ISO 42001 vs. ISO 27001: how the two standards fit together
Information security or AI governance — or both? How ISO/IEC 27001 and ISO/IEC 42001 differ, where they overlap and in which order to tackle them.
ISO/IEC 27001 and ISO/IEC 42001 are often mentioned in the same breath — and for good reason. They share a structure and a logic, but they protect different things. Understanding the difference helps you invest in the right order.
What each standard is for
ISO/IEC 27001 is the established standard for an information security management system (ISMS). It protects the confidentiality, integrity and availability of information — your data, your systems, your know-how.
ISO/IEC 42001 is the new standard for an AI management system (AIMS). It governs the responsible use of artificial intelligence: risks to people and society, transparency, human oversight, data quality and the life cycle of AI systems.
Where they overlap
- The same high-level structure (Annex SL): context, leadership, planning, support, operation, evaluation, improvement.
- Risk-based thinking and a Statement of Applicability that documents which controls apply.
- Internal audits, management review and continual improvement as recurring duties.
- A large shared base of evidence — policies, roles, training, supplier management.
The key difference
ISO 27001 asks: are our information assets secure? ISO 42001 asks: is our AI responsible and under control? Information security is largely about protecting the organisation; AI governance adds a strong focus on protecting the people affected by AI decisions. ISO 42001 therefore introduces AI-specific elements such as the AI impact assessment that 27001 does not have.
ISO 27001 secures your information. ISO 42001 builds on that and makes your AI trustworthy. A solid ISMS is a good foundation — but not a hard prerequisite.
Which one first?
Both orders work. A robust ISMS is a good foundation, but it is not a mandatory predecessor for ISO 42001. Because the two share structure, risk logic and much of the evidence, it often pays to look at them together and avoid building the same things twice. In practice the right sequence depends on where your risks and your client requirements sit — that is what a short assessment clarifies.
Frequently asked questions
Do I need ISO 27001 before ISO 42001?
No. A solid ISMS is a helpful foundation but not a formal prerequisite. The standards share a lot, so they are often best approached together to avoid duplicate work.
Can both certificates be combined in one project?
Yes. They share the high-level structure, risk logic and much of the evidence, so a combined build-up reduces the extra effort considerably. A reliable estimate follows the gap analysis.
What does ISO 42001 add that ISO 27001 doesn't have?
AI-specific elements — most notably the AI impact assessment, a stronger focus on the people affected by AI decisions, transparency and human oversight across the AI life cycle.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor (PECB)
Last updated: 27 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
Questions about your own case?
In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act — honestly and without a sales pitch.