Confir Blog

ISO/IEC 42001 vs ISO/IEC 27001: Which Standard Does Your AI Programme Need?

Guide · 23 May 2026 · 14 min read · 2,730 words

ISO 42001 governs AI management; ISO 27001 covers information security. Both share the ISO Harmonised Structure — here is when to pursue each or both.

ISO/IEC 42001:2023 and ISO/IEC 27001:2022 share an architectural DNA — the ISO Harmonised Structure (clauses 4–10, built on Plan-Do-Check-Act) — and they can be audited together by the same certification body in a single cycle. But they answer different questions, govern different risks, and satisfy different obligations under the EU AI Act. Conflating them is one of the more common mistakes compliance teams make when scoping an AI governance programme.


What Each Standard Actually Does

ISO/IEC 27001 defines requirements for an Information Security Management System (ISMS). Its central question is: how does the organisation protect the confidentiality, integrity, and availability of information? The 2022 revision restructured Annex A from 114 to 93 controls across four themes — organisational, people, physical, and technological. It is sector-agnostic, applies to any organisation that processes information, and has over 70,000 certified organisations worldwide. It is the dominant information-security certification globally.

ISO/IEC 42001:2023 defines requirements for an Artificial Intelligence Management System (AIMS). Its question is different: how does the organisation ensure AI systems are developed, deployed, and managed responsibly — with appropriate accountability, transparency, and impact management? Annex A contains 38 controls covering nine areas (A.2–A.10), ranging from AI policies and the AI system life cycle through to third-party and responsible-use obligations. It is the first international standard specifically designed for AI governance.

The overlap is genuine. AI systems process information, and information security is one dimension of responsible AI. But the two standards are not interchangeable: ISO 27001 does not cover algorithmic bias, model drift, explainability, or fundamental rights impact. ISO 42001 does not substitute for systematic security governance over information assets.


The Shared Backbone: ISO Harmonised Structure

Both standards follow the same clause architecture:

Clause | Title
4 | Context of the organisation
5 | Leadership
6 | Planning
7 | Support
8 | Operation (domain-specific content differs sharply)
9 | Performance evaluation
10 | Improvement

This shared backbone is why the two certifications integrate cleanly. Policy frameworks, document control systems, internal audit programmes, management review cadences, and corrective action processes from ISO 27001 extend directly to ISO 42001. The governance infrastructure already exists; the domain-specific content is added on top.

The substantive divergence happens in Clauses 6 and 8.


Where They Diverge: Clause 6 and Clause 8

ISO 27001 — Clauses 6 and 8 in practice

Clause 6 requires an information security risk assessment: identifying assets, threats, vulnerabilities, and risk owners. The treatment plan specifies which Annex A controls apply. The Statement of Applicability (SoA) documents which controls are included, which are excluded, and why.

Clause 8 implements the treatment plan. For AI systems within scope, this means applying controls like A.8.25 (Secure development lifecycle), A.8.24 (Use of cryptography — protecting model weights and inference outputs), A.8.16 (Monitoring activities — logging inference requests), and A.5.23 (Information security for cloud services — relevant when consuming GPAI model APIs).

What ISO 27001 does not address for AI: algorithmic bias and discriminatory outputs; training data representativeness; model drift; explainability to affected individuals; fundamental rights impacts; AI lifecycle obligations — model development, testing, validation, retirement; the transparency and human oversight requirements of the EU AI Act.

An ISO 27001-certified organisation has addressed the information security risks of its AI systems. It has not demonstrated any of the AI governance capabilities the Act requires.

ISO 42001 — Clauses 6 and 8 in practice

Clause 6 requires an AI-specific risk and impact assessment — broader than ISO 27001's. It must include societal and ethical dimensions, not only technical security dimensions.

