
ISO 42001 and the EU AI Act: What UK Tech Companies Need to Know in 2026

  • Apr 21
  • 4 min read


The EU AI Act is no longer forthcoming legislation. It is law, and its enforcement phases are rolling out through 2026 and 2027. For UK tech companies that develop AI products or sell AI-powered services into the European Union, this creates immediate governance obligations that did not exist two years ago.


ISO 42001, the international standard for AI management systems, provides a structured framework that aligns with many of these obligations. There is approximately 40 to 50 percent overlap in high-level requirements between the two frameworks, covering risk management, data governance, transparency, and ethical oversight. Understanding where ISO 42001 helps with EU AI Act compliance, and crucially where it does not, is essential for any UK company planning its AI governance strategy.


The EU AI Act Enforcement Timeline

The EU AI Act came into force in August 2024 and is being implemented in phases. In February 2025, the prohibitions on unacceptable risk AI practices took effect, including social scoring, certain biometric categorisation, and untargeted facial recognition. By August 2025, AI literacy and training requirements became mandatory. Through 2026, transparency obligations for general-purpose AI models and limited risk systems are being enforced. By August 2027, the full high-risk AI system requirements come into effect, covering AI deployed in healthcare, critical infrastructure, law enforcement, education, and human resource management.


This timeline matters for UK companies because the EU AI Act applies extraterritorially. If your AI system is placed on the EU market, if its outputs affect individuals within the EU, or if you provide AI services to EU-based customers, you are within scope regardless of where your company is headquartered. For UK tech companies with European customers, this is not optional compliance.


Where ISO 42001 Supports EU AI Act Compliance

ISO 42001 provides a governance foundation that maps to several core EU AI Act requirements. The standard’s risk management framework under Clause 6.1 supports the AI Act’s requirement for risk management systems for high-risk AI. Its AI system impact assessment process supports the conformity assessment requirements. The data governance controls address the AI Act’s data quality and bias requirements under Article 10. Transparency and communication requirements under Clause 7.4 support the Act’s transparency obligations. And the human oversight controls align with the AI Act’s requirements for human supervision of high-risk systems.


For UK companies approaching EU AI Act compliance, ISO 42001 provides a structured starting point. The work you do for ISO 42001 certification directly accelerates your compliance with the Act, and vice versa. This means you are not running two parallel compliance programmes. You are building one governance framework that serves both purposes.


Where ISO 42001 Does Not Cover the EU AI Act

It is important to be honest about the limitations. ISO 42001 is a voluntary management system standard. The EU AI Act is binding legislation with penalties of up to 35 million euros or 7% of global turnover for the most serious violations.


Several EU AI Act requirements are not addressed by ISO 42001. The Act requires a signed EU Declaration of Conformity and CE marking for high-risk AI systems. ISO 42001 does not cover this. The Act includes specific reporting obligations to European authorities and requirements for cooperation with national regulators. ISO 42001 does not address these. The Act prohibits certain AI practices outright, such as social scoring and certain forms of emotion recognition. ISO 42001 does not include these prohibitions.


Additionally, the European Commission has requested harmonised standards from CEN and CENELEC that will provide more specific compliance guidance. These emerging European standards, including prEN 18286, may eventually provide a more direct pathway to demonstrating conformity with the AI Act than ISO 42001 alone.


The practical takeaway is that ISO 42001 should be treated as a governance foundation, not as a complete compliance solution for the EU AI Act. Legal compliance advice for the specific requirements of the Act should come from qualified legal counsel.


What UK Tech Companies Should Do Now

If your company develops, deploys, or sells AI-powered products and services to EU customers, there are concrete steps you should be taking now.


Start by mapping your AI systems:

  • Identify every AI system your organisation develops, deploys, or uses.
  • Classify each system against the EU AI Act risk categories to understand which obligations apply.
  • Conduct an AI risk assessment using the ISO 42001 framework to identify governance gaps. This serves double duty: it prepares you for ISO 42001 certification and identifies where EU AI Act compliance work is needed.
  • Implement AI governance documentation, including an AI policy, system inventory, data governance procedures, and human oversight protocols.
  • Begin building the evidence trail that both ISO 42001 auditors and regulators will expect to see.
  • If you already hold ISO 27001, explore integration with ISO 42001 to create a unified governance framework that covers information security and AI management together.


I work with UK tech companies and universities to implement ISO 42001, both as a standalone framework and integrated with existing ISO 27001 management systems. If you need clarity on what AI governance looks like for your organisation, book a free 20-minute scoping call to discuss your situation.

Sampson ISO Audit & Consult Ltd
