Skip to content

ISO/IEC 27001 — integration with AI governance

ISO 27001 provides the security backbone. AI governance frameworks add system-specific governance — AI risk, AI impact, lifecycle controls, transparency, post-market monitoring. The shared Annex SL backbone means that the management-system processes (document control, internal audit, management review, corrective action) work the same way across ISO 27001, ISO 42001 and ISO 27701.

Quick decision

  • You already run ISO 27001 and need ISO 42001 → add OFF-10 to the existing organisation project; reuse the Clauses 4–10 processes; stand up the AI-specific additions (5.2 AI policy, 6.1.2/3/4 AI risk + impact, Annex A AI lifecycle controls).
  • You already run ISO 27001 and need EU AI Act conformity → add OFF-1 (EU AI Act — org) + MFF-1 (EU AI Act — app) to your project structure. Reuse ISO 27001 Annex A controls that map to EU AI Act Articles 12, 15(5), 25, 73.
  • You are building an Integrated Management System → add OFF-9 (27001) + OFF-10 (42001) + OFF-12 (27701) to one organisation project. Share Clauses 4–10 processes; keep standard-specific risk and control work explicit.
  • You want to know which controls reuse → see the mapping table below.

TL;DR

  • Shared Annex SL backbone — Clauses 4–10 work the same way across ISO 27001, ISO 42001 and ISO 27701.
  • ISO 27001 = security backbone. Annex A theme 8 (Technological) and theme 5 (Organizational) carry most of the AI-relevant content.
  • ISO 42001 = AI management system. Layers AI risk, impact and lifecycle controls on top of the shared backbone.
  • EU AI Act = binding regulation. ISO 42001 is one of the most efficient ways to produce the documented evidence regulators expect for high-risk AI.
  • Control reuse is the practical win. Implement a control once; link it to multiple requirements across frameworks.

Primary source

Integration is based on the shared Annex SL harmonized structure used by ISO/IEC 27001:2022, ISO/IEC 42001:2023, ISO/IEC 27701:2025, ISO 9001 and other ISO management-system standards. © ISO.

The shared backbone

The Annex SL Clauses 4–10 are identical in structure across the three standards:

ClauseCommon processWhat stays standard-specific
4 ContextScope statement, interested parties, MS descriptionThe scope is per-MS; 27001 = ISMS, 42001 = AIMS, 27701 = PIMS
5 LeadershipPolicy structure, roles, governance cadence27001 = info-sec policy; 42001 = AI policy; 27701 = privacy policy
6 PlanningRisk method, treatment, objectives, change planningRisk content: info-sec (27001), AI risk + impact (42001), privacy risk (27701)
7 SupportResources, competence, awareness, communication, documented informationSpecific competences (e.g., AI ethics for 42001; DPO for 27701)
8 OperationOperational planning + execution of controlsAnnex A content differs per standard
9 Performance evaluationMonitoring, internal audit, management reviewMetric content per standard; audit scope is the IMS as a whole
10 ImprovementNonconformity, corrective action, continual improvementSame

In Modulos these shared clauses are more than a structural parallel: the org-level Clause 4–10 controls are one shared set, written to read correctly under whichever management system applies — information security, privacy or AI. Implement a shared control once and it satisfies ISO 27001, ISO 42001 and ISO 27701; every ISO requirement panel names its exact clause reference and links to the matching requirement in the sibling standards ("Harmonized with"), so the reuse is explicit rather than implied.

Where one standard imposes work the others do not, that obligation is modelled as its own control mapped only to that standard, so it never appears in another framework's checklist. For example, climate-change relevance (Clause 4.1, added by the 2024 amendment) and communication methods (Clause 7.4) are shared by all three; information-security policy establishment (Clause 5.2) and the monitoring/measurement assignee determination (Clause 9.1) are ISO 27001-only; risk-owner identification (Clause 6.1.2) is shared by ISO 27001 and ISO 27701; and AI-policy alignment and AIMS documentation are ISO 42001-only.