Clause 8 is where ISO 42001's distinctive content sits:

Clause 8.2 (AI System Impact Assessment): Before deploying an AI system, conduct a structured assessment covering purpose, affected parties, potential negative impacts, and mitigations. This maps closely onto the EU AI Act's Fundamental Rights Impact Assessment obligation under Article 27, though ISO 42001's scope is wider — it covers all in-scope AI systems, not only the public-body and specific deployer cases Article 27 targets.

Clause 8.3 (AI System Lifecycle): Requirements covering design, data management, testing, deployment, monitoring, and decommissioning. Training data must be relevant, representative, and free from bias that would undermine the system's purpose. Performance must be monitored post-deployment against defined thresholds.

Clause 8.4 (Documentation): Technical and operational documentation covering design decisions, training methodology, performance evaluation results, and deployment configuration. This maps substantially onto the EU AI Act's Annex IV technical documentation requirements under Article 11.

Clause 8.6 (Third-Party AI Systems): Evaluating and monitoring AI systems procured externally — due diligence, documentation requests, ongoing oversight. This maps onto deployer obligations under Article 26.


Side-by-Side: Where They Overlap, Where They Diverge

Dimension | ISO 27001 | ISO 42001
Core focus | Confidentiality, integrity, availability | AI-specific governance, responsible use
Primary risk scope | Threats to information assets | Bias, unfairness, misuse, societal harm
Impact assessment | Not required (risk is security-focused) | Required — must include individual and societal impacts (Cl. 8.2)
Data governance | Security controls (access, encryption) | Training data quality, representativeness, bias prevention
Human oversight | Not addressed | Required — oversight mechanisms, explainability, escalation paths
Third-party AI | Supplier security (A.5.19–A.5.22) | Clause 8.6 third-party AI system requirements
EU AI Act alignment | Partial: Article 15 cybersecurity | Substantial: Articles 9, 10, 11, 14, 17
FRIA equivalent | None | Clause 8.2 impact assessment (broader scope)
Certification maturity | Very mature — 70,000+ organisations | New (2023), growing; auditor availability expanding
Annex A structure | Mandatory controls (if risks require); 93 controls | Optional guidance controls; 38 controls in Annex A
3-year audit cycle | Yes + annual surveillance | Yes + annual surveillance

One important structural difference: ISO 27001's Annex A controls are mandatory where risk treatment requires them. ISO 42001's Annex A and Annex B are implementation guidance — they inform how to satisfy the standard's requirements, but they are not independently mandated.


How ISO 42001 Aligns with the EU AI Act

The EU AI Act is binding law. ISO 42001 is a voluntary management system standard. Neither can substitute for the other, but they connect in specific, documented ways.

The Act's standardisation pathway (Article 40) allows the European Commission to mandate harmonised standards that create a presumption of conformity with specific AI Act requirements. ISO 42001 has been referenced by the EU AI Office as a standard that may support demonstration of compliance with particular Articles — specifically:

  • Article 9 (risk management system): ISO 42001 Clauses 6.1 and 8.2 provide a recognised methodology for the continuous risk assessment the Act requires.
  • Article 10 (data governance): ISO 42001 Clause 8.3 data requirements structure the training-data quality and governance obligations.
  • Article 11 (technical documentation): ISO 42001 Clause 8.4 documentation requirements align closely with Annex IV content areas.
  • Article 17 (quality management system): For high-risk AI providers, Article 17 requires a QMS as a condition of compliance. ISO 42001 certification directly satisfies this requirement — the standard is itself a management system.
  • Article 14 (human oversight): ISO 42001's requirements for oversight mechanisms and explainability map onto Article 14's human oversight provisions.

Where ISO 42001 does not reach the Act's requirements: CE marking under Article 48; registration in the EU AI Act Database under Article 49; the conformity assessment procedures under Article 43 (which have their own Annex VI internal and Annex VII notified-body routes); and the binding role and legal responsibility assignments for providers (Article 16) and deployers (Article 26).

ISO 42001 certification is strong evidence of governance maturity and positions an organisation substantially ahead of competitors starting from scratch. It is not a compliance certificate under the Act.

