ISO 42001 vs ISO 27001: Which Standard Does Your AI Programme Actually Need?

John Airey
iso-42001 iso-27001 ai-governance-framework uk-grc

A question is emerging in GRC conversations that did not exist eighteen months ago: does our information security certification cover the AI systems we are now deploying? The short answer is no. ISO 27001 secures information assets. ISO 42001 governs AI systems. They address fundamentally different risk surfaces, and an organisation running AI workloads needs the second standard regardless of whether it already holds the first.

The confusion is widespread enough that, in our own search data, we see impressions for ‘ISO 47001’, a standard that does not exist. That tells us something about where the market is right now. Buyers know they need to do something about AI governance. They are not yet certain what.

What ISO 27001 actually covers

ISO 27001 is the international standard for information security management systems. It is concerned with the confidentiality, integrity and availability of information, and it provides a framework of controls covering access management, cryptography, supplier relationships, physical security, incident response and the rest of the information security discipline.

It is a mature standard. UK organisations in regulated sectors have been certifying against it for years, and it remains the right answer for the question it was designed to answer: how do we protect information assets from unauthorised access, loss or disclosure?

What ISO 27001 does not do is govern how an AI system is designed, trained, validated, deployed or monitored. In its current form, without AI-specific annexes, it treats AI workloads the same way it treats any other information system.

The model is a piece of software. The training data is a dataset. The outputs are information. Those things matter, and 27001 will help you secure them, but they are not the substance of AI risk.

What ISO 42001 covers that ISO 27001 does not

ISO 42001 is the international standard for AI management systems, published in December 2023 (readers should verify the current version with ISO or their certification body, as standards are subject to revision). It addresses the risks that arise from AI specifically: model bias and fairness, explainability and transparency, lifecycle management of models, data quality for training and inference, human oversight, accountability for automated decisions, and third-party AI dependency where the model itself or its training data sits outside your organisation.

These are not information security risks. A model can be perfectly secure, in the 27001 sense, and still produce discriminatory outputs, hallucinate with confidence, drift out of calibration, or expose the organisation to regulatory action because no human reviewed a decision that affected a citizen, a patient or a customer. ISO 42001 puts the controls and the management system around those risks. It is the standard that asks whether you should be deploying the model at all, not just whether the server it runs on is patched.

For UK organisations the timing matters. AI regulatory pressure is arriving through several routes: the EU AI Act, which can apply where an AI system's outputs are used in the EU regardless of where the provider is established; sector-specific guidance from the ICO, Ofcom and the FCA; and procurement requirements that increasingly ask suppliers to demonstrate AI governance maturity. Implementing 42001 now positions the business ahead of those requirements rather than retrofitting controls under pressure.

Do you need both standards?

In most cases, yes. The two standards are complementary rather than competing. ISO 27001 secures the infrastructure, the data and the access controls. ISO 42001 governs what the AI system does with all of that.

The management system structure is deliberately aligned. Both follow the high-level structure common to ISO management system standards, which means the governance scaffolding, such as leadership commitment, risk assessment, internal audit, management review and continual improvement, can be integrated rather than duplicated. An organisation with a working 27001 ISMS will find that much of the implementation effort for 42001 reuses existing processes, populated with AI-specific content.

That said, holding 27001 does not give you 42001 by default, and the gap is substantive. AI-specific controls including impact assessment, bias testing, model documentation and human oversight are simply not part of the 27001 control set.

How to decide where to start

For organisations with no current certification and an active AI programme, the practical sequence depends on existing maturity. If information security controls are weak, 27001 first gives you the foundation. If the AI programme is the more material risk and information security is already in reasonable shape, 42001 may be the priority even without 27001 certification.

For organisations already certified to 27001, the question is no longer whether to pursue 42001 but when. The answer typically turns on three factors: the materiality of AI to your operations, the regulatory exposure of your sector, and the procurement signals from your customers. In our practitioner experience working with NHS trusts, local authorities and professional services firms, clients are typically encountering at least one of these pressures, and often more than one.

What an ISO 42001 implementation looks like in practice

For the delivery practicalities - scope definition, AI inventory work, risk and impact assessment, control selection, gap remediation, the Stage 1 / Stage 2 audit path and what to look for in an implementation partner - the ISO 42001 implementation guide is the companion piece.

The short version on timing: roughly twelve months end-to-end for a typical mid-sized UK organisation without prior ISO 27001 certification, and longer where the AI estate is large or the governance baseline is thin. Organisations already certified to ISO 27001 routinely halve that figure.

Key questions on ISO 42001 and ISO 27001

What is the difference between ISO 42001 and ISO 27001?

ISO 27001 is an information security management system standard focused on protecting information assets. ISO 42001 is an AI management system standard focused on governing how AI systems are developed, deployed and monitored. They address different risk surfaces and are designed to operate alongside each other.

Do I need ISO 42001 if I already have ISO 27001?

If your organisation develops, deploys or relies materially on AI systems, yes. ISO 27001 will secure the data and infrastructure behind those systems but does not address AI-specific risks including bias, explainability, model drift and accountability for automated decisions. Those sit within the scope of ISO 42001.

Which ISO standard applies to AI governance?

ISO 42001, published in December 2023, is the international standard for AI management systems and is the appropriate framework for AI governance. Sector-specific guidance and emerging regulation, including the EU AI Act, sit alongside it rather than replacing it.

Can I implement ISO 42001 without being certified to ISO 27001 first?

Yes. ISO 27001 certification is not a prerequisite. In practice many organisations find the two reinforce each other and pursue them in parallel or in close sequence, but 42001 can be implemented and certified independently.

How long does ISO 42001 certification take for a UK organisation?

For a mid-sized UK organisation without prior ISO 27001 certification, plan for around a year: nine to fifteen months from kickoff to certification, with the longer end of the range applying where the AI estate is large or governance maturity is low. Where ISO 27001 is already in place, roughly six to nine months is realistic.

See also: the FAQ version

If you prefer a quick-reference Q&A format, the ISO 42001 vs ISO 27001 FAQ covers the same ground in eight focused answers. The ISO 42001 implementation guide goes deeper on the delivery practicalities once you have decided which standard you need. The ISO 42001 certification readiness checklist covers the step-by-step programme for GRC teams preparing the work.

Clarify the right path for your AI programme

The decision between 27001 and 42001 is not abstract. It turns on the AI systems you actually run, the regulatory pressures specific to your sector and the procurement signals coming from your customers. A short scoping conversation will identify which standard your programme needs first and what a realistic implementation path looks like for your organisation.

Schedule a 30-minute AI Governance Scoping Call to talk through your position with one of our practitioners. This conversation is a scoping discussion and does not constitute legal or compliance advice; regulatory obligations vary by organisation and sector.

27001, 42001 or both - and in what order?

A short scoping call with a QL Security practitioner will tell you which standard your AI programme actually needs first, what a realistic sequencing looks like and where existing controls can be reused.