ISO 42001 vs ISO 27001: Combining an AIMS and an ISMS Correctly
ISO 42001 (AIMS, AI management system) and ISO 27001 (ISMS, information security) share the Annex SL structure and can be operated in an integrated manner. ISO 27001 protects information, ISO 42001 governs AI risks. Organisations that already have an ISMS extend its scope to cover AI and add the AI-specific Annex A controls, including an AI impact assessment.
Key Takeaways
- ✓ ISO 42001 and ISO 27001 share the Annex SL structure: clauses 4, 5, 6, 7, 9 and 10 (context, leadership, planning, support, evaluation, improvement) are structurally identical and can be combined; clause 8 (operation) differs, because that is where the AI-specific requirements (AI risk assessment, AI risk treatment, AI system impact assessment) and the selected Annex A controls are put into operation.
- ✓ The Annex A controls differ fundamentally: ISO 27001:2022 has 93 information security controls, ISO 42001 has 9 domains with 38 AI governance controls.
- ✓ Only ISO 42001 requires an AI system impact assessment (clause 6.1.4) for impacts on individuals, groups and society; ISO 27001 has no equivalent.
- ✓ According to the research cited here, combined external audits typically save around 25 to 30 per cent of Stage 2 audit days compared with two separate audits run in parallel.
- ✓ An existing ISMS significantly shortens the ISO 42001 implementation: 6 to 12 months to Stage 1 instead of 9 to 18 months from scratch.
- ✓ Recommended pattern: extend the ISMS scope to cover AI, use joint audit planning, management review and document control, and add the AI-specific controls.
Both standards build on the same ten-clause framework and can be run within a single programme.
- Shared foundation: Both standards follow the Annex SL high-level structure. Clauses 4, 5, 6, 7, 9 and 10 (context, leadership, planning, support, evaluation, improvement) are structurally identical and can be audited jointly.
- Different focus: ISO 27001:2022 covers information security with 93 Annex A controls; ISO 42001 covers AI governance with 9 domains and 38 controls, including bias, fairness, explainability and lifecycle.
- The 42001 plus: Only ISO 42001 requires an AI impact assessment (clause 6.1.4) for impacts on individuals, groups and society - ISO 27001 has no counterpart for this.
Why the two standards fit together so well
ISO/IEC 42001:2023 was published in December 2023 as the world's first certifiable management system standard for artificial intelligence. ISO/IEC 27001:2022 is the established standard for information security management systems. Both belong to the family of modern ISO management system standards and therefore follow the same Annex SL high-level structure that also underpins ISO 9001 (quality), ISO 14001 (environment), ISO 45001 (occupational health and safety) and ISO 22301 (business continuity).
This shared structure is the decisive lever. The ten-clause skeleton is deliberately compatible with combined and integrated management system audits. In concrete terms this means: organisations operating ISO 27001 have already built the engine room of a management system, namely leadership commitment, a risk-based approach, documented information, internal audit, management review and continual improvement. ISO 42001 builds on this and adds the AI-specific content. Clause 8 (operation) is the exception: it is where the AI risk assessment, AI risk treatment and AI system impact assessment are carried out and the selected Annex A controls are put into practice, so it differs the most in content.
The audit rhythm is also identical: an ISO 42001 certificate is valid for three years, with annual surveillance audits and a recertification audit at the end of the cycle - exactly the same cadence as ISO 27001. This considerably simplifies joint audit planning.
What overlaps - and what does not
The overlap lies in the shared clause framework (clauses 4 to 7, 9 and 10), with the differences almost entirely in the Annex A part, in clause 8 (operation) and in the AI impact assessment.
Structurally identical and combinable (according to research):
- Clause 4 context, clause 5 leadership, clause 6 planning, clause 7 support, clause 9 performance evaluation, clause 10 improvement
- Documented information, internal audit, management review - usually integrated
- Risk-based approach - shared, with AI-specific additions
Key differences:
- ISO 27001 Annex A comprises 93 controls (2022 edition) and is focused on information security; ISO 42001 Annex A comprises 38 controls across 9 domains and is focused on AI governance - with additions on bias, fairness, explainability, lifecycle and impact assessment.
- ISO 42001 explicitly requires an AI impact assessment (clause 6.1.4) - ISO 27001 has no equivalent for this.
Aspect comparison: ISO 27001 vs ISO 42001
| Aspect | ISO 27001:2022 (ISMS) | ISO 42001:2023 (AIMS) |
|---|---|---|
| Protection objective | Confidentiality, integrity, availability of information | Responsible governance of AI systems across the lifecycle |
| Publication | 2022 | December 2023 |
| Structure | Annex SL, clauses 4-10 | Annex SL, clauses 4-10 (cl. 4-7, 9, 10 identical) |
| Annex A controls | 93 controls | 9 domains / 38 controls |
| Impact assessment | Not required | AI system impact assessment required (cl. 6.1.4) |
| Risk methodology | Information security risks | AI risks (with ISO/IEC 23894 / ISO 31000) |
| Statement of Applicability | Yes | Yes (cl. 6.1.3) |
| Certificate validity | 3 years, annual surveillance | 3 years, annual surveillance (identical) |
| Typical role in the programme | Security foundation | AI governance superstructure |
The table shows the pattern: shared framework, different content. Security aspects of AI, such as the robustness and cybersecurity requirements of Article 15 of the EU AI Act, are largely covered by ISO 27001 according to the research, while ISO 42001 contributes the AI-specific governance, fairness and impact assessment topics. One caveat for practitioners: the ISO 27001 control set addresses the classic security of the systems around a model (access control, logging, change management, supplier security) but contains no controls for ML-specific threats such as adversarial inputs, training-data poisoning or model extraction; those have to be identified and treated explicitly in the AI risk assessment. The two standards complement one another without replacing each other.
The integrated management system in practice
The standard pattern described in the research for organisations with a mature ISO 27001 is as follows: internal audit, management review, training and awareness, document control and supplier management are consolidated. The ISMS scope is extended to cover AI, and the AI-specific Annex A controls are added. Combined external audits are offered by the major certification bodies; confirm this with your own body early, because it determines whether Stage 1 and Stage 2 can be scheduled jointly with the ISMS audit.
Organisationally, this is also reflected in the roles: ISO 42001 does not prescribe a single title such as "AI Officer", yet in practice an AI Officer or AIMS manager is appointed, in mid-sized DACH organisations often combined in one person with the CISO or the data protection officer. This creates a continuous line of responsibility between the ISMS and the AIMS. Combining the role with the data protection officer does need a conflict-of-interest check: under GDPR Article 38(6) the DPO may take on other tasks only where they do not create a conflict of interests, and deciding how AI systems process personal data can be one. At group level, the AI Officer is often combined with the CISO or CDO, with explicit accountability to a board AI committee.
A subtle but important note: this article is not legal advice. Specific interpretations of standards, deadlines and articles - particularly in their interplay with the GDPR and the EU AI Act - belong in the hands of qualified advisers and the responsible certification body.
A concrete example: a group with an existing ISMS
The research outlines the profile of a DACH group (2,000 employees or more) with an already established ISO 27001:2022, often supplemented by ISO 27701 (PIMS). Here the economics of integration are compelling:
- Shared audit planning: Combined Stage 1 and Stage 2 audits with ISO 27001, where the certification body supports this; a shared internal audit cycle.
- Shared document layer: Policies cascaded from the group, supplemented by AI-specific procedures per business unit.
- Integrated risk register: The AI risk register is hooked into enterprise risk management as a sub-register or tag.
- Saving: According to research, combined audits typically save around 25 to 30 per cent of Stage 2 audit days compared with parallel individual audits.
On budget, the research provides some context (as of 2026, DACH): a group with a mature ISMS is looking at around EUR 200,000 to 500,000 for the ISO 42001 programme (consulting plus audit plus internal effort), with a duration of 12 to 18 months. A mid-sized deployer without a pre-existing system is at EUR 50,000 to 150,000 and 9 to 12 months. The time advantage of an existing management system is measurable: 6 to 12 months to Stage 1 with existing ISO 27001 or ISO 9001, compared with 9 to 18 months from scratch.
In numerical terms this means, for a group: if a separate ISO 42001 Stage 2 would involve around 10 audit days, combining it with the ISMS audit saves roughly 2.5 to 3 days, and the same proportional saving recurs in each annual surveillance audit and at recertification.
When both make sense - and when they do not
The combination makes sense when AI systems work with personal or safety-critical data and an ISMS already exists or is planned anyway. In that case, the AIMS and ISMS share their foundation, audit cycle and personnel. It is equally worthwhile for AI providers, who often already hold ISO 27001 and SOC 2 Type II and are pursuing ISO 42001 as a market differentiator - here, combined audits, shared evidence and a common trust centre come together.
Caution is warranted when the sole motivation is "completeness": a pure deployer should not pre-emptively mark all lifecycle controls (Annex A.6) as applicable if it cannot demonstrate them. According to research, this is one of the most common audit findings. The scope is what counts - not the desire for as many certificates as possible.
For agencies and B2B decision-makers
For marketing agencies and B2B service providers that operate AI-supported processes for clients, the combination of AIMS plus ISMS is increasingly becoming a trust signal in supplier due diligence. Organisations that already hold ISO 27001 have already built the most expensive piece and can set up ISO 42001 with manageable additional effort. Blck Alpaca supports DACH organisations in cleanly extending the ISMS scope to cover AI, making the AI-specific Annex A controls demonstrable, and planning the integrated audit so that the savings potential is actually realised. Get in touch if you want to run the AIMS and ISMS as one programme rather than two separate undertakings.
FAQ
What is the difference between ISO 42001 and ISO 27001?
Can you combine ISO 42001 and ISO 27001 in a single audit?
Do I need ISO 27001 before I certify ISO 42001?
What does ISO 42001 require in addition that ISO 27001 does not cover?
When is combining an AIMS and an ISMS worthwhile?