One important caution: ISO 42001 does not make you EU AI Act compliant on its own, and neither does ISO 27001. The Act is binding law; its conformity assessment procedure under Article 43 is the mechanism that enables CE marking and market access for high-risk AI systems. For stand-alone high-risk AI systems (the Annex III list), that deadline is 2 December 2027 under the Digital Omnibus agreed in May 2026.


When to Pursue Each — and When to Pursue Both

ISO 27001 alone makes sense when an organisation uses AI in limited ways — standard SaaS tools, no Annex III use cases, no AI systems deployed under the organisation's own name. The primary assurance requirement is information security, not AI governance.

ISO 42001 alone is uncommon. Information security is a prerequisite for responsible AI, and organisations implementing ISO 42001 typically already have or are working toward ISO 27001.

Both certifications are the right answer when:

  1. The organisation is a high-risk AI provider. Article 17's QMS requirement is most efficiently satisfied by ISO 42001. Article 15's cybersecurity requirement is most efficiently satisfied by ISO 27001. Together, they cover the full technical and governance requirements of the high-risk provider regime.

  2. Enterprise customers require both. B2B AI vendors increasingly receive procurement requirements for ISO 27001 as the baseline security assurance and ISO 42001 as AI-specific governance evidence. A joint certification programme answers both from a single audit cycle.

  3. ISO 27001 is already in place. The Harmonised Structure means the governance infrastructure — leadership commitment, policy framework, internal audit programme, management review, corrective action process — already exists. Adding ISO 42001 requires AI-specific content (impact assessment, lifecycle documentation, AI performance monitoring) but does not require rebuilding the management system. The marginal implementation cost is substantially lower.

For a technology company with 50–500 employees and 5–20 AI systems: ISO 27001 from scratch typically runs 9–18 months and €30,000–€100,000 in internal effort, consulting, tooling, and certification fees. ISO 42001 from scratch is comparable. Adding ISO 42001 to an existing ISO 27001 programme takes 4–9 months — the governance infrastructure reuse reduces implementation effort by 40–60%. Certification bodies frequently offer 20–30% reductions on joint audits compared to two sequential engagements.


Certification Process: What to Expect

Both standards follow the same management-system certification sequence: gap assessment → scope definition → risk/impact assessment → control/documentation implementation → ISMS/AIMS operated for a sufficient period to generate audit evidence (typically 3–6 months) → Stage 1 documentation review → Stage 2 operational effectiveness audit → certification awarded → annual surveillance audits + 3-year recertification cycle.

The domain-specific differences in the ISO 42001 process:

  • Scope definition must specify which AI systems are in scope. This can be all AI systems the organisation develops or deploys, or a defined subset — certification bodies will want clarity on what is in and out.
  • Risk and impact assessment must cover societal and ethical dimensions, not only technical security risk. Stakeholder mapping — who is affected by each AI system, and how — is required.
  • Lifecycle documentation must be produced for each in-scope AI system: design decisions, training data documentation, testing results, deployment configuration, monitoring thresholds.
  • Auditor availability is expanding but less consistent than for ISO 27001. Verify that your target certification body has trained ISO 42001 auditors before starting.

How Confir Helps

Confir cross-maps your AI system assessments to ISO 42001 Annex A controls alongside the EU AI Act — using deterministic, rule-based logic that produces the same finding every time from the same inputs. When you complete an assessment in Confir, the output explicitly references which Annex A areas the evidence addresses (for example, a completed Article 9 risk management assessment maps to ISO 42001 Clause 6.1 and A.6.1; an Annex IV technical documentation pack maps to ISO 42001 Clause 8.4 and A.6.2). This means your AI Act compliance work generates documentation that simultaneously supports ISO 42001 certification evidence — rather than running two parallel programmes.

Confir does not replace an accredited ISO 42001 certification body, issue conformity certificates, or conduct Stage 1/Stage 2 audits. It produces the documented evidence a certification body will want to review.


