Do You Need ISO 42001 If You Already Have ISO 27001?

ISO 42001 and ISO 27001 share the same management-system structure but govern different risk. Here is what each one actually covers, and when the second one is worth building.


ISO 42001 and ISO 27001 are siblings, not competitors. Both are management-system standards built on the same Annex-SL high-level structure: define scope, assess risk, implement controls, run internal audits, get certified, keep it running. But they govern different risk. ISO 27001 governs information security in general. ISO 42001 governs how a company builds, deploys, and oversees the AI it ships, model risk, bias, transparency, human oversight, whether that AI was trained in-house or called through a third-party foundation model. Having ISO 27001 first makes ISO 42001 faster to build, because the management-system muscle transfers directly. Whether you need it at all depends on whether AI governance is actually part of your sales or diligence conversation yet.

The two get confused because they look alike on paper, same shape of scope document, same Statement of Applicability pattern, same internal-audit-then-certification-audit cycle. That resemblance is real and it is useful, not a coincidence to explain away. But it also means it is easy to assume ISO 42001 is just "ISO 27001 for AI companies," which undersells what is actually new in it. Our ISO 42001 framework page and ISO 27001 framework page each cover their own framework in depth; this post is the decision layer between them. If you are also weighing SOC 2 into this mix, SOC 2 vs ISO 27001 covers that adjacent comparison.

What does each framework actually govern?

ISO 27001 governs information security broadly: access control, vulnerability management, incident response, vendor risk, physical and organizational controls, the full 93 Annex A controls across four themes. It does not care what your product does. A logistics platform, a fintech, and an AI company can all run the identical ISMS scope and control set.

ISO 42001 governs something narrower and newer: an Artificial Intelligence Management System, an AIMS, specific to any AI a company develops, deploys, or uses. That means AI-specific risk assessment, bias, safety, transparency, data governance, human oversight, not general infosec risk. It also means documenting the lifecycle of each AI system, from data sourcing through deployment and monitoring, and it applies whether you trained the model yourself or you are calling a third-party foundation model in production. Governing AI you did not build is still governing AI under ISO 42001.

Why do they look so similar?

Because they are built on the same skeleton. Both are ISO management-system standards using the Annex-SL high-level structure: scope the system, assess risk against that scope, select and justify controls in a Statement of Applicability, run internal audits and a management review, then pass an external certification audit. If you have been through that cycle once, for ISO 27001 or any other ISO management-system standard, the shape of ISO 42001 will look immediately familiar.

What differs is the content inside that shape. ISO 27001's risk assessment asks about information security threats. ISO 42001's risk assessment asks about model risk, bias, and whether a human can actually review and override an AI-driven decision. The muscle, the process discipline of running a management system at all, is the same muscle. The subject matter is not.

Does ISO 27001 make ISO 42001 faster?

Yes, and this is the practical reason the two are worth comparing rather than treating as unrelated. A company that already has ISO 27001 has already built the parts of ISO 42001 that are not AI-specific: a working risk assessment process, an internal audit cadence, a management review cycle, a Statement of Applicability discipline, and the organizational habit of actually running a management system instead of just documenting one. None of that has to be rebuilt from scratch for ISO 42001.

What is genuinely new is the AI-specific risk content: bias assessment, transparency requirements, human-oversight documentation, and lifecycle tracking for each AI system in scope, including ones built on third-party foundation models rather than trained internally. That is real, non-trivial work, ISO 42001 is not a rubber stamp on top of ISO 27001, but it is a smaller project for a company that already runs one ISO management system than for a company building its first one from nothing.

ISO 42001 vs ISO 27001 at a glance

ISO 42001ISO 27001
What it governsHow you build, deploy, and oversee AI systems: model risk, bias, transparency, human oversightInformation security generally: access control, vulnerability management, incident response, vendor risk
PublishedDecember 2023, by ISO/IEC JTC 1/SC 42Current revision ISO/IEC 27001:2022 (originally 2005)
StructureAnnex-SL management system: scope, risk assessment, controls, internal audit, certification, surveillanceSame Annex-SL management system structure
Who asks for itBuyers and investors evaluating an AI-driven product's governance, still an emerging askUS, EU, and international enterprise buyers, public-sector tenders
Relationship to each otherIndependent certifications; neither requires the other, but the underlying management-system process transfers directly between themSame as at left

When do you actually need ISO 42001?

Not on the general principle of holding another certificate. Get ISO 42001 when your product ships AI-driven features that a customer, investor, or regulator actually cares about the governance of, when "how do you govern the AI in your product" is a live question in a sales cycle or a diligence process, not a hypothetical one. If your AI usage is incidental, an internal tool, a minor feature nobody in your pipeline is asking about, ISO 27001 alone likely still covers the governance question a buyer would ask.

That threshold moves as the market matures. ISO 42001 is the newest framework in this comparison, and the buyers, auditors, and diligence checklists around it are still forming through 2026. It is not legally required anywhere; the EU AI Act is the binding regulation sitting alongside it, and the two are frequently confused but answer different questions, ISO 42001 is a voluntary certification of your internal governance system, the AI Act is law with its own risk tiers. Holding ISO 42001 does not automatically satisfy AI Act obligations, but the governance habits it requires, risk assessment, documentation, human oversight, make demonstrating AI Act compliance meaningfully easier.

Frequently asked questions

Is ISO 42001 the same as ISO 27001? No. They are both management-system standards built on the same Annex-SL high-level structure, define scope, assess risk, implement controls, audit, certify, maintain, but they govern different risk. ISO 27001 governs information security generally. ISO 42001 governs how a company builds, deploys, and oversees AI systems specifically: model risk, bias, transparency, and human oversight.

Does having ISO 27001 make ISO 42001 easier? Meaningfully, yes. The management-system muscle, your risk assessment process, internal audit cadence, and management review cycle, transfers directly from one to the other. Only the AI-specific risk content, bias, transparency, lifecycle documentation, human oversight, is new work.

Do I need ISO 42001 if I only use third-party AI models, not my own? Yes, if the AI-driven parts of your product are something a customer, investor, or regulator cares about the governance of. ISO 42001 still expects you to govern AI you did not train yourself: know what the model does, monitor its outputs, and document your oversight.

When should a company get ISO 42001 instead of just ISO 27001? When it ships AI-driven features that are actually part of the sales or diligence conversation, not on the general principle of having more certifications. If nobody in your pipeline is asking about AI governance yet, ISO 27001 alone is probably still the right scope.

Can I get ISO 42001 without ISO 27001? Yes, they are independent certifications and neither requires the other. But a company starting from zero on both will spend real time building the management-system scaffolding that a company with ISO 27001 already has in place.

When was ISO 42001 published? December 2023, by ISO/IEC JTC 1/SC 42. It is the newest framework in this comparison and the market and audit ecosystem around it are still forming.

Last reviewed: July 12, 2026.

Where Scadable fits

Scadable builds ISO 42001's AI management system on top of the same risk-assessment and audit muscle it builds for ISO 27001, mapping AI-specific risk, implementing the governance and oversight controls that are missing, and keeping the documentation current as your product's AI usage changes. A company doing both does not pay for the underlying management-system work twice, Scadable reuses the scope, risk process, and audit cadence across frameworks instead of treating each one as its own project. Book a call to see whether ISO 42001 is actually the next framework your pipeline needs, or whether ISO 27001 alone still covers it.