Skip to main contentChat with us

Learn · ISO 42001 Concepts

Adding ISO 42001 to an
Existing ISO 27001 ISMS

If you hold ISO 27001, do not build a second management system. Both standards share the same clause 4–10 skeleton, so the right architecture is one integrated system carrying two certificates — you extend the machinery you have and build only what is genuinely new about AI.

The honest scope: the ISMS gives you the governance machinery, but the AI-specific artifacts — the system inventory, the impact assessments, the 38-control SoA — are real new work. Extension, not a checkbox.

4–10the clauses both standards share
2SoAs: 93 controls + 38 controls
3–6 motypical path with a mature ISMS

Plain-English explainer · Harmonized-structure mechanics · Last reviewed July 2026

ISO/IEC 42001 and ISO/IEC 27001 are built on the same harmonized structure — identical clause numbering from context (4) through improvement (10) — which is why the correct move for an ISO 27001-certified organization is to extend the existing management system into an integrated one, not to stand up a parallel AIMS. Practitioners commonly estimate that a mature ISMS already provides half to two-thirds of the foundational machinery an AIMS needs: governance cadence, document control, competence and awareness, internal audit, management review, supplier management, and the security controls that protect the AI stack. What it does not provide is anything that answers ISO 42001's distinctive question — what could this AI system do to the people it touches? The AI system inventory, the impact assessments, the AI-specific lifecycle and data controls, and a second Statement of Applicability over the 38 AIMS controls are genuinely new artifacts. With that machinery in place, organizations typically reach certification readiness in three to six months — and can run the two certificates on one integrated audit calendar.

Reuse

What Your ISMS Already Gives You

Governance skeleton (clauses 4–10)

Both standards share the ISO harmonized structure: context, leadership, planning, support, operation, performance evaluation, improvement. Your committee cadence, roles, and escalation paths extend rather than duplicate.

Document control & competence machinery

Policy templates, version control, training records, awareness programs (clause 7) — one system serves both, with AI competence added for the people who own AI systems.

Internal audit & management review

One integrated internal-audit program and one management review can cover both standards — add AIMS agenda items and auditor competence rather than a parallel calendar.

Risk method & registers

The ISO 31000-shaped risk process you run for 27001 extends to AI risks (ISO/IEC 23894 guidance) — same scales, same treatment workflow, new risk categories.

Supplier management

Your vendor-assessment machinery extends to model vendors and AI-relevant suppliers (A.10.3) — new questions, same process and contract hooks.

Security controls that overlap

Access control, change management, logging, incident management, and BC/DR from ISO 27001 Annex A already cover much of the AI stack’s security surface.

Build

The Genuinely New AIMS Artifacts

This is the honest delta — the work an ISMS, however mature, has never done. It is also where AIMS auditors spend most of their Stage 2 time.

AI system inventory

The register of every AI system in scope — including embedded foundation models and shadow AI. No ISMS equivalent; incomplete inventories are a top AIMS finding.

AI system impact assessments

The outward-looking assessment of consequences for individuals, groups, and society (clause 6.1.4 / Annex A.5, per ISO/IEC 42005:2025). Genuinely new — an ISMS never asks this question.

AI policy & objectives

A distinct AI policy (A.2.2) aligned with — not buried inside — the information security policy, plus responsible-AI objectives.

The second SoA

A separate Statement of Applicability over the 38 AIMS controls (A.2–A.10). Cross-reference the 27001 SoA where controls overlap; justify every exclusion.

AI lifecycle & data-for-AI controls

Requirements, verification/validation, deployment, monitoring, technical documentation, event logs (A.6); data acquisition, quality, provenance, preparation (A.7) — ML-specific, not ISMS re-labels.

Transparency & oversight evidence

User-facing AI disclosure, information for affected parties (A.8), and demonstrable human oversight (A.9) — with logs that prove intervention is possible and happens.