Frequently Asked Questions

Does ISO 42001 certification prove EU AI Act compliance?

No. ISO 42001 certification demonstrates that the organisation operates a conforming AI Management System against the standard. EU AI Act compliance requires additional elements: CE marking under Article 48; registration in the EU database under Article 49; conformity assessment under Article 43 using the Annex VI internal-control or Annex VII notified-body route; and adherence to the binding role obligations in Articles 16 (provider) and 26 (deployer). ISO 42001 certification is strong evidence of governance maturity — particularly for Article 17's QMS requirement — but it is not a compliance certificate under the Act.

Can ISO 27001 Annex A controls substitute for Article 15 cybersecurity requirements?

Largely yes, with explicit mapping. ISO 27001's Annex A technology cluster (A.8.1–A.8.34) addresses most of the cybersecurity dimensions Article 15 requires for high-risk AI systems. An ISO 27001-certified organisation can reference ISMS controls as evidence for Article 15 cybersecurity compliance — but must explicitly map which controls address which Article 15 sub-requirements in its Annex IV technical documentation. A generic ISO 27001 certificate without that mapping will not satisfy an auditor or notified body.

Is ISO 42001 required to sell AI products in the EU?

No. ISO 42001 is voluntary. The EU AI Act's mandatory requirements are set by the regulation itself, not by ISO 42001. However, if the European Commission adopts ISO 42001 or specific parts of it as a harmonised standard under Article 40, organisations with prior certification would benefit from a presumption of conformity with corresponding AI Act requirements — without needing to re-demonstrate compliance from scratch. That presumption is the certification's long-term strategic value.

How long does adding ISO 42001 to an existing ISO 27001 programme take?

Typically 4–9 months, compared to 9–18 months from scratch. The ISO Harmonised Structure means existing governance infrastructure — policies, internal audit programme, management reviews, corrective action process — carries over directly. The new work is domain-specific: AI impact assessments, lifecycle documentation for each in-scope AI system, AI-specific performance monitoring, and training for staff on AI governance requirements. Organisations that have already done this work for EU AI Act preparation often find ISO 42001 certification straightforward.

Where do the two standards overlap most directly?

Three areas: risk management (ISO 27001 Clause 6 / ISO 42001 Clauses 6.1 and 8.2), documentation requirements (ISO 27001 Annex A controls on asset management and secure development / ISO 42001 Clause 8.4), and monitoring (ISO 27001 A.8.16 monitoring / ISO 42001 Clause 8.3 post-deployment performance monitoring). In each overlap area, the two standards complement rather than duplicate: ISO 27001 asks whether the system is secure; ISO 42001 asks whether it behaves reliably, fairly, and within the bounds of its intended purpose.

Does ISO 42001 replace the need for a GDPR DPIA when deploying AI systems?

No. A GDPR Data Protection Impact Assessment (DPIA) under GDPR Article 35 is a distinct obligation triggered when processing is likely to result in high risk to natural persons' rights and freedoms — it is DPO-led and GDPR-governed. An EU AI Act Fundamental Rights Impact Assessment under Article 27 is a separate obligation for specific deployers (public bodies and deployers of creditworthiness or life/health insurance systems from Annex III). ISO 42001's Clause 8.2 impact assessment can inform both, but it substitutes for neither. Article 27(4) does allow a FRIA to build on an existing DPIA to avoid duplicating effort — use that provision when both are required.

Is the 2 December 2027 deadline relevant to ISO 42001 decisions?

Yes, as a planning anchor. Under the Digital Omnibus agreed in May 2026, stand-alone high-risk AI systems under Annex III must comply with the full EU AI Act high-risk regime from 2 December 2027. ISO 42001 implementation takes 4–18 months depending on starting point. Companies that begin a joint ISO 27001 / ISO 42001 implementation in mid-2026 can realistically achieve certification by mid-2027 — leaving months to complete the remaining Act-specific steps (conformity assessment under Article 43, technical documentation finalisation, registration under Article 49) before the deadline.

