ISO 42001 vs ISO 27001: Do Organisations Using AI Need Both?

Artificial intelligence is rapidly transforming the way organisations operate. From customer service chatbots and predictive analytics to software development and decision-making tools, AI is becoming embedded in business processes across almost every sector.

As AI adoption increases, organisations face a growing challenge: how can they manage AI responsibly while maintaining robust information security?

Two international standards are increasingly relevant in this space: ISO 42001 and ISO 27001. While they share some common principles, they address different areas of governance and risk management.

So, if your organisation uses AI, do you need both?

Understanding ISO 27001

ISO 27001 is the internationally recognised standard for Information Security Management Systems (ISMS).

The standard provides a framework for identifying, assessing and managing information security risks. It helps organisations protect the confidentiality, integrity and availability of information through a structured and risk-based approach.

Organisations certified to ISO 27001 demonstrate their commitment to protecting sensitive information and maintaining effective information security controls.

Common areas covered by ISO 27001 include:

  • Information security risk management
  • Access control and user permissions
  • Data protection and confidentiality
  • Incident management
  • Supplier security
  • Business continuity and resilience

For many organisations, ISO 27001 serves as the foundation of their cybersecurity and information governance strategy.

Understanding ISO 42001

ISO 42001 is the world's first international management system standard specifically designed for Artificial Intelligence Management Systems (AIMS).

Published in response to the rapid growth of AI technologies, ISO 42001 provides a framework for governing the development, deployment and use of AI systems.

The standard focuses on managing the unique risks and opportunities associated with AI, including ethical considerations, transparency, accountability and potential unintended consequences.

Key areas addressed by ISO 42001 include:

  • AI governance and oversight
  • AI risk assessment and management
  • Transparency and explainability
  • Bias and fairness considerations
  • Human oversight and accountability
  • Monitoring AI performance and outcomes
  • Responsible use of AI technologies

ISO 42001 helps organisations establish confidence that AI systems are being managed in a structured, responsible and trustworthy manner.

How Are ISO 42001 and ISO 27001 Different?

Although there is some overlap, the standards have different primary objectives.

ISO 27001

  • Focuses on information security
  • Protects information assets
  • Addresses confidentiality, integrity and availability
  • Applicable to any organisation handling information
  • Establishes an Information Security Management System (ISMS)

ISO 42001

  • Focuses on AI governance
  • Manages AI-related risks and opportunities
  • Addresses transparency, accountability, fairness and responsible AI use
  • Particularly relevant for organisations developing, deploying or using AI systems
  • Establishes an Artificial Intelligence Management System (AIMS)

Put simply, ISO 27001 asks:

"How do we protect our information?"

ISO 42001 asks:

"How do we govern and manage AI responsibly?"

Both questions are important, but they are not the same.

Where the Standards Overlap

AI systems often rely on significant volumes of data, complex technologies and interconnected processes. As a result, organisations implementing ISO 42001 will encounter many areas that are already addressed within an ISO 27001 framework.

Examples include:

  • Risk management methodologies
  • Internal audits
  • Leadership and governance responsibilities
  • Competence and awareness requirements
  • Supplier management
  • Incident response processes
  • Continual improvement activities

This shared management-system structure makes it easier for organisations already certified to ISO 27001 to integrate ISO 42001 into their existing governance framework.

Do Organisations Using AI Need Both Standards?

The answer depends on how AI is used within the organisation.

If AI forms a significant part of your operations, products or services, ISO 42001 can provide a structured framework for managing AI-specific risks and responsibilities.

However, ISO 42001 is not a replacement for information security controls.

AI systems can introduce additional security challenges, including:

  • Exposure of sensitive data
  • Unauthorised access to AI platforms
  • Third-party AI supplier risks
  • Data quality and integrity concerns
  • Cybersecurity vulnerabilities within AI systems

These areas remain firmly within the scope of ISO 27001.

For organisations that both use AI and handle sensitive information, the two standards are often complementary rather than alternative options.

Benefits of Holding Both Certifications

Organisations that achieve certification to both ISO 27001 and ISO 42001 can demonstrate a broader commitment to governance, security and responsible technology use.

Potential benefits include:

  • Increased stakeholder confidence
  • Improved management of AI-related risks
  • Stronger information security practices
  • Enhanced governance and accountability
  • Support for regulatory and customer expectations
  • Independent verification of management system effectiveness

As AI governance receives greater attention from regulators, customers and business partners, organisations may increasingly be expected to demonstrate both secure information management and responsible AI practices.

Looking Ahead

AI adoption continues to accelerate across industries. At the same time, organisations are under growing pressure to demonstrate that these technologies are being managed responsibly, securely and transparently.

ISO 27001 remains the leading framework for information security management, while ISO 42001 provides a dedicated approach to AI governance.

For organisations using AI, the question is often not whether one standard should replace the other, but how both can work together to support trust, resilience and responsible innovation.

Independent Certification from TÜV UK

Certification provides independent verification that your management system meets the requirements of the relevant international standard.

TÜV UK offers UKAS-accredited certification services for ISO 27001 and ISO 42001, helping organisations demonstrate their commitment to information security and responsible AI governance through an impartial assessment process.

To learn more about ISO 27001 and ISO 42001 certification, contact us today.

TÜV UK Ltd
AMP House
Suites 27 - 29, Fifth Floor, Dingwall Road
Croydon, CR0 2LX

Tel.: +44 20 8680-7711
Enquiries.UK@tuv-nord.com