
Artificial intelligence is rapidly transforming the way organisations operate. From customer service chatbots and predictive analytics to software development and decision-making tools, AI is becoming embedded in business processes across almost every sector.
As AI adoption increases, organisations face a growing challenge: how can they manage AI responsibly while maintaining robust information security?
Two international standards are increasingly relevant in this space: ISO 42001 and ISO 27001. While they share some common principles, they address different areas of governance and risk management.
So, if your organisation uses AI, do you need both?
ISO 27001 is the internationally recognised standard for Information Security Management Systems (ISMS).
The standard provides a framework for identifying, assessing and managing information security risks. It helps organisations protect the confidentiality, integrity and availability of information through a structured and risk-based approach.
Organisations certified to ISO 27001 demonstrate their commitment to protecting sensitive information and maintaining effective information security controls.
Common areas covered by ISO 27001 include:
For many organisations, ISO 27001 serves as the foundation of their cybersecurity and information governance strategy.
ISO 42001 is the world's first international management system standard specifically designed for Artificial Intelligence Management Systems (AIMS).
Published in response to the rapid growth of AI technologies, ISO 42001 provides a framework for governing the development, deployment and use of AI systems.
The standard focuses on managing the unique risks and opportunities associated with AI, including ethical considerations, transparency, accountability and potential unintended consequences.
Key areas addressed by ISO 42001 include:
ISO 42001 helps organisations establish confidence that AI systems are being managed in a structured, responsible and trustworthy manner.
Although there is some overlap, the standards have different primary objectives.
ISO 27001:
Focuses on information security
Protects information assets
Addresses confidentiality, integrity and availability
Applicable to any organisation handling information
Establishes an Information Security Management System (ISMS)
ISO 42001:
Focuses on AI governance
Manages AI-related risks and opportunities
Addresses transparency, accountability, fairness and responsible AI use
Particularly relevant for organisations developing, deploying or using AI systems
Establishes an Artificial Intelligence Management System (AIMS)
Put simply, ISO 27001 asks:
"How do we protect our information?"
ISO 42001 asks:
"How do we govern and manage AI responsibly?"
Both questions are important, but they are not the same.
AI systems often rely on significant volumes of data, complex technologies and interconnected processes. As a result, organisations implementing ISO 42001 will encounter many areas that are already addressed within an ISO 27001 framework.
Examples include:
This shared management-system structure makes it easier for organisations already certified to ISO 27001 to integrate ISO 42001 into their existing governance framework.
The answer depends on how AI is used within the organisation.
If AI forms a significant part of your operations, products or services, ISO 42001 can provide a structured framework for managing AI-specific risks and responsibilities.
However, ISO 42001 is not a replacement for information security controls.
AI systems can introduce additional security challenges, including:
These areas remain firmly within the scope of ISO 27001.
For organisations that both use AI and handle sensitive information, the two standards are often complementary rather than alternative options.
Organisations that achieve certification to both ISO 27001 and ISO 42001 can demonstrate a broader commitment to governance, security and responsible technology use.
Potential benefits include:
As AI governance receives greater attention from regulators, customers and business partners, organisations may increasingly be expected to demonstrate both secure information management and responsible AI practices.
AI adoption continues to accelerate across industries. At the same time, organisations are under growing pressure to demonstrate that these technologies are being managed responsibly, securely and transparently.
ISO 27001 remains the leading framework for information security management, while ISO 42001 provides a dedicated approach to AI governance.
For organisations using AI, the question is often not whether one standard should replace the other, but how both can work together to support trust, resilience and responsible innovation.
Certification provides independent verification that your management system meets the requirements of the relevant international standard.
TÜV UK offers UKAS accredited certification services for ISO 27001 and ISO 42001, helping organisations demonstrate their commitment to information security and responsible AI governance through an impartial assessment process.
To learn more about ISO 27001 and ISO 42001 certification, contact us today.
TÜV UK Ltd
AMP House
Suites 27 - 29, Fifth Floor, Dingwall Road
Croydon, CR0 2LX
Tel.: +44 20 8680-7711
Enquiries.UK@tuv-nord.com