Annex A control reuse

ISO 27001 Annex A controls that carry directly into AI governance work:

ISO 27001 control areaAnnex A referenceReuses across
Information classificationA.5.12–A.5.14ISO 27701 PIMS (data classification for personal data); GDPR Article 5
Supplier relationshipsA.5.19–A.5.22EU AI Act Article 25 value chain; ISO 42001 Annex A.10 third-party and customer relationships
Incident managementA.5.24–A.5.28EU AI Act Article 73 serious-incident reporting; GDPR Article 33 personal-data breach
Threat intelligence (new in 2022)A.5.7NIS2 Article 21(2); generic AI threat-modelling
Information security for cloud services use (new)A.5.23EU AI Act Article 25 cloud-AI value chain; ISO 42001 Annex A.10
Privacy and protection of PIIA.5.34ISO 27701 PIMS; GDPR
Awareness and trainingA.6.3EU AI Act Article 4 AI literacy; ISO 42001 Clause 7.3 awareness
Configuration management (new)A.8.9ISO 42001 Annex A.6 AI system lifecycle
Information deletion (new)A.8.10GDPR Article 17 right to erasure; ISO 27701
Data masking (new)A.8.11ISO 42001 Annex A.7 data for AI systems; GDPR data minimisation
Data leakage prevention (new)A.8.12EU AI Act Article 10 data governance; ISO 42001 Annex A.7
LoggingA.8.15EU AI Act Article 12 record-keeping; Article 26(6) deployer log retention
Monitoring activities (new)A.8.16EU AI Act Article 72 post-market monitoring; ISO 42001 Clause 9.1
CryptographyA.8.24EU AI Act Article 15(5) cybersecurity for high-risk AI; NIS2 Article 21(2)(h)
Secure developmentA.8.25–A.8.28ISO 42001 Annex A.6.2 AI system development controls; EU AI Act Article 15

How to operationalise ISO 27001 + AI governance in Modulos

Modulos records ISO 27001, ISO 42001, ISO 27701 and EU AI Act work as separate framework templates that can link shared evidence across one project structure:

FrameworkModulos templateMapped scope
ISO/IEC 27001:2022OFF-9 (org) + MFF-9 (app)ISMS spine + per-AI-system information-security overlap and the 93 Annex A controls
ISO/IEC 42001:2023OFF-10 (org) + MFF-10 (app)AIMS spine + per-AI-system lifecycle controls
ISO/IEC 27701:2025OFF-12 (org) + MFF-13 (app)PIMS spine + per-AI-system privacy overlap
EU AI ActOFF-1 (org) + MFF-1 (app)Org-side obligations + per-AI-system high-risk obligations

The integration pattern:

  1. Add the relevant OFF templates to a single organisation project (or sometimes a small set of organisation projects if the management systems have genuinely different scopes).
  2. Implement controls once for shared processes — internal audit, management review, document control, corrective action, incident response.
  3. Link controls to multiple requirements across frameworks. A single incident-response runbook can satisfy ISO 27001 A.5.24, ISO 42001 A.8.4, EU AI Act Article 73 and GDPR Article 33 simultaneously.
  4. Reuse evidence. Control-level evidence attached once becomes auditable against every linked requirement.

Cross-framework mapping (preview)

ISO 27001 elementAdjacent provision
Clause 4.3 ISMS scopeISO 42001 Clause 4.3 AIMS scope; ISO 27701 Clause 4.3 PIMS scope
Clause 6.1.3 d Statement of Applicability (mandatory documented information)EU AI Act Annex IV technical documentation; ISO 42001 SoA (informative)
Annex A.5 supplier relationshipsEU AI Act Article 25 value chain; ISO 42001 Annex A.10
Annex A.5 incident managementEU AI Act Article 73; GDPR Article 33
Annex A.8 loggingEU AI Act Article 12; Article 26(6)
Annex A.8 cryptographyEU AI Act Article 15(5); NIS2 Article 21(2)(h)
Annex A.8.9 configuration managementISO 42001 Annex A.6 AI system lifecycle
Annex A.8.28 secure codingISO 42001 Annex A.6.2 development controls

Source attribution

ISO/IEC 27001:2022, ISO/IEC 42001:2023 and ISO/IEC 27701:2025. © ISO/IEC. Available via the ISO Online Browsing Platform. EU AI Act: Regulation (EU) 2024/1689, EUR-Lex.

Disclaimer

This page is for general informational purposes and does not constitute legal or certification advice.