Last reviewed: May 2026

ISO 42001 vs ISO 27001: What's the Same, What's Different

What each standard is for

ISO/IEC 27001:2022 is the information security management system standard. Its objective is to protect the confidentiality, integrity and availability of information. ISO/IEC 42001:2023 is the artificial intelligence management system standard. Its objective is the responsible development and use of AI — covering fairness, transparency, safety, security, privacy, accountability and societal impact.

What carries over from ISO 27001

Both standards use the ISO Harmonized Structure for the management system clauses, which means the wording of clauses 4-10 is intentionally aligned. Specifically:

  • Clause 4 (Context) — issues, interested parties, scope: structurally identical.
  • Clause 5 (Leadership) — policy, roles, responsibilities: same shape.
  • Clause 6 (Planning) — risk and opportunity actions, objectives, change planning: same shape with an AI-specific risk lens.
  • Clause 7 (Support) — resources, competence, awareness, communication, documented information: directly reusable.
  • Clause 9 (Performance evaluation) — monitoring, internal audit, management review: same shape.
  • Clause 10 (Improvement) — nonconformity and corrective action, continual improvement: same shape.

Auditors recognise this overlap and accept a single set of clause-level evidence (procedures, audit reports, management review minutes) covering both standards, provided AI and information security are addressed distinctly.

What is new in ISO 42001

  • AI system impact assessment (clause 8.4 and Annex A.5) — a dedicated process for assessing impacts on individuals, groups and society. ISO 27001 has no equivalent.
  • AI lifecycle management (Annex A.6) — design, development, verification, validation, deployment, monitoring and retirement specific to AI systems.
  • Data for AI systems (Annex A.7) — provenance, quality, preparation tailored to training, validation and operational data.
  • Use of AI systems (Annex A.9) — intended use, responsible use, human oversight.
  • Third-party AI relationships (Annex A.10) — supplier due diligence specifically for AI providers and integrators.

Side-by-side comparison

  Dimension           | ISO 27001                                   | ISO 42001
  --------------------|---------------------------------------------|------------------------------------------------------
  Object              | Information assets                          | AI systems
  Primary risks       | Confidentiality, integrity, availability    | Fairness, safety, transparency, societal impact + CIA
  Annex A controls    | 93 controls in 4 themes                     | 39 controls in 9 categories
  Risk methodology    | Information security risk assessment        | AI risk assessment + AI system impact assessment
  Maturity            | Established, well-known                     | Published Dec 2023, accreditation maturing
  Regulatory linkage  | GDPR Art. 32 evidence; SOC 2 mapping        | EU AI Act risk mgmt & documentation

Running both as one integrated programme

The most efficient model is a single integrated management system with shared clause-level documents and two Statements of Applicability — one for ISO 27001 Annex A, one for ISO 42001 Annex A. Practical guidelines:

  • One AI & security policy framework with distinct AI and security policies underneath.
  • One risk register tagged by domain (information security, AI) with a unified scoring scheme.
  • One internal audit programme rotating coverage across both standards.
  • One management review with a dedicated AI agenda item.
  • Aligned surveillance audit cycle with the same certification body.

How an integrated audit saves money

Same certification body, same surveillance cycle, overlapping evidence sampling — combined audits typically save 20-30% on auditor-days versus two parallel programmes. The savings are largest in surveillance years two and three. See the detailed numbers in our ISO 42001 cost breakdown.

When NOT to run them together

  • If ISO 27001 sits with the security function while ISO 42001 needs to live in product or AI governance, forcing them into one programme creates ownership friction.
  • If certification scopes differ materially (e.g. ISO 27001 across the whole company, ISO 42001 only for the ML platform), keep them separate.
  • If the ISO 27001 management system is itself immature, fix it first — bolting ISO 42001 on top compounds the problem.

Adding the EU AI Act on top

ISO 42001 evidence covers a meaningful share of EU AI Act high-risk system obligations, particularly Article 9 risk management, Article 10 data governance, Article 11 technical documentation, Article 17 quality management and Article 72 post-market monitoring. ISO 27001 supports Article 15 cybersecurity. Treating the three together — ISMS, AIMS, AI Act — avoids duplicating evidence three times.
