The ISO 27001 Gap Analysis: What It Covers, What It Costs, and Why You Need One Before Committing

  • May 14
  • 4 min read


An ISO 27001 gap analysis is the essential first step before committing to certification. It tells you where you stand today, what needs to change, how much work is involved, and whether your timeline and budget are realistic. Without it, you are estimating blind.


I include a gap analysis in every ISO 27001 engagement because it protects both sides. It gives you clarity on what you are committing to, and it gives me the information I need to scope the project accurately and deliver on time. Too many organisations jump straight into implementation without understanding their starting point, and that is where projects go over budget and over time.


What an ISO 27001 Gap Analysis Covers


A thorough gap analysis assesses your current security posture against every requirement of ISO 27001:2022. This is not a quick checklist exercise. It is a structured assessment that covers the management system requirements in Clauses 4 through 10 and the control objectives in Annex A.

On the management system side, the analysis works through the mandatory clauses in turn and examines:

  • Clause 4 (context): whether you have defined the context of your organisation, identified interested parties and their requirements, and set a defensible ISMS scope.
  • Clause 5 (leadership): whether top management has demonstrated commitment to information security, approved a policy, and assigned roles and responsibilities.
  • Clause 6 (planning): whether you have a functioning risk assessment and treatment process, and whether you have established security objectives and plans to achieve them.
  • Clause 7 (support): whether you have the necessary resources, competence, and awareness programmes, and whether documented information is controlled.
  • Clause 8 (operation): whether your operational processes are defined and controlled, and whether risk assessment and treatment are actually carried out at planned intervals.
  • Clause 9 (performance evaluation): whether you monitor, measure, and evaluate ISMS performance through internal audits and management reviews.
  • Clause 10 (improvement): whether you have mechanisms for handling nonconformities, taking corrective action, and driving continual improvement.


On the Annex A side, the analysis reviews each of the 93 controls across the four themes (37 organisational, 8 people, 14 physical, and 34 technological) to determine which are relevant to your scope, which are already implemented, which are partially implemented, and which are missing entirely. Those applicability decisions, and the justification for each, are what later populate your Statement of Applicability.

The output is a clear picture of your maturity level against the standard, with a prioritised list of gaps that need to be closed before you can pass a certification audit.


Human-Led vs Automated Platform Assessment

There are two approaches to gap analysis, and they produce very different results.

Automated compliance platforms offer questionnaire-based assessments where you answer a series of questions about your security practices and the platform generates a gap report. These are useful for a quick, high-level view, but they have significant limitations. They cannot assess the quality of your documentation, only its existence. They cannot evaluate whether your risk assessment methodology is appropriate for your specific context. They cannot interview your team to understand how processes actually work versus how they are documented. And they cannot apply professional judgement to determine whether a control is operating effectively.


A human-led gap analysis, conducted by a qualified auditor, provides depth that automated tools cannot match. I review your actual documentation, interview key personnel, examine evidence of control operation, and assess your risk methodology against the standard. I can identify not just what is missing, but what is present but inadequate, what is technically compliant but commercially impractical, and what your auditor is most likely to challenge.


For organisations that are serious about achieving certification efficiently, the human-led approach pays for itself in reduced rework, fewer surprises during the audit, and a more realistic project plan.


What an ISO 27001 Gap Analysis Costs in the UK


For a small to mid-sized UK organisation, a professional gap analysis typically costs between £2,000 and £6,000 depending on the size and complexity of the scope, the number of locations and systems involved, and the depth of assessment required.


This is a fraction of the total certification cost, and it is the single most valuable investment you can make at the start of the process. A good gap analysis saves money downstream by preventing you from over-investing in areas that are already compliant and focusing your resources on the gaps that matter most.


The output should include a maturity assessment against each clause and control, a prioritised action plan with clear owners and timelines, a realistic estimate of the effort required to achieve certification readiness, a starter risk register identifying your most significant information security risks, and a set of 90-day quick wins that demonstrate immediate progress.


Why You Need a Gap Analysis Before Committing


I have seen organisations commit to ISO 27001 certification on the basis of a rough estimate, only to discover halfway through that their starting point was much further from compliance than they assumed. This leads to budget overruns, missed deadlines, and frustration.


A gap analysis removes most of this uncertainty. It gives you the data to make an informed decision about whether to proceed, how to budget, and what timeline is realistic. It also gives you early deliverables, including a core policy suite, starter risk register, and quick wins, that demonstrate progress to stakeholders while the larger project is being planned.


My Bronze tier engagement is built around this principle. It includes scoping workshops, a professional gap analysis, a certification roadmap, 90-day quick wins, a core policy suite, and a starter risk register. It is designed to give you everything you need to understand the journey ahead and make a confident decision about proceeding to full implementation.


If you are considering ISO 27001 and want to start with a clear-eyed assessment of where you stand, book a free 20-minute scoping call. I will give you an honest view of what is involved and whether I am the right fit for your organisation.

Sampson ISO Audit & Consult Ltd
