ISO 27001 vs ISO 42001: Do You Need Both? A Lead Auditor’s Honest Answer
- Apr 23

ISO 27001 vs ISO 42001 is a comparison I am asked about constantly. Usually by companies that already hold ISO 27001 or are partway through implementation, and have started using AI in their products or operations. The question is always the same: do we need another standard?
As someone who holds Lead Auditor certification for both ISO 27001 and ISO 42001, and who implements both for clients, my answer is nuanced but honest. They are not competing standards. They are complementary. Whether you need both depends on how material AI is to your business.
What Each Standard Actually Covers
ISO 27001 is the international standard for Information Security Management Systems. Its purpose is to protect the confidentiality, integrity, and availability of information. It covers access management, encryption, incident response, supplier security, business continuity, and everything else that falls under the umbrella of keeping information safe.
ISO 42001 is the international standard for AI Management Systems. Its purpose is to govern how AI systems are developed, deployed, used, and retired responsibly. It covers AI risk assessment, bias and fairness, transparency and explainability, human oversight, data governance for AI, and the full lifecycle of AI systems.
ISO 27001 asks the question: is your information secure? ISO 42001 asks the question: are your AI systems behaving responsibly? Both are important questions, but they address fundamentally different risk domains.
The Shared Structure: Annex SL
Both standards follow the same Annex SL high-level structure. This means they share identical clause numbers for context of the organisation, leadership, planning, support, operation, performance evaluation, and improvement. If you have built an ISO 27001 management system, you have already done roughly 60% of the structural work needed for ISO 42001.
Your risk assessment process, your internal audit programme, your management review cycle, your competence and training framework, and your documentation structure all transfer directly. What changes is the content within those structures. ISO 42001 requires AI-specific risk categories, AI-specific controls, and AI-specific policies that sit alongside, not in place of, your information security framework.
This shared structure is precisely why integration works so well. It is also why organisations that already hold ISO 27001 can achieve ISO 42001 compliance significantly faster, typically 30 to 40 percent faster, than those starting from scratch.
A Simple Decision Framework: When You Need Both
Here is the honest assessment. You almost certainly need ISO 27001 if you handle sensitive data, serve enterprise customers, or operate in a regulated sector. It is the established baseline for information security governance.
You need ISO 42001 in addition to ISO 27001 if AI is a material part of your product or service, meaning your product uses AI to make decisions, generate outputs, or process data in ways that affect customers. You also need it if your AI systems make consequential decisions, such as credit scoring, hiring recommendations, medical analysis, or fraud detection. You need it if your enterprise customers are asking AI governance questions in procurement. You need it if you are selling AI-powered products into the EU and need to demonstrate alignment with the EU AI Act. And you need it if your board or investors want assurance that AI risk is being managed systematically.
You probably do not need ISO 42001 right now if your use of AI is limited to internal productivity tools like using ChatGPT for drafting emails, if AI is not a differentiating part of your product, or if none of your customers or regulators are asking about AI governance.
This will change. The direction of travel is clear: AI governance expectations are increasing, and what is optional today may become expected or mandatory within the next two to three years.
The Practical Path If You Need Both
If you already hold ISO 27001, the most efficient approach is to integrate ISO 42001 into your existing management system. This avoids duplication, reduces audit costs, and creates a unified governance framework.
If you hold neither standard and AI is central to your business, you have two options. You can implement ISO 27001 first and add ISO 42001 afterwards. This is the conventional sequence and works well if you have immediate commercial pressure for ISO 27001. Alternatively, you can implement both standards simultaneously as an integrated management system from the outset. This is more efficient if you have the bandwidth, but it is a larger initial project.
I offer all three approaches through my service tiers. The Gold tier specifically includes ISO 42001 integration alongside ISO 27001, full internal audit across both standards, management review facilitation, and post-certification support.
If you are weighing up whether you need one or both standards, book a free 20-minute scoping call. I will give you an honest assessment based on your business, your customers, and your risk profile, and we can map out the most efficient path forward.
To discuss, book a free 20-minute scoping call.
Sampson ISO Audit & Consult Ltd