
  • ISO 27001 has 93 controls across Organizational, People, Physical, and Technological themes
  • ISO 42001 controls cover AI governance, impact assessment, lifecycle, data quality, and transparency
  • Some overlap exists in risk assessment, access control, and incident management
  • AI-specific controls around bias, fairness, and human oversight have no ISO 27001 equivalent
  • Both control sets are needed to fully address AI system risks

Certification and Audit Considerations

Organizations can pursue ISO 42001 certification independently or as part of an integrated audit with ISO 27001. Integrated audits are typically more efficient, as auditors can assess shared management system processes once rather than separately. Most accredited certification bodies that offer ISO 27001 audits are building competency for ISO 42001, though the pool of qualified auditors is still growing given the standard was only published in December 2023. When planning certification, organizations should consider auditor competency (AI governance requires auditors who understand AI systems, not just information security), scope definition (the AIMS scope may differ from the ISMS scope if AI activities span different boundaries), and evidence requirements (AI-specific evidence includes impact assessments, bias testing results, data quality metrics, and transparency documentation). Organizations should also budget for the additional audit time required for AI-specific controls, though this is offset by efficiency gains from shared management system assessment.
  • Integrated audits with ISO 27001 are more efficient than separate certifications
  • ISO 42001 auditor pool is still growing; verify certification body competency
  • AIMS scope may differ from ISMS scope depending on AI activity boundaries
  • AI-specific evidence includes impact assessments, bias testing, and data quality metrics
  • Additional audit time for AI controls is offset by shared management system efficiencies

Practical Roadmap for Integration

For organizations with existing ISO 27001 certification, the recommended integration path begins with a gap analysis mapping current ISMS processes and controls against ISO 42001 requirements. Typically, 40-60% of management system requirements are already satisfied. Next, extend the risk assessment methodology to include AI-specific risk categories (fairness, transparency, societal impact) alongside information security risks. Develop AI-specific documentation including an AI policy, impact assessment procedures, and AI system lifecycle procedures. Implement Annex A controls specific to AI that are not covered by existing ISO 27001 controls. Conduct an integrated internal audit covering both ISMS and AIMS requirements. Perform management review that addresses both information security and AI governance performance. Finally, engage a certification body for an integrated Stage 1 and Stage 2 audit. The timeline from gap analysis to certification typically ranges from 4 to 6 months for organizations with mature ISO 27001 implementations.
  • Start with a gap analysis mapping existing ISMS against ISO 42001 requirements
  • Extend risk assessment methodology to include AI-specific risk categories
  • Develop AI-specific documentation including AI policy and impact assessment procedures
  • Conduct integrated internal audits covering both ISMS and AIMS requirements
  • Timeline from gap analysis to certification is typically 4-6 months with existing ISO 27001

Key Takeaways

  • ISO 42001 and ISO 27001 share the Harmonized Structure, enabling efficient integration
  • ISO 42001 addresses AI-specific risks (fairness, transparency, societal impact) that ISO 27001 does not cover
  • Organizations with ISO 27001 typically find 40-60% of ISO 42001 requirements already met
  • Integrated audits are more efficient and reduce overall certification costs
  • Both standards are needed to address the full spectrum of AI system risks

Frequently Asked Questions

Can I get ISO 42001 and ISO 27001 certified at the same time?

Yes. Many certification bodies offer integrated audits that assess both management systems simultaneously. This is more efficient and cost-effective than separate audits. You will need to meet all requirements of both standards, but shared management system processes only need to be assessed once.

Does ISO 27001 certification satisfy ISO 42001 requirements?

No. ISO 27001 certification satisfies many of the management system requirements shared through the Harmonized Structure, but it does not address AI-specific requirements including impact assessments, AI lifecycle management, bias and fairness controls, transparency, and human oversight. A separate ISO 42001 certification or integrated audit is required.

Which certification should I pursue first?

If you have neither certification, ISO 27001 is typically the better starting point because it addresses foundational information security requirements that also benefit AI governance. Once ISO 27001 is established, adding ISO 42001 is a more focused effort. If you already have ISO 27001, you can move directly to ISO 42001 integration.

How much additional effort is ISO 42001 on top of ISO 27001?

For organizations with mature ISO 27001 implementations, ISO 42001 adds approximately 40-60% additional effort focused on AI-specific areas. The management system processes are largely reusable, so the effort concentrates on AI impact assessments, AI lifecycle procedures, data quality controls, transparency mechanisms, and AI-specific Annex A controls.

Do I need separate teams for ISO 27001 and ISO 42001?

Not necessarily. An integrated management system approach allows a single governance team to manage both standards. However, ISO 42001 requires competence in AI-specific areas (machine learning, data science, AI ethics) that may not exist in a traditional information security team. Consider augmenting your team with AI expertise or training existing team members.

Will my ISO 27001 auditor also audit ISO 42001?

Possibly, but ISO 42001 requires auditor competence in AI governance, which not all ISO 27001 auditors possess. Check with your certification body about auditor qualifications for ISO 42001. As the standard matures, more auditors will develop the necessary competence, but early adopters may need to work with specialized audit teams.
