
ISO 42001 and ISO 27001 Integration

ISO 42001 (AI Management) and ISO 27001 (Information Security) share the same high-level structure, making integration natural and efficient. This guide explains how to align both standards and maximize synergies.

Key Takeaways

Point | Summary
Shared structure | Both use the ISO High-Level Structure (HLS); clauses 4-10 align
Control overlap | Significant overlap in organizational, people, and technological controls
Complementary focus | ISO 27001 = information security; ISO 42001 = AI-specific risks
Integration benefits | Single management system, combined audits, reduced effort
Recommended approach | Extend the existing ISMS to include AI management requirements

Quick Answer: ISO 42001 and ISO 27001 share the same clause structure (4-10), making integration straightforward. Organizations with existing ISO 27001 certification can extend their ISMS to include AI management, reducing implementation effort by 30-50% and enabling combined audits.

Why Integrate?

The Case for Integration

Benefit | Impact
Unified management system | Single framework for security and AI
Reduced documentation | Shared policies, procedures, records
Combined audits | Lower certification costs, less disruption
Consistent governance | Aligned risk management and controls
Simplified operation | One system to maintain

When to Integrate

Integrate if:

  • You have existing ISO 27001 certification
  • AI systems process information assets
  • Same teams manage security and AI
  • Seeking efficiency in compliance

Consider separate systems if:

  • Very different organizational units manage security vs. AI
  • AI scope is significantly different from ISMS scope
  • Phased implementation preferred

Structural Alignment

Shared Clause Structure

Both standards follow the ISO High-Level Structure (Annex SL):

Clause | ISO 27001 | ISO 42001 | Integration Opportunity
4 | Context | Context | Single context analysis
5 | Leadership | Leadership | Unified policy, combined roles
6 | Planning | Planning | Integrated risk assessment
7 | Support | Support | Shared resources, documentation
8 | Operation | Operation | Aligned operational controls
9 | Performance evaluation | Performance evaluation | Combined monitoring, audit
10 | Improvement | Improvement | Single improvement process

Integration by Clause

Clause 4: Context of the Organization

Element | ISO 27001 | ISO 42001 | Integrated Approach
External issues | Security regulations, threats | AI regulations, AI ethics | Combined environmental analysis
Internal issues | Security culture, capabilities | AI capabilities, AI maturity | Single internal analysis
Interested parties | Customers, regulators (security) | Customers, regulators (AI), AI subjects | Unified stakeholder register
Scope | ISMS scope | AIMS scope | Clear boundaries, potential overlap

Integration example:

"The integrated management system covers information security and AI management for [Organization Name]. The scope includes all information assets supporting business operations and all AI systems developed and deployed by the organization."

Clause 5: Leadership

Element | Integration Approach
Leadership commitment | Single executive commitment to both
Policy | Integrated policy, or separate but aligned policies
Roles | Combined ISMS/AIMS owner, or a clearly defined relationship between the two

Policy integration options:

Option | Description
Single integrated policy | One policy covering security and AI
Umbrella + sub-policies | High-level policy with security and AI specifics
Aligned separate policies | Distinct policies with cross-references

Clause 6: Planning

Element | Integration Approach
Risk assessment | Extended methodology for AI risks
Risk treatment | Combined risk treatment plan
Objectives | Security and AI objectives in a single framework

Risk assessment integration:

Integrated Risk Assessment
────────────────────────────────────────────────────

Information Security Risks (ISO 27001):
├── Confidentiality risks
├── Integrity risks
└── Availability risks

AI-Specific Risks (ISO 42001):
├── Bias and fairness risks
├── Transparency risks
├── Data quality risks
├── Human oversight risks
└── AI subject impact risks

Shared/Overlapping Risks:
├── AI system security risks
├── Training data security
├── Model integrity risks
└── AI availability risks

Clause 7: Support

Element | Integration Approach
Resources | Combined resource planning
Competence | Unified competence framework
Awareness | Joint security and AI awareness
Communication | Single communication plan
Documentation | Integrated documentation system

Documentation structure:

Integrated Documentation
────────────────────────────────────────────────────

Level 1: Integrated Management Policy
         └── Security and AI commitments

Level 2: Core Procedures
         ├── Risk assessment (security + AI)
         ├── Incident management (security + AI)
         ├── AI impact assessment
         └── Change management

Level 3: Standards
         ├── Security standards
         ├── AI development standards
         └── Data quality standards

Level 4: Records
         ├── Risk registers (security + AI)
         ├── Impact assessments
         └── Audit records

Clause 8: Operation

Element | Integration Approach
Operational planning | Combined operational procedures
Risk assessment | Integrated security and AI risk reviews
Risk treatment | Unified risk treatment implementation
AI impact assessment | Linked to security considerations

Clause 9: Performance Evaluation

Element | Integration Approach
Monitoring | Combined security and AI metrics
Internal audit | Integrated audit program
Management review | Single review covering both

Integrated audit approach:

Audit Type | Coverage
Combined audit | Security and AI in a single audit cycle
Rotating focus | Alternate deep-dives, always covering both
Risk-based | Focus driven by risk and change

Clause 10: Improvement

Element | Integration Approach
Continual improvement | Single improvement process
Nonconformity | Combined NCR process
Corrective action | Unified corrective action system

Control Mapping

Overlapping Controls

ISO 27001 | ISO 42001 | Integration
A.5.1 Policies | A.2.2 AI Policy | Extend security policy for AI
A.5.2-5.6 Organization | A.3 Internal organization | Add AI-specific roles
A.5.15-5.18 Access control | A.9 Use of AI systems | Extend for AI access
A.5.19-5.22 Supplier | A.10 Third-party | Add AI supplier requirements
A.6.3 Training | A.4.3-4.4 Competencies | Add AI competencies
A.8.25 Secure development | A.6.2 AI system life cycle | Extend for AI development
A.8.31 Environment separation | A.6.2.5 Deployment | Align for AI systems

ISO 42001-Specific Controls

These ISO 42001 controls address AI-specific concerns not covered by ISO 27001:

ISO 42001 Control | Focus | ISO 27001 Equivalent
A.5.2-5.4 Impact assessment | AI impact on individuals | None (unique to AI)
A.7 Data for AI | Training data quality, provenance | None (AI-specific)
A.8 Information to parties | AI transparency | None (AI-specific)
A.9.5 Human oversight | Human control of AI | None (AI-specific)

ISO 27001 Controls Relevant to AI

ISO 27001 Control | AI Relevance
A.8.23 Web filtering | Training data acquisition
A.8.24 Cryptography | Model protection, inference encryption
A.8.11 Data masking | Training data privacy
A.8.12 Data leakage prevention | Model output protection
A.8.10 Information deletion | Training data, model retirement

Statement of Applicability Integration

Approach Options

Option | Description | Pros | Cons
Single SoA | Combined document for both standards | Unified view | Complex
Linked SoAs | Separate documents with cross-references | Clear standard separation | More documents
Layered SoA | ISO 27001 base, ISO 42001 extension | Shows relationship | May duplicate

Example Integrated SoA Structure

Control | Standard | Applicable | Justification | Implementation
A.5.1 (27001) | ISO 27001 | Yes | Required | Full
A.2.2 (42001) | ISO 42001 | Yes | Required | Full - extends A.5.1
A.5.15 (27001) | ISO 27001 | Yes | Access control | Full
A.9.3 (42001) | ISO 42001 | Yes | AI use control | Partial - links to A.5.15
A.5.3 (42001) | ISO 42001 | Yes | AI impact assessment | Full - AI-specific
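As an added example (not from the page or from either standard), a small Python check for the layered SoA option above: the ISO 27001 rows form the base layer, the ISO 42001 rows the extension, and every "extends" / "links to" cross-reference is verified against the base so that an AI control never leans on a security control that is excluded, missing, or only partially implemented itself. The control identifiers are the ones from the sample SoA table; the row layout and the wording of the findings are assumptions.

```python
# Layered SoA consistency check (added example; row layout is an assumption).
# Base layer: ISO 27001 control id -> (applicable, justification, implementation)
SOA_27001 = {
    "A.5.1": (True, "Required", "Full"),
    "A.5.15": (True, "Access control", "Full"),
}

# Extension layer: ISO 42001 control id ->
#   (applicable, justification, implementation, linked ISO 27001 control or None)
SOA_42001 = {
    "A.2.2": (True, "Required", "Full", "A.5.1"),          # extends A.5.1
    "A.9.3": (True, "AI use control", "Partial", "A.5.15"),  # links to A.5.15
    "A.5.3": (True, "AI impact assessment", "Full", None),   # AI-specific, no equivalent
}


def validate_layered_soa(base, extension):
    """Return a list of findings; an empty list means the two layers are consistent."""
    findings = []
    for ctrl, (applicable, _justification, impl, link) in extension.items():
        if link is None:
            continue  # AI-specific control: nothing in the base layer to check against
        if link not in base:
            findings.append(f"{ctrl} links to {link}, which is not in the ISO 27001 SoA")
        elif applicable and not base[link][0]:
            findings.append(f"{ctrl} is applicable but its linked control {link} is excluded")
        elif impl == "Partial" and base[link][2] != "Full":
            # A partial AI control relies on the base control for the remainder.
            findings.append(f"{ctrl} is Partial and relies on {link}, "
                            f"but {link} is only {base[link][2]}")
    return findings


def coverage_summary(extension):
    """Count extension controls that extend a base control versus AI-specific ones."""
    linked = sum(1 for row in extension.values() if row[3] is not None)
    return {"linked": linked, "ai_specific": len(extension) - linked}


if __name__ == "__main__":
    for finding in validate_layered_soa(SOA_27001, SOA_42001) or ["layers consistent"]:
        print(finding)
    print(coverage_summary(SOA_42001))
```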

Implementation Approach

Starting Point: Existing ISO 27001

If you have ISO 27001 certification:

Phase | Activities
1. Gap analysis | Compare ISMS to ISO 42001 requirements
2. Scope extension | Determine whether the AIMS scope differs from the ISMS scope
3. Risk extension | Add AI-specific risks to the assessment
4. Control extension | Add ISO 42001 Annex A controls
5. Documentation | Extend policies and procedures for AI
6. Implementation | Implement AI-specific controls
7. Audit | Combined or sequenced certification audit

Starting Point: No Existing Certifications

If pursuing both certifications:

Approach | Description
ISO 27001 first | Establish the ISMS, then extend it for AI
Simultaneous | Implement an integrated system from the start
ISO 42001 first | AI focus first, then add security controls

Recommendation: For AI-native organizations, simultaneous implementation is most efficient. For others, ISO 27001 first provides a solid foundation.

Integration Timeline

Adding ISO 42001 to Existing ISO 27001:

Phase | Duration | Activities
Gap analysis | 2 weeks | Compare ISMS to ISO 42001
Scope/policy extension | 2 weeks | Update scope, extend policy
Risk assessment extension | 2-3 weeks | Add AI risks
Control implementation | 4-6 weeks | Implement AI-specific controls
Documentation update | 2-3 weeks | Update procedures, records
Internal audit | 1-2 weeks | Verify AI additions
Certification audit | 2-3 weeks | Combined or extension audit
Total | 15-21 weeks |

Audit Considerations

Combined Audits

Aspect | Details
Feasibility | Many certification bodies offer combined audits
Efficiency | Reduced audit days overall
Auditor competence | Must be qualified for both standards
Scheduling | Align audit cycles

Audit Options

Option | Description | Best For
Fully integrated audit | Single audit covering both | Mature integrated system
Sequential audit | Same auditor, same visit, sequential review | Newly integrated system
Separate audits | Different audits, different times | Different scopes/teams

Challenges and Solutions

Challenge 1: Different Scopes

Problem: the ISMS covers the entire organization, while the AI systems sit in one specific area

Solution:

  • Define clear scope boundaries
  • Show relationships in documentation
  • Explain scope relationship to auditors

Challenge 2: Different Risk Appetites

Problem: the organization's tolerance for information security risk differs from its tolerance for AI risk

Solution:

  • Document distinct risk criteria where needed
  • Unified risk methodology with different thresholds
  • Clear escalation for AI-specific risks

Challenge 3: Different Stakeholders

Problem: the security team manages the ISMS while the AI team manages the AI systems

Solution:

  • Clear roles and responsibilities
  • Regular coordination meetings
  • Shared governance structure

Challenge 4: Documentation Volume

Problem: two standards can mean twice the documentation

Solution:

  • Integrated documentation structure
  • Shared procedures where possible
  • Clear cross-references

Recommended Integration Pattern

Integrated Management System Structure
────────────────────────────────────────────────────

                    ┌─────────────────────────┐
                    │   Executive Sponsor     │
                    └───────────┬─────────────┘

                    ┌───────────▼─────────────┐
                    │ Integrated MS Owner     │
                    │ (ISMS + AIMS)           │
                    └───────────┬─────────────┘

          ┌─────────────────────┼─────────────────────┐
          │                     │                     │
┌─────────▼─────────┐ ┌─────────▼─────────┐ ┌─────────▼─────────┐
│ Security Team     │ │ AI Team           │ │ Common Functions  │
│ (ISMS focus)      │ │ (AIMS focus)      │ │ (Shared)          │
└───────────────────┘ └───────────────────┘ └───────────────────┘
          │                     │                     │
          └─────────────────────┴─────────────────────┘

                    ┌───────────▼─────────────┐
                    │ Integrated Processes:   │
                    │ • Risk Assessment       │
                    │ • Internal Audit        │
                    │ • Management Review     │
                    │ • Incident Management   │
                    │ • Document Control      │
                    └─────────────────────────┘
