If your organisation already holds ISO/IEC 27001 certification, you have a significant head start on ISO/IEC 42001. Both standards use the ISO Annex SL (now called Harmonised Structure) framework—the same high-level structure with identical clause numbering from 4 through 10, identical core requirements for context, leadership, planning, support, operation, performance evaluation, and improvement, and compatible risk management methodology. This shared architecture means much of your existing ISMS infrastructure can be extended rather than rebuilt for your AIMS.

However, "head start" is not the same as "done." ISO/IEC 42001 introduces genuinely new requirements that have no equivalent in ISO 27001, reflecting the distinct nature of AI system risks compared to information security risks. This guide identifies exactly what transfers, what is new, and how to structure an integrated programme.

What the Shared Annex SL Structure Means

The Harmonised Structure (HS) used by both standards means the following elements have an identical logical structure, even if the specific content differs:

  • Clause 4 (Context): Both require documented analysis of the organisational context, interested parties, and defined scope. Your 27001 context analysis methodology applies directly to 42001—you extend it to include AI-specific interested parties (users of AI systems, populations affected by AI decisions) and AI-specific external factors (AI regulation, sector-specific AI guidance).
  • Clause 5 (Leadership): Both require top management commitment, a documented policy, and assigned roles and responsibilities. Your existing 27001 leadership structure can host the AIMS, though a distinct AI policy is required (the ISMS policy is not sufficient on its own).
  • Clause 6 (Planning): Both use a risk assessment process to drive planning and objectives. The risk assessment methodology from 27001 (identifying risks, assessing likelihood and impact, selecting controls) transfers directly. The subject matter of the risk assessment is different (AI system risks vs information security risks), but the methodology is the same.
  • Clause 7 (Support): Document control, competence, awareness, and communication requirements are structurally identical. Your existing document control system, training records process, and awareness programme can be extended to cover AIMS documents and AI-specific training.
  • Clause 9 (Performance Evaluation): Internal audit and management review requirements are identical in structure. Your existing internal audit programme and management review cadence can incorporate AIMS elements rather than running a completely separate process.
  • Clause 10 (Improvement): The nonconformity and corrective action process is identical in structure. Your existing NCR process and continual improvement methodology apply directly.

What Carries Over from ISO 27001

The following 27001 assets can be directly reused or lightly adapted for 42001:

  • Document control system: hosts all 42001 documented information. Adaptation needed: add an AIMS document category; update retention schedules.
  • Risk assessment methodology: the 42001 risk assessment uses the same likelihood/impact approach. Adaptation needed: add AI-specific risk categories (bias, drift, explainability, etc.).
  • Internal audit programme: extend its scope to include the 42001 clauses. Adaptation needed: train internal auditors on 42001; update audit checklists.
  • Management review agenda: add AIMS agenda items to the existing review cadence. Adaptation needed: add AIMS objectives, AI incidents, and AI risk status.
  • NCR and corrective action process: the same process applies to AIMS nonconformities. Adaptation needed: add AI system incidents as a nonconformity trigger.
  • Supplier management process: extend it to cover AI-specific supplier risk (third-party AI systems). Adaptation needed: add an AI vendor questionnaire; update the supplier risk register.

What Is Genuinely New in ISO/IEC 42001

These are the requirements in 42001 that have no direct equivalent in ISO 27001 and must be built from scratch:

1. AI System Impact Assessment (Annex A.6 / Clause 6.1)

ISO 27001 has no equivalent of an impact assessment focused on harms to individuals from AI system outputs. The 42001 impact assessment is structurally similar to a GDPR DPIA but broader in scope: it covers harms to individuals whether or not personal data is involved, including harms from discriminatory outputs, manipulation, loss of human oversight, and economic or reputational harm. This is a new artefact that must be created for each in-scope AI system.

2. AI Policy (Clause 4.4)

A distinct AI policy covering the organisation's principles for responsible AI development and deployment, its approach to AI risk, and its commitments to affected parties. The ISMS policy cannot substitute for this; it covers a different subject matter. Most organisations write a 2–4 page AI policy that addresses: scope of AI use, risk appetite for AI, commitments to transparency and human oversight, and approach to bias and fairness.

3. Data Provenance and Quality Controls for AI (Annex A.7)

ISO 27001 Annex A includes data classification and handling controls, but these address confidentiality and integrity rather than the fitness-for-purpose of training data. ISO/IEC 42001 requires documented controls for: the provenance of training, validation, and test datasets; data quality assessment; representativeness analysis; and bias detection in training data. These are ML engineering concerns that typically sit outside the ISMS scope entirely.

4. Human Oversight of AI Systems (Annex A.9)

ISO 27001 addresses access control and separation of duties, but not the specific requirement that AI system outputs be subject to meaningful human review and override mechanisms. ISO/IEC 42001 requires documented human oversight controls for AI systems: who reviews outputs, how they are trained to do so, what the override mechanism is, and how oversight effectiveness is monitored.

5. AI System Transparency Documentation (Annex A.8)

ISO 27001 includes some transparency obligations (privacy notices, incident disclosure) but nothing equivalent to the AI-specific transparency documentation required in 42001: documentation for users and affected parties about how AI systems work, their limitations, and their accuracy characteristics. For organisations also subject to the EU AI Act, the Article 13 instructions for use can serve as this artefact.

6. Bias and Fairness Testing (Annex A.10)

There is no equivalent in ISO 27001. ISO/IEC 42001 requires structured testing of AI systems for bias and fairness, with documented results. The specific tests required depend on the system's use case and the populations affected, but they must be planned, executed, and recorded.
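As an added illustration (not part of this guide), the following Python script runs one simple bias test of the kind Annex A.10 expects evidence for, a disparate impact comparison of per-group selection rates, over constructed decisions, and returns a record that can be filed as the documented result. The 0.8 acceptance threshold (the "four-fifths rule") and the system identifier are assumptions to be set from your own AI policy and impact assessment.

```python
# Added example, not the guide's own material: a documented bias test of the
# kind ISO/IEC 42001 Annex A.10 asks for. It computes per-group selection
# rates and the disparate impact ratio for a binary decision on constructed
# data, and returns a record for the AIMS evidence file. The 0.8 threshold is
# an assumed acceptance criterion ("four-fifths rule"); set it from your own
# AI policy and impact assessment.
from collections import Counter
from datetime import datetime, timezone
import json

# Constructed sample: (protected-attribute group, model decision, 1 = approved)
SAMPLE_DECISIONS = [
    ("A", 1), ("A", 1), ("A", 0), ("A", 1), ("A", 1),
    ("B", 0), ("B", 1), ("B", 0), ("B", 0), ("B", 1),
]

def selection_rates(decisions):
    """Fraction of positive decisions per group."""
    totals, positives = Counter(), Counter()
    for group, decision in decisions:
        totals[group] += 1
        positives[group] += decision
    return {g: positives[g] / totals[g] for g in totals}

def disparate_impact(rates):
    """Ratio of lowest to highest group selection rate (1.0 = parity).
    If no group receives any positive decision, the groups are treated as at
    parity rather than dividing by zero."""
    highest = max(rates.values())
    return 1.0 if highest == 0 else min(rates.values()) / highest

def fairness_test_record(system_id, decisions, threshold=0.8):
    """Run the test and return a documented result for the AIMS evidence file."""
    rates = selection_rates(decisions)
    ratio = disparate_impact(rates)
    return {
        "ai_system": system_id,            # assumed identifier
        "test": "disparate impact (selection rate ratio)",
        "run_at": datetime.now(timezone.utc).isoformat(),
        "sample_size": len(decisions),
        "selection_rates": rates,
        "disparate_impact_ratio": round(ratio, 3),
        "acceptance_threshold": threshold,
        "result": "PASS" if ratio >= threshold else "FAIL",
    }

if __name__ == "__main__":
    record = fairness_test_record("example-credit-model", SAMPLE_DECISIONS)
    print(json.dumps(record, indent=2))
```

On the constructed sample group A is approved 80% of the time and group B 40%, so the ratio is 0.5 and the record is a FAIL, which is exactly the outcome the documented result must capture and feed into the corrective action process.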

Integration Options

There are two main structural approaches to running ISO 27001 and ISO/IEC 42001 together:

Option 1: Integrated ISMS + AIMS

A single management system that satisfies both standards. Common elements (document control, risk methodology, internal audit, management review, corrective action) are shared. Standard-specific elements (ISMS scope and controls for 27001; AI policy, impact assessments, and AI-specific controls for 42001) are maintained within the unified system.

Advantages: Less duplication; single internal audit programme; single management review; simpler documentation structure. Most organisations with an existing mature 27001 programme choose this approach.

Disadvantages: Requires careful scoping to ensure both standards are demonstrably satisfied; auditors for each standard must be satisfied that the shared elements genuinely meet their standard's requirements.

Option 2: Separate Systems with Shared Infrastructure

Distinct ISMS and AIMS, each with their own policy, scope, and control sets, but using shared document control, internal audit, and management review infrastructure. The two systems reference each other where relevant (e.g., the AIMS references the ISMS for information security controls applicable to AI system data).

Advantages: Cleaner separation; easier to demonstrate each standard is independently satisfied; works well when the ISMS and AIMS have significantly different scopes (e.g., different organisational units in scope).

Disadvantages: More administrative overhead; potential for duplication; two separate certification audits.

Your Gap if You Have ISO 27001

If your organisation holds current ISO 27001 certification, the gap to ISO/IEC 42001 is primarily in the AI-specific new requirements. Here is a prioritised gap list:

  1. High priority — must create from scratch: AI policy, AI system impact assessments for all in-scope systems, data provenance and bias analysis documentation for training datasets, human oversight design documentation, AI-specific bias and fairness test results.
  2. Medium priority — extend existing artefacts: Context analysis (add AI-specific factors), interested parties register (add AI-specific parties), risk assessment (add AI risk categories), supplier management (add AI vendor questionnaire), internal audit checklist (add 42001 clauses).
  3. Lower priority — minimal change: Document control, management review, corrective action process, competence records framework, awareness programme structure.

Timeline Comparison

For an organisation starting from scratch, ISO 27001 typically takes 6–12 months from gap assessment to certification. ISO/IEC 42001 from scratch takes a similar 6–12 months.

For an organisation with a mature ISO 27001 programme, the additional time to achieve ISO/IEC 42001 certification is typically 4–8 months, depending on the number of in-scope AI systems and the maturity of existing AI engineering practices. The most time-consuming elements are usually: writing the AI policy (relatively fast), completing impact assessments for all in-scope AI systems (time scales with number of systems), and producing data provenance and bias testing documentation for training datasets (requires ML engineering time, not just policy writing).