As artificial intelligence (AI) becomes embedded in critical business processes, the risks and governance challenges it introduces can no longer be ignored. That’s where ISO/IEC 42001:2023, the new international standard for Artificial Intelligence Management Systems (AIMS), comes in.
For organisations already certified in ISO/IEC 27001:2022 (Information Security Management Systems), the question arises: How does ISO/IEC 42001:2023 fit into the picture?
How the structures are aligned
ISO/IEC 42001:2023 and ISO/IEC 27001:2022 share a common structure, known as Annex SL, which standardises the way management system standards are written. This means:
- Clauses are aligned (Scope, Normative References, Terms and Definitions, Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement)
- Policies, objectives, and processes integrate more easily
- Terminology and documentation expectations are already familiar
This structural similarity allows organisations to seamlessly integrate AI governance into existing information security systems, minimising duplication of effort.
While being aware of the similarities, it is also important to recognise the differences, which come down to focus areas and goals. The table below summarises these differences.
Differences in focus areas and goals between ISO/IEC 42001:2023 and ISO/IEC 27001:2022

| ISO/IEC 42001:2023 | ISO/IEC 27001:2022 |
| --- | --- |
| Governs responsible, ethical, and risk-aware use of AI | Protects confidentiality, integrity, and availability of information |
| Focus on AI-specific risks: bias, explainability, accountability | Focus on data-specific security threats and vulnerabilities |
| Includes controls around data quality, model lifecycle management, transparency, etc. | Includes controls around cryptography, access control, supplier management, etc. |
Despite different scopes, both standards ultimately aim to protect stakeholders and ensure trust in digital systems.
Why ISO/IEC 27001:2022-certified organisations are well positioned
If your organisation is already ISO/IEC 27001:2022 certified:
- You have mature risk management and internal audit processes. This is essential for ISO/IEC 42001:2023 certification.
- Your governance framework can be extended to cover AI, using similar principles and control structures.
- You likely already monitor, measure, and report on information system performance, a habit easily transferred to AI systems.
This makes adding ISO/IEC 42001:2023 a strategic and scalable move, rather than starting from scratch.
Where to start when adding ISO/IEC 42001:2023 to your existing ISMS
If your organisation is already ISO/IEC 27001:2022 certified, you have a solid foundation to build on. Below is a summarised list of key steps you can take to begin implementing ISO/IEC 42001:2023:
1. Define Your AI Scope
Identify where AI is used across your organisation, for example in decision-making, automation, or analytics. This sets the boundary for your AIMS.
2. Do a Gap Assessment
Compare your existing ISMS with ISO/IEC 42001:2023. Highlight missing areas like AI-specific risks (bias, explainability), ethical controls and stakeholder governance.
3. Expand Your Risk Register
Add AI-related risks to your existing framework, for example model drift, misuse of training data, or lack of oversight. Assess them with your current methodology.
4. Update Governance and Policies
Adapt your current ISO/IEC 27001:2022 roles and processes to cover AI oversight, transparency, and accountability. Introduce a basic AI policy and ethical guidelines.
5. Raise Awareness Internally
Brief key teams (IT, development, risk) on the standard’s purpose and their roles. Early buy-in will smooth the road to implementation.
6. Combine It with Your Next ISO 27001 Audit
When your ISO/IEC 27001:2022 surveillance or recertification audit comes around, consider adding ISO/IEC 42001:2023 as an extension rather than booking a separate standalone audit. This reduces cost and audit fatigue and streamlines certification.
The Bigger Picture
Integrating ISO/IEC 42001:2023 with ISO/IEC 27001:2022 not only strengthens your risk management; it also builds stakeholder trust, aligns you with emerging regulatory frameworks, and helps future-proof your business against ethical and operational AI risks.
ISO/IEC 42001:2023 is not a replacement for ISO/IEC 27001:2022, but a complementary expansion. Together, they offer a comprehensive framework for digital trust, security, and responsible innovation in the age of AI.
Reach out to us at info@sancert.global if you would like to find out more about the certification process for ISO/IEC 42001:2023.