How to Integrate ISO 27001 and ISO 42001 Into a Single Management System

If your organisation already holds ISO 27001 certification and is now developing, deploying, or using AI systems, you are in the strongest possible position to integrate ISO 42001 into your existing management system. Both standards follow the same Annex SL structure. That shared backbone means you are not building a second management system from scratch. You are extending the one you already have.
I hold Lead Auditor certification for both ISO 27001 and ISO 42001, and integration is the approach I recommend to every client that qualifies. It reduces duplication, lowers audit costs, and creates a unified governance framework that covers both information security and AI management. Industry research suggests that ISO 27001-certified organisations can achieve ISO 42001 compliance 30 to 40 percent faster than those starting from scratch.
The Shared Annex SL Structure: What Carries Across
Annex SL (now published as Annex L of the ISO/IEC Directives and referred to as the Harmonized Structure) is the common high-level structure that underpins all modern ISO management system standards. It standardises the clause numbering (Clauses 4 to 10), the core text, and the common terms and definitions. This is why ISO 27001, ISO 42001, ISO 9001, and ISO 14001 all look structurally similar.
For practical integration, this means the following elements of your existing ISO 27001 system transfer directly:
- Context of the organisation (Clause 4.1). Your analysis already identifies internal and external issues. You extend it to include AI-specific factors, such as the role your organisation plays (developer, provider, or user of AI) and the regulatory climate for AI.
- Leadership and commitment (Clause 5.1). Your framework already requires top management engagement. You broaden it to cover AI governance accountability and an AI policy alongside the information security policy.
- Risk assessment (Clause 6.1). Your process is already established. You add AI-specific risks such as bias, fairness, transparency, and model drift, and you add the AI system impact assessment that ISO 42001 requires in Clause 6.1.4.
- Competence and awareness (Clauses 7.2 and 7.3). Your requirements already ensure staff understand their security responsibilities. You extend them to include AI literacy for the roles that design, operate, or rely on AI systems.
- Internal audit (Clause 9.2). Your programme already covers the ISMS. You expand the scope to include the AI management system controls.
- Management review (Clause 9.3). Your review already covers ISMS performance. You add AI governance performance to the agenda.
This is not theoretical. It is a practical, clause-by-clause extension of what you already operate.
What ISO 42001 Adds That ISO 27001 Does Not Cover
While the management system structure is shared, ISO 42001 introduces controls and requirements that are fundamentally different from ISO 27001. Information security is about protecting the confidentiality, integrity, and availability of information. AI governance is about ensuring that AI systems behave responsibly, ethically, and transparently.
The key additions are:
- AI risk assessment and AI system impact assessment (Annex A.5), which go beyond traditional information security risk to consider bias, discrimination, lack of explainability, and the unintended consequences of automated decisions for individuals, groups, and society.
- AI lifecycle governance (Annex A.6), covering the full cycle from design and training through deployment, monitoring, and eventual retirement of AI models.
- Data governance for AI (Annex A.7), which requires specific attention to training data quality, provenance, representativeness, and bias detection.
- Transparency and explainability (Annex A.8), which means you need mechanisms to explain how AI systems reach their outputs and to inform interested parties about the system's purpose and limitations.
- Human oversight controls, which ensure that appropriate human intervention points exist, particularly for high-impact decisions.
- AI-specific supplier management (Annex A.10), which addresses the governance of third-party AI components, pre-trained models, and external data sources.
These controls sit within ISO 42001's Annex A, which contains 38 controls grouped under nine control objectives (A.2 to A.10). Your Statement of Applicability for ISO 42001, required by Clause 6.1.3, operates just as it does for ISO 27001: you consider each control, justify its inclusion or exclusion, and document your implementation.
A Practical Integration Roadmap
For organisations with a mature ISO 27001 ISMS in place, I recommend a structured integration approach that typically takes between three and six months.
The process begins with a gap analysis against ISO 42001. This maps your existing ISMS controls against the ISO 42001 requirements and identifies where you already comply and where new work is needed. This typically takes two to three weeks and produces a prioritised action plan.
Next, you extend your risk register to include AI-specific risks. This is not a separate risk assessment. It is an expansion of your existing risk assessment methodology to cover the additional risk categories that AI introduces. Your existing risk appetite framework and treatment process remain intact. One caveat: the AI system impact assessment required by Clause 6.1.4 has no ISO 27001 counterpart. It assesses consequences for individuals and society rather than for your organisation, so it needs its own procedure and records, even though its findings feed the same treatment process.
From there, you develop AI-specific policies and documentation. This includes an AI policy, AI system inventory, data governance procedures for AI, transparency and explainability guidelines, and human oversight protocols. These sit alongside your existing ISMS documentation, not in a separate filing system.
You then extend the scope of your existing internal audit programme to include the AI management system controls. Your auditors need to be competent to assess both information security and AI governance, which is where having a Lead Auditor qualified in both standards adds significant value.
Finally, management review is updated to include AI governance performance alongside ISMS performance. This creates a single, unified governance review that covers both domains.
Why Integration Beats Separate Systems
Some organisations consider running ISO 27001 and ISO 42001 as separate management systems. I advise against this for three reasons.
First, duplication creates waste. Separate context analyses, separate risk assessments, separate internal audits, and separate management reviews mean twice the documentation and twice the management overhead. Integration eliminates that duplication.
Second, auditors prefer it. When your certification body audits an integrated management system, they see a coherent governance framework. When they audit two separate systems, they spend time understanding the boundaries and often find inconsistencies between them.
Third, integrated systems actually work better. AI systems do not operate in isolation from information security. The data that trains your models needs to be protected. The outputs of your AI systems are information assets. The risks are interconnected, and the governance should be too.
If your organisation is ISO 27001 certified and AI is becoming material to your operations, integration is the most efficient and commercially sensible path to ISO 42001. I offer this as part of my Gold tier engagement, which includes full ISO 42001 integration, internal audit, management review facilitation, and post-certification support.
To discuss what integration looks like for your specific situation, book a free 20-minute scoping call.
Sampson ISO Audit & Consult Ltd