Learn · ISO 42001 Concepts
Adding ISO 42001 to an
Existing ISO 27001 ISMS
If you hold ISO 27001, do not build a second management system. Both standards share the same clause 4–10 skeleton, so the right architecture is one integrated system carrying two certificates — you extend the machinery you have and build only what is genuinely new about AI.
The honest scope: the ISMS gives you the governance machinery, but the AI-specific artifacts — the system inventory, the impact assessments, the 38-control SoA — are real new work. Extension, not a checkbox.
Plain-English explainer · Harmonized-structure mechanics · Last reviewed July 2026
ISO/IEC 42001 and ISO/IEC 27001 are built on the same harmonized structure — identical clause numbering from context (4) through improvement (10) — which is why the correct move for an ISO 27001-certified organization is to extend the existing management system into an integrated one, not to stand up a parallel AIMS. Practitioners commonly estimate that a mature ISMS already provides half to two-thirds of the foundational machinery an AIMS needs: governance cadence, document control, competence and awareness, internal audit, management review, supplier management, and the security controls that protect the AI stack. What it does not provide is anything that answers ISO 42001's distinctive question — what could this AI system do to the people it touches? The AI system inventory, the impact assessments, the AI-specific lifecycle and data controls, and a second Statement of Applicability over the 38 AIMS controls are genuinely new artifacts. With that machinery in place, organizations typically reach certification readiness in three to six months — and can run the two certificates on one integrated audit calendar.
Reuse
What Your ISMS Already Gives You
Governance skeleton (clauses 4–10)
Both standards share the ISO harmonized structure: context, leadership, planning, support, operation, performance evaluation, improvement. Your committee cadence, roles, and escalation paths extend rather than duplicate.
Document control & competence machinery
Policy templates, version control, training records, awareness programs (clause 7) — one system serves both, with AI competence added for the people who own AI systems.
Internal audit & management review
One integrated internal-audit program and one management review can cover both standards — add AIMS agenda items and auditor competence rather than a parallel calendar.
Risk method & registers
The ISO 31000-shaped risk process you run for 27001 extends to AI risks (ISO/IEC 23894 guidance) — same scales, same treatment workflow, new risk categories.
Supplier management
Your vendor-assessment machinery extends to model vendors and AI-relevant suppliers (A.10.3) — new questions, same process and contract hooks.
Security controls that overlap
Access control, change management, logging, incident management, and BC/DR from ISO 27001 Annex A already cover much of the AI stack’s security surface.
Build
The Genuinely New AIMS Artifacts
This is the honest delta — the work an ISMS, however mature, has never done. It is also where AIMS auditors spend most of their Stage 2 time.
AI system inventory
The register of every AI system in scope — including embedded foundation models and shadow AI. No ISMS equivalent; incomplete inventories are a top AIMS finding.
AI system impact assessments
The outward-looking assessment of consequences for individuals, groups, and society (clause 6.1.4 / Annex A.5, per ISO/IEC 42005:2025). Genuinely new — an ISMS never asks this question.
AI policy & objectives
A distinct AI policy (A.2.2) aligned with — not buried inside — the information security policy, plus responsible-AI objectives.
The second SoA
A separate Statement of Applicability over the 38 AIMS controls (A.2–A.10). Cross-reference the 27001 SoA where controls overlap; justify every exclusion.
AI lifecycle & data-for-AI controls
Requirements, verification/validation, deployment, monitoring, technical documentation, event logs (A.6); data acquisition, quality, provenance, preparation (A.7) — ML-specific, not ISMS re-labels.
Transparency & oversight evidence
User-facing AI disclosure, information for affected parties (A.8), and demonstrable human oversight (A.9) — with logs that prove intervention is possible and happens.
The Integrated Path
How the Combined Program Actually Runs
- Scope first (clause 4.3, both standards): one scope statement per system is fine, but state the AIMS boundary — which AI systems, which roles you hold for each — explicitly rather than “everything the ISMS covers.”
- Extend the risk process before writing controls: add the AI risk categories and run the per-system impact assessments; let those drive the 38-control SoA the way your 27001 risk assessment drives the 93-control SoA.
- Cross-reference the two SoAs where controls genuinely overlap (access, change, logging, suppliers) — one control, two mappings, one evidence trail.
- Fold AIMS items into the existing internal-audit program and management review — same calendar, expanded checklist, AI-competent auditors.
- Certify with one body on an integrated audit: shared Stage 1/Stage 2 and surveillance visits reduce audit days versus two separate cycles. Confirm your certification body holds ISO/IEC 42006-based accreditation for AIMS before committing.
Integration — Common Questions
One system, two certificates — the mechanics.
Can ISO 42001 be integrated into an existing ISO 27001 ISMS?
Yes — that is the intended architecture. Both standards follow the ISO harmonized structure (identical clause 4–10 skeleton), so an organization with ISO 27001 extends its management system: same governance, document control, competence, internal audit, and management review, with AI-specific additions. The result is one integrated management system holding two certificates, not two parallel systems.
How much of ISO 42001 does an existing ISMS already cover?
Practitioners commonly estimate half to two-thirds of the foundational machinery: the clause 4–10 governance requirements and the overlapping security controls (access, change management, logging, incident management, supplier management). What it does not cover is the AI-specific core — the AI system inventory, impact assessments per ISO/IEC 42005, AI lifecycle and data-for-AI controls, transparency and human-oversight evidence, and the separate 38-control Statement of Applicability. Treat published percentages as planning heuristics, not guarantees; your actual delta depends on how many AI systems you run and how risky they are.
How long does ISO 42001 take if we already have ISO 27001?
Typically three to six months to certification readiness, versus longer from a standing start. The drivers are the number and risk level of AI systems in scope (each needs an impact assessment and lifecycle evidence) and how much of your AI estate is already documented. The management-system plumbing — usually the slow part of a first certification — is already running.
Do we need two Statements of Applicability?
Yes — one over ISO 27001's 93 Annex A controls and one over ISO 42001's 38. They are different control sets serving different risk questions. Where a control genuinely serves both (say, access control over the ML pipeline), implement once and cross-reference in both SoAs with one evidence trail. Every exclusion in the AIMS SoA needs a documented justification traceable to your risk and impact assessments.
Can one certification body audit both standards together?
Yes — integrated management-system audits are standard practice: shared Stage 1 and Stage 2 visits, combined surveillance, and audit-time efficiencies compared with two separate cycles. Two checks before committing: the body should hold accreditation for ISO/IEC 42001 under ISO/IEC 42006:2025 (verify on the accreditation body's directory or IAF CertSearch), and its audit team should include AI-competent auditors, which 42006 requires.
Should the AI policy live inside the information security policy?
Keep it distinct and aligned. Annex A.2.2 expects an AI policy addressing responsible development and use — fairness, transparency, human oversight, accountability — which is a different subject matter from information security, and A.2.3 explicitly requires alignment with your other policies. A one-page AI policy that references the ISMS policy suite audits far better than a paragraph buried in the infosec policy.
Related reading: the Learn hub, ISO 27001 and its 93-control catalog, the 38 AIMS controls, risk vs impact assessment, and a client story running both together. Terms in the compliance glossary.
Written By Expert Auditors
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours