Implementing ISO 27001 and ISO 42001 in an integrated way: one system, two certificates

Compliance · 8 min read

Kees van der Vlies

Partner | IT Auditor

Also available in: Nederlands

Organizations that want to manage AI responsibly and certify their information security face two standards: ISO 27001 for information security and ISO 42001 for AI management. Implementing them separately means duplicate work: policy twice, risk assessment twice, two internal audits. But both standards share the same underlying structure, which makes an integrated implementation much more efficient. This article shows how to approach it.

The shared structure of ISO management systems

Since ISO introduced Annex SL in 2012, management system standards have followed a common layout, now called the harmonized structure. As a result, ISO 27001 and ISO 42001 share the same clause structure: context of the organization (clause 4), leadership (5), planning (6), support (7), operation (8), performance evaluation (9) and improvement (10). For the implementation this means that a large part of the framework is identical. You do not have to build governance, high-level policy, the risk management process, the internal audit and the management review twice.

What you can share

In an integrated approach you share the overarching elements. One governance structure with clear roles, one set of core processes for risk management, document management, internal audit, management review and continual improvement. A number of controls also overlap in practice: access management, supplier management, awareness and incident management touch both information security and AI governance. By implementing these controls once and linking them to both standards, you avoid duplicate administration.

What stays domain-specific

Not everything can be shared. ISO 27001 has its own Annex A with 93 security controls and a Statement of Applicability. ISO 42001 also has its own Annex A of AI controls and its own Statement of Applicability, plus AI-specific topics: the inventory of AI systems, AI impact assessments, transparency about automated decision-making, bias and data quality. You set up these domain-specific parts separately, with a Statement of Applicability per standard, but within the same overarching management system. The art is to keep the distinction between the shared foundation and the specific superstructure sharp, so that an auditor can see for each requirement which part of the system answers it.

The order: simultaneously or sequentially

If an organization already has ISO 27001, you build ISO 42001 on top of it: you use the existing governance and processes and add the AI-specific elements. If you start with both at once, you set up the shared foundation once and then work out the two domains in parallel. Implementing simultaneously requires more coordination, but yields the biggest efficiency gain because you do not have to adjust the foundation afterward.

The role of the risk assessment

Both standards revolve around risk management, but with a different focus. ISO 27001 looks at risks to the confidentiality, integrity and availability of information. ISO 42001 looks at risks of AI systems, including bias, transparency and impact on affected people, and additionally requires an AI system impact assessment that looks at consequences for individuals and society rather than only for the organization. In an integrated approach you use the same risk management process and the same methodology (criteria, scales, acceptance levels), but with separate risk registers or clearly marked categories. This preserves coherence without the two risk types getting mixed up, and keeps each standard's risk treatment traceable to its own Statement of Applicability.

One internal audit, two scopes

An important advantage lies in the internal audit and the management review. Instead of two separate tracks you run a combined audit program covering both standards, with attention to the specific requirements of each: every clause of both standards still has to be covered, and the audit team needs competence in AI as well as in information security. That saves time and gives management an integral picture of both information security and AI governance. The certification audits are performed by the certification body and can often be combined into one integrated audit or scheduled in alignment.

The role of tooling

An integrated implementation requires oversight of two standards at once. A GRC platform that supports multiple standards lets you register shared controls once and link them to both standards, while domain-specific controls stay separate. That makes the coherence visible and prevents a change in one system from unnoticeably affecting the other. For an integrated project this oversight is the difference between efficiency and chaos.

Secure Audit guides integrated implementations of ISO 27001 and ISO 42001, supported by our GRC tool in which both standards come together. This way you achieve two certificates with considerably less duplicate work. Get in touch for a no-obligation conversation about an integrated project.

Frequently asked questions

Why can you implement ISO 27001 and ISO 42001 in an integrated way?

Both standards follow the same harmonized structure: context, leadership, planning, support, operation, evaluation and improvement. As a result a large part of the framework, such as governance, risk management and internal audit, is identical and shareable.

What stays domain-specific between the two standards?

ISO 27001 keeps its own Annex A and Statement of Applicability; ISO 42001 has its own Annex A and Statement of Applicability too, and AI-specific topics such as the inventory of AI systems, impact assessments, transparency, bias and data quality. You set those up separately within the same management system.

Can you test both standards in one internal audit?

Yes. You run a combined audit program covering both standards, with attention to the specific requirements of each. That saves time and gives management an integral picture of information security and AI governance.

Is integrated implementation always more efficient?

Usually yes, because you set up the shared foundation only once. Implementing simultaneously requires more coordination but yields the biggest gain. If you already have ISO 27001, you build ISO 42001 efficiently on the existing structure.

