ISO 42001 vs ISO 27001
ISO/IEC 42001:2023 (the AI Management System standard) and ISO/IEC 27001:2022 (the Information Security Management System standard) are the two ISO/IEC management-system standards most often paired in AI-mature organisations. They are complementary, not competing: ISO 42001 is designed to integrate with the existing ISO/IEC information-security management family via the shared Annex SL management-system shell.
This page compares the two and shows how to integrate them in practice.
Quick decision
- Have an ISO 27001 program already, building AI systems → add ISO 42001 on top. The two share Clauses 4–10, so most of the management-system work is reusable.
- AI is core to your business and the dominant risk is AI-specific → ISO 42001 as the primary AIMS. Don't substitute ISO 27001 for AI governance work that 42001 is scoped to address.
- Information security is the bigger risk than AI-specific issues → ISO 27001 first as the ISMS shell; layer ISO 42001 once 27001 is in place.
- Building a multi-standard integrated management system (ISO 27001 + ISO/IEC 27701:2025 + ISO/IEC 42001) → all share the same Clauses 4–10 management-system structure; treat them as one integrated MS with three Annex A control sets in scope.
TL;DR
- ISO/IEC 27001:2022 is an Information Security Management System (ISMS) standard. ISO/IEC 27001 is in its third edition, published in October 2022, with Amendment 1 published in 2024 (ISO/IEC 27001:2022/Amd 1:2024). It scopes the management of information-security risks to information assets.
- ISO/IEC 42001:2023 is an AI Management System (AIMS) standard published on 18 December 2023 — the first AI-specific ISO management-system standard. It scopes the governance of AI systems across their lifecycle.
- Both are certifiable: ISO does not certify organisations; certification is carried out by independent certification bodies, which may be accredited by national accreditation bodies (e.g., ANAB, UKAS). Accreditation availability varies by market.
- The two are not equivalent and not substitutes. ISO 27001 protects information assets; ISO 42001 governs AI systems. The standards explicitly integrate via the shared Annex SL Clauses 4–10 structure.
- Consequence: mature programs typically operate both as an integrated management system, with one shared management-system shell and two distinct Annex A control sets in scope.
Side-by-side comparison
| Dimension | ISO/IEC 27001:2022 | ISO/IEC 42001:2023 |
|---|---|---|
| Publisher | ISO/IEC (joint) | ISO/IEC (joint) |
| Year | October 2022 (third edition) | 18 December 2023 |
| Type | Management system standard (ISMS) | Management system standard (AIMS) |
| Object | Information assets | AI systems and AI lifecycle |
| Legal status | Voluntary; certifiable | Voluntary; certifiable |
| Structure | Clauses 4–10 (Annex SL) + Annex A reference controls | Clauses 4–10 (Annex SL) + Annex A reference controls |
| Annex A control themes | Four control themes introduced in the 2022 third edition (organisational, people, physical, technological) | AI-system-specific control themes covering AI policy, AI risk and impact assessment, AI lifecycle, data, third-party AI, and information for interested parties (referenced from public ISO summary; full title-by-title list paywalled) |
| Risk approach | Information-security risk assessment + risk treatment | AI risk assessment + AI system impact assessment + risk treatment |
| Certification path | Accredited certification body, third-party audit | Accredited certification body, third-party audit |
| Accreditation availability | Mature globally (years of ANAB / UKAS / national bodies) | Newer — programmes opened 2024 (ANAB), first UKAS accreditation January 2026 |
| Integrates with | ISO/IEC 27701 (privacy), ISO/IEC 22301 (continuity), and other ISO management-system standards via Annex SL | Integrates with the broader ISO/IEC information-security management family (notably ISO/IEC 27001) and ISO/IEC 23894 (AI risk guidance) via the shared management-system shell |
| Best for | information-security assurance, vendor trust, customer / regulator signal | AI governance assurance, AI vendor trust, multi-AI-system portfolio oversight |
How ISO 42001 and ISO 27001 map onto each other
Both standards share the Annex SL high-level structure for Clauses 4–10. The shared clauses cover the same management-system functions even when the underlying risk objects differ:
| Management-system area | ISO/IEC 27001:2022 home | ISO/IEC 42001:2023 home | What's shared |
|---|---|---|---|
| Context + leadership | Clauses 4–5 | Clauses 4–5 | scope, interested parties, top-management commitment, policy |
| Planning | Clause 6 (information-security risk assessment + risk treatment) | Clause 6 (AI risk assessment + AI system impact assessment + risk treatment) | risk-and-opportunity planning, risk treatment, change planning |
| Support | Clause 7 (resources, competence, awareness, communication, documented information) | Clause 7 (same) | competence, awareness, communication, documentation |
| Operation | Clause 8 (operational planning + control; ISMS-specific operation) | Clause 8 (operational planning + control; AIMS-specific operation) | operational control of the management system |
| Performance evaluation | Clause 9 (monitoring, measurement, analysis, evaluation; internal audit; management review) | Clause 9 (same) | monitoring, internal audit, management review |
| Improvement | Clause 10 (nonconformity, corrective action, continual improvement) | Clause 10 (same) | continual improvement loop |
The Annex A control sets overlap on shared themes — supplier / third-party risk, change management, incident management, monitoring, access — but each standard has its own list. ISO 27001's Annex A is organised around information-security themes; ISO 42001's around AI-system governance themes. Treat them as two distinct control sets that share an integration surface, not as one combined list.
When to choose which
Choose ISO 27001 first when you need…
- to certify an Information Security Management System for information-asset protection, especially in regulated sectors (financial services, healthcare, public sector)
- a foundation for ISO/IEC 27701 (privacy information management) or ISO/IEC 22301 (business continuity)
- an audit signal to customers, insurers, or regulators that references ISO 27001 specifically
Choose ISO 42001 first when you need…
- to certify an AI Management System for an AI-centric business or a multi-AI-system portfolio
- alignment with emerging AI governance expectations from customers, regulators, or partners
- a structured wrapper for AI risk and AI system impact assessment work
Do both when you…
- operate an AI-mature program in a regulated sector — the two standards together give both information-security assurance and AI governance assurance
- want one integrated management system with shared Clauses 4–10 audit anchor and distinct Annex A control sets per standard
- need to satisfy enterprise customers asking for both AIMS and ISMS certifications
Where they overlap
ISO 42001 and ISO 27001 share most of the management-system structure (Clauses 4–10) and several Annex A control themes:
- Risk-based planning. Both expect a risk assessment in Clause 6 and risk treatment with a documented control selection. ISO 42001 adds an AI system impact assessment to the planning work.
- Documented information. Both require Clause 7.5 documented information. The same documentation infrastructure (version control, retention, retrievability) serves both standards.
- Internal audit + management review. Both expect a Clause 9 internal audit and management review. An integrated audit program can cover both standards in one cycle, with separate scope checklists per Annex A control set.
- Continual improvement. Both expect the Clause 10 nonconformity / corrective-action loop. The same corrective-action process serves both.
- Annex A thematic overlap. Supplier / third-party risk, change management, incident management, access control, and monitoring themes appear in both Annex A sets — though each standard scopes them to its object. An organisation operating both can satisfy several Annex A obligations from a single control implementation.
Where they do not overlap:
- ISO 27001 does not address AI-specific governance — AI risk classification, AI system impact assessment, AI lifecycle controls.
- ISO 42001 is not an information-security standard — it relies on a separate ISMS (typically ISO 27001) for information-asset protection of the AI system's data and infrastructure.
What this looks like in Modulos
Framework mapping (diagram): four layers, one reusable spine.
- Frameworks: EU AI Act; ISO 42001
- Requirements: Art. 9.1 Risk management; Art. 10.2 Data governance; 6.1.1 Risk assessment
- Components: Risk identification; Impact analysis
- Evidence: Risk register; Test results
- Controls (the reusable spine): Risk assessment process; Data validation checks. One control satisfies many requirements across many frameworks, and groups the components and evidence beneath them.
An edge from any layer card crosses into the Controls spine: the same control may serve a regulatory article, a standards clause, a downstream component, and the evidence that closes it.
Modulos is designed around cross-framework mapping: you implement a control once and it satisfies requirements from both ISO 27001 and ISO 42001 where they overlap.
A typical setup for an integrated AIMS + ISMS:
- Organization project — operates the shared management-system shell (Clauses 4–10): context, leadership, support, performance evaluation, improvement. Both standards run off this shell.
- AI system projects — apply ISO 42001 Annex A controls per AI system, with AI risk and AI system impact assessment work captured per project.
- Information-system scope — apply ISO 27001 Annex A controls to the information-asset boundary, including the data and infrastructure that the AI systems depend on.
- Runtime Inspection — evaluations that feed both ISO 42001 AI system performance evidence and ISO 27001 information-security monitoring.
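The mapping model described above (one control satisfying requirements across frameworks, with evidence hanging beneath it) and the integrated AIMS + ISMS setup can be sketched as a small coverage calculator. The following is an added example written for this page; it is not Modulos code and does not reproduce any standard's text. Framework names and the references shown on the page (Art. 9.1, Art. 10.2, ISO 42001 6.1.1, Clause 6, Clause 7.5) are used as labels; the data classes, function names, control names and the "implemented" statuses are illustrative assumptions.

```python
"""Cross-framework control spine: compute coverage, gaps and evidence findings.

Added example for this page (not Modulos code). The data model and the
sample requirements/controls below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """One requirement card: a clause of a standard or an article of a regulation."""
    framework: str  # e.g. "ISO/IEC 27001:2022"
    ref: str        # clause / article reference as written on the page
    title: str


@dataclass
class Control:
    """One card on the reusable Controls spine."""
    name: str
    satisfies: frozenset   # Requirement objects this control maps to
    evidence: tuple = ()   # artefacts that close the control (e.g. "Risk register")
    implemented: bool = False


# Constructed sample requirements (refs taken from the page where it gives them).
R_AIACT_9_1 = Requirement("EU AI Act", "Art. 9.1", "Risk management")
R_AIACT_10_2 = Requirement("EU AI Act", "Art. 10.2", "Data governance")
R_42001_6_1_1 = Requirement("ISO/IEC 42001:2023", "6.1.1", "Risk assessment")
R_42001_IMPACT = Requirement("ISO/IEC 42001:2023", "Clause 6", "AI system impact assessment")
R_42001_7_5 = Requirement("ISO/IEC 42001:2023", "7.5", "Documented information")
R_27001_RISK = Requirement("ISO/IEC 27001:2022", "Clause 6", "Information-security risk assessment")
R_27001_7_5 = Requirement("ISO/IEC 27001:2022", "7.5", "Documented information")

REQUIREMENTS = [R_AIACT_9_1, R_AIACT_10_2, R_42001_6_1_1, R_42001_IMPACT,
                R_42001_7_5, R_27001_RISK, R_27001_7_5]

# Constructed sample controls: one implementation, several requirements each.
CONTROLS = [
    Control("Risk assessment process",
            frozenset({R_AIACT_9_1, R_42001_6_1_1, R_27001_RISK}),
            evidence=("Risk register",), implemented=True),
    Control("Data validation checks",
            frozenset({R_AIACT_10_2}),
            evidence=("Test results",), implemented=True),
    # Implemented but no evidence attached: an auditor would flag this.
    Control("Document control procedure",
            frozenset({R_27001_7_5, R_42001_7_5}),
            evidence=(), implemented=True),
]


def satisfied(controls):
    """All requirements that at least one implemented control maps to."""
    return {r for c in controls if c.implemented for r in c.satisfies}


def gaps(controls, requirements):
    """Requirements with no implemented control behind them."""
    done = satisfied(controls)
    return [r for r in requirements if r not in done]


def coverage_by_framework(controls, requirements):
    """Fraction of each framework's requirements covered by implemented controls."""
    done = satisfied(controls)
    totals, hits = {}, {}
    for r in requirements:
        totals[r.framework] = totals.get(r.framework, 0) + 1
        if r in done:
            hits[r.framework] = hits.get(r.framework, 0) + 1
    return {f: hits.get(f, 0) / n for f, n in totals.items()}


def missing_evidence(controls):
    """Controls claimed as implemented that carry no evidence artefact."""
    return [c.name for c in controls if c.implemented and not c.evidence]


def reuse_factor(controls):
    """How many requirements each control serves: the 'spine' effect."""
    return {c.name: len(c.satisfies) for c in controls}


if __name__ == "__main__":
    for fw, frac in coverage_by_framework(CONTROLS, REQUIREMENTS).items():
        print(f"{fw}: {frac:.0%} of requirements covered")
    for r in gaps(CONTROLS, REQUIREMENTS):
        print(f"GAP: {r.framework} {r.ref} {r.title}")
    for name in missing_evidence(CONTROLS):
        print(f"NO EVIDENCE: {name}")
```

Run as a script it reports the AI system impact assessment as the one uncovered requirement (ISO 27001 has nothing to offer there, which matches the "where they do not overlap" point above) and flags the document-control procedure as implemented without evidence. The reuse factor makes the spine visible: the single risk-assessment process serves the EU AI Act article, the ISO 42001 clause and the ISO 27001 clause at once.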
For broader cross-framework operations, see Operationalizing NIST AI RMF in Modulos (the same cross-framework engine applies).
Related pages
- ISO/IEC 42001 guide: AI Management System, clauses 4–10, Annex A, certification
- ISO/IEC 27001 guide: Information Security Management System, clauses 4–10, Annex A controls
- ISO 42001 vs NIST AI RMF: the other ISO 42001 pairing, certification vs operating-model lens
- NIST AI RMF vs EU AI Act: voluntary US framework vs binding EU regulation
- AI governance frameworks comparison: side-by-side across EU AI Act, ISO 42001, NIST AI RMF, OWASP, GDPR, NIS2, DORA
Disclaimer
This page is for general informational purposes and does not constitute legal advice. References to ISO/IEC 42001:2023 and ISO/IEC 27001:2022 reflect publicly available metadata at the time of writing; the standard texts themselves are paywalled and not quoted here. Consult the official ISO sources and qualified legal counsel for binding interpretation in your jurisdiction.