The Integrated Path

How the Combined Program Actually Runs

  • Scope first (clause 4.3, both standards): one scope statement per system is fine, but state the AIMS boundary — which AI systems, which roles you hold for each — explicitly rather than “everything the ISMS covers.”
  • Extend the risk process before writing controls: add the AI risk categories and run the per-system impact assessments; let those drive the 38-control SoA the way your 27001 risk assessment drives the 93-control SoA.
  • Cross-reference the two SoAs where controls genuinely overlap (access, change, logging, suppliers) — one control, two mappings, one evidence trail.
  • Fold AIMS items into the existing internal-audit program and management review — same calendar, expanded checklist, AI-competent auditors.
  • Certify with one body on an integrated audit: shared Stage 1/Stage 2 and surveillance visits reduce audit days versus two separate cycles. Confirm your certification body holds ISO/IEC 42006-based accreditation for AIMS before committing.

Integration — Common Questions

One system, two certificates — the mechanics.

Can ISO 42001 be integrated into an existing ISO 27001 ISMS?

Yes — that is the intended architecture. Both standards follow the ISO harmonized structure (identical clause 4–10 skeleton), so an organization with ISO 27001 extends its management system: same governance, document control, competence, internal audit, and management review, with AI-specific additions. The result is one integrated management system holding two certificates, not two parallel systems.

How much of ISO 42001 does an existing ISMS already cover?

Practitioners commonly estimate half to two-thirds of the foundational machinery: the clause 4–10 governance requirements and the overlapping security controls (access, change management, logging, incident management, supplier management). What it does not cover is the AI-specific core — the AI system inventory, impact assessments per ISO/IEC 42005, AI lifecycle and data-for-AI controls, transparency and human-oversight evidence, and the separate 38-control Statement of Applicability. Treat published percentages as planning heuristics, not guarantees; your actual delta depends on how many AI systems you run and how risky they are.

How long does ISO 42001 take if we already have ISO 27001?

Typically three to six months to certification readiness, versus longer from a standing start. The drivers are the number and risk level of AI systems in scope (each needs an impact assessment and lifecycle evidence) and how much of your AI estate is already documented. The management-system plumbing — usually the slow part of a first certification — is already running.

Do we need two Statements of Applicability?

Yes — one over ISO 27001's 93 Annex A controls and one over ISO 42001's 38. They are different control sets serving different risk questions. Where a control genuinely serves both (say, access control over the ML pipeline), implement once and cross-reference in both SoAs with one evidence trail. Every exclusion in the AIMS SoA needs a documented justification traceable to your risk and impact assessments.

Can one certification body audit both standards together?

Yes — integrated management-system audits are standard practice: shared Stage 1 and Stage 2 visits, combined surveillance, and audit-time efficiencies compared with two separate cycles. Two checks before committing: the body should hold accreditation for ISO/IEC 42001 under ISO/IEC 42006:2025 (verify on the accreditation body's directory or IAF CertSearch), and its audit team should include AI-competent auditors, which 42006 requires.

Should the AI policy live inside the information security policy?

Keep it distinct and aligned. Annex A.2.2 expects an AI policy addressing responsible development and use — fairness, transparency, human oversight, accountability — which is a different subject matter from information security, and A.2.3 explicitly requires alignment with your other policies. A one-page AI policy that references the ISMS policy suite audits far better than a paragraph buried in the infosec policy.

Related reading: the Learn hub, ISO 27001 and its 93-control catalog, the 38 AIMS controls, risk vs impact assessment, and a client story running both together. Terms in the compliance glossary.

Written By Expert Auditors

Surendra Pal Singh
Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISODPOCISAMCSEITILISO 27001 Lead AuditorISO 27701 Lead AuditorISO 42001 Lead Auditor
Saundhi Chauhan
Saundhi Chauhan
Lead Auditor
ISO 27001 Lead AuditorISO 27701 Lead Auditor
Last reviewed: July 2026Content verified by certified lead auditors

Get in touch

Book a free consultation or send us your requirements. We respond within 24 hours.

Quick Call

Pick a time slot

Send Requirements

Get a custom quote in 24 hours

We're Online

⚠️ Business inquiries only. Personal email addresses will be rejected.

24hr Response
Free Consultation
No Obligations