Hael
Sign inRequest a demo
ISO/IEC 42001 · Buyer intent

ISO/IEC 42001 vs ISO/IEC 27001

Updated 12 July 2026 · 6 min read
Key takeaway
ISO/IEC 42001 and ISO/IEC 27001 share ISO's High-Level Structure, so most of the management-system machinery — Clauses 4 through 10 — carries over almost intact. An organisation already certified to 27001 has the policy engine, the risk method, the internal audit function, the management review and the corrective-action loop it needs. What is genuinely new is AI-specific: the requirement to assess AI-system impact on individuals and society, data governance for training and inputs, human-oversight controls, and lifecycle controls that treat the model itself as a governed artefact. 27001 holders typically certify to 42001 substantially faster than organisations starting from scratch.
  • Same High-Level Structure — Clauses 4 through 10 map across almost directly.
  • 27001's ISMS supplies the management-system spine 42001 needs; most of it carries over.
  • Genuinely new in 42001: AI-specific risk, AI system impact assessment, data governance, lifecycle controls.
  • 27001-certified organisations typically certify to 42001 materially faster than starting cold.
  • The two are separate certificates — one does not substitute for the other.
  • General information, not legal advice. Current as of July 2026.

What carries over

The shared High-Level Structure means the management-system architecture is common. If your ISO 27001 programme already has a working policy suite, a documented risk method, defined roles, competence and training records, an internal audit programme, a management review cycle and a corrective-action process, all of that infrastructure serves ISO 42001 too. You are extending the scope of an existing management system, not building a second one alongside it.

What is genuinely new

The Annex A controls in ISO 42001 introduce concerns that ISO 27001 does not fully address:

  • AI-specific risk — risks that arise from AI behaviour (drift, bias, hallucination, misuse) rather than confidentiality, integrity and availability alone.
  • AI system impact assessment — a structured assessment of the impact an AI system has on individuals, groups and society, distinct from a DPIA.
  • Data governance for AI — provenance, quality, representativeness and lifecycle of data used to train, validate and operate AI systems.
  • Human oversight — controls that ensure a person can meaningfully intervene in or override AI decisions where consequences warrant it.
  • AI system lifecycle — controls that treat the model itself as an artefact under change control, from design through decommissioning.

Why 27001 holders certify faster

Because the management-system spine already operates. Most of the audit day-count in a from-scratch certification goes on establishing the spine, not on the AI-specific work. If the spine is already sound and audited annually, the incremental work is the AI-specific controls, the AI system register and the impact-assessment discipline — a substantially smaller programme than starting cold.

Should we do 27001 first?

Only if information security is the more urgent commercial pressure. If the pressure is AI governance — enterprise buyers asking for it, EU market access, supervisory expectation — do ISO 42001 first. It is not necessary to hold ISO 27001 to certify to ISO 42001; the standards are peers, not a sequence.

One integrated management system

Where an organisation holds both, the right pattern is one integrated management system with a single policy suite, single risk register, single internal audit programme and single management review, scoped to cover both standards. Two parallel programmes create twice the paperwork and half the discipline.

Key terms

ISMS
Information Security Management System — the management system ISO 27001 specifies.
AIMS
AI Management System — the management system ISO 42001 specifies.
Integrated management system
One management system operated to satisfy multiple ISO standards simultaneously.

References

Related guides

Keep reading on ISO/IEC 42001.

Free check

See where you stand on ISO/IEC 42001, free.

Answer a few questions and get an indicative view of what ISO/IEC 42001 expects of your AI systems and where you stand today — no sign-up to see your result.

Indicative, not legal advice.
ISO/IEC 42001 · indicative readiness
HAEL FREE TOOLLIVE
Applicability
Applies to your AI use
MAPPED
What's expected
Risk classification · governance · documentation · oversight
4 PILLARS
Where you stand
Banded result · pointed to the gaps that matter most
SOURCED
Result
On-screen, free · optional PDF
FREE
Effort
Pre-scoped to ISO/IEC 42001
~ 5 MIN
INDICATIVE · NOT LEGAL ADVICE