ISO/IEC 42001 vs ISO/IEC 27001
- Same High-Level Structure — Clauses 4 through 10 map across almost directly.
- 27001's ISMS supplies the management-system spine 42001 needs; most of it carries over.
- Genuinely new in 42001: AI-specific risk, AI system impact assessment, data governance, lifecycle controls.
- 27001-certified organisations typically certify to 42001 materially faster than starting cold.
- The two are separate certificates — one does not substitute for the other.
- General information, not legal advice. Current as of July 2026.
What carries over
The shared High-Level Structure means the management-system architecture is common. If your ISO 27001 programme already has a working policy suite, a documented risk method, defined roles, competence and training records, an internal audit programme, a management review cycle and a corrective-action process, all of that infrastructure serves ISO 42001 too. You are extending the scope of an existing management system, not building a second one alongside it.
What is genuinely new
The Annex A controls in ISO 42001 introduce concerns that ISO 27001 does not fully address:
- AI-specific risk — risks that arise from AI behaviour (drift, bias, hallucination, misuse) rather than confidentiality, integrity and availability alone.
- AI system impact assessment — a structured assessment of the impact an AI system has on individuals, groups and society, distinct from a DPIA.
- Data governance for AI — provenance, quality, representativeness and lifecycle of data used to train, validate and operate AI systems.
- Human oversight — controls that ensure a person can meaningfully intervene in or override AI decisions where consequences warrant it.
- AI system lifecycle — controls that treat the model itself as an artefact under change control, from design through decommissioning.
Why 27001 holders certify faster
Because the management-system spine already operates. Most of the audit day-count in a from-scratch certification goes on establishing the spine, not on the AI-specific work. If the spine is already sound and audited annually, the incremental work is the AI-specific controls, the AI system register and the impact-assessment discipline — a substantially smaller programme than starting cold.
Should we do 27001 first?
Only if information security is the more urgent commercial pressure. If the pressure is AI governance — enterprise buyers asking for it, EU market access, supervisory expectation — do ISO 42001 first. It is not necessary to hold ISO 27001 to certify to ISO 42001; the standards are peers, not a sequence.
One integrated management system
Where an organisation holds both, the right pattern is one integrated management system with a single policy suite, single risk register, single internal audit programme and single management review, scoped to cover both standards. Two parallel programmes create twice the paperwork and half the discipline.
Key terms
- ISMS
- Information Security Management System — the management system ISO 27001 specifies.
- AIMS
- AI Management System — the management system ISO 42001 specifies.
- Integrated management system
- One management system operated to satisfy multiple ISO standards simultaneously.