Unorma

ISO 42001

ISO 42001 vs. ISO 27001: What's the Difference?

A detailed, clause-by-clause comparison of ISO 42001 and ISO 27001 — what overlaps, what's genuinely new, and how to run both management systems together efficiently.

Zofia Kubiak
Zofia Kubiak

June 19, 2026 · 17 min read

ISO 42001

This comparison comes up constantly because the two standards look deceptively similar at a glance — same publisher, same clause numbering, overlapping vocabulary. They are not interchangeable, and they are not competitors either. Here's exactly where they overlap, where they genuinely diverge, and how to run both efficiently if you need to.

TL;DR

  • Both standards share the identical Annex SL high-level structure (clauses 4-10: context, leadership, planning, support, operation, evaluation, improvement) — this is standard across all modern ISO management-system standards.
  • ISO 27001's Annex A has 93 controls across 4 themes (organizational, people, physical, technological) focused on information security broadly.
  • ISO 42001's Annex A has 38 controls across 9 categories focused specifically on the AI system lifecycle, AI-specific data governance, and responsible AI use.
  • You can run both as an Integrated Management System, sharing clauses 4-10 infrastructure while maintaining separate, standard-specific Annex A control sets.
  • ISO 27001 doesn't cover AI-specific risks like model bias or AI lifecycle governance — that's exactly the gap ISO 42001 fills, even for organizations with mature information security programs.

Why This Comparison Comes Up So Often

Most organizations evaluating ISO 42001 already have ISO 27001, or are actively pursuing both at once. The natural question is whether 42001 is redundant with existing information security work, or a genuinely separate undertaking. It's neither — it's a related but distinct management system with real overlap in structure and real divergence in content.

Shared DNA: The Annex SL Structure

Every modern ISO management-system standard — 27001, 9001, 42001 among others — follows the same Annex SL high-level structure for clauses 4 through 10. The clause titles are identical; only the AI- or security-specific content within each clause differs.

ISO 27001ISO 420014 Context4 Context5 Leadership5 Leadership6 Planning6 Planning7 Support7 Support8 Operation8 Operation9 Evaluation9 Evaluation10 Improvement10 Improvement
Both standards share the identical Annex SL clause structure — this is what makes running them together practical.

What's Genuinely New in ISO 42001

  • AI system lifecycle management — design, development, verification, deployment and retirement controls specific to AI, absent from 27001
  • AI-specific data governance — training, validation and testing data quality and provenance, distinct from general information security data controls
  • Responsible AI use controls — including use of third-party AI models, which 27001 doesn't address as a distinct control area
  • AI impact assessment requirements tied to the system's specific purpose and affected stakeholders

Annex A Side by Side

ISO 27001 Annex A93controls, 4 themesISO 42001 Annex A38controls, 9 categories
ISO 27001's Annex A is much larger and security-focused; ISO 42001's is smaller and AI-lifecycle-focused.
ISO 27001 Annex AISO 42001 Annex A
Total controls9338
Structure4 themes (organizational, people, physical, technological)9 categories (A.2 through A.10)
FocusInformation security broadlyAI system lifecycle and responsible AI use
Overlap with the other standardSome organizational/policy controls conceptually similarSome organizational/policy controls conceptually similar

Can You Run Them as One Integrated Management System?

Yes, and many organizations do. Because clauses 4-10 share the same structure, a single set of policies, internal audit program and management review process can cover both standards, with each standard's Annex A maintained separately underneath. This is the same pattern organizations already use to combine ISO 27001 with ISO 9001 or other management-system standards.

Certification Process Differences

The audit process itself is structurally identical — Stage 1 documentation review, Stage 2 operational evidence review, then 3-year certification with annual surveillance. The difference is entirely in scope: an ISO 42001 auditor is checking AI-specific evidence (model documentation, AI risk assessments, training data governance) rather than the security controls a 27001 auditor checks.

Which Should You Get First?

Your situationRecommendation
No existing ISO certification, building AI productsConsider both together — shared clause work reduces total effort versus doing them sequentially
Already ISO 27001 certified, expanding into AIPursue ISO 42001 second — reuse existing clause 4-10 infrastructure
Building AI products but with minimal broader security maturityISO 27001 first — AI-specific governance is harder to sustain without basic security foundations

Cost and Effort Implications of Doing Both

Running both from scratch simultaneously costs meaningfully less than doing them fully sequentially, because clause 4-10 documentation, internal audit programs and management review processes are largely shared infrastructure — the incremental cost of the second standard is mostly the Annex A-specific work, not a full second management system.

Common Misconceptions

  • "ISO 27001 already covers our AI risk." It covers information security risk to AI systems as IT assets, not AI-specific risks like model bias, hallucination, or AI lifecycle governance.
  • "They're competing standards." They're complementary — designed to be run together, not as alternatives to choose between.
  • "ISO 42001 replaces the need for AI-specific regulation compliance." It doesn't automatically satisfy the EU AI Act or other AI laws, though the underlying work overlaps substantially.

Primary Sources

Where Unorma Fits

Both frameworks, mapped

Unorma’s ISO 42001 framework maps directly to the standard’s clauses and Annex A controls, and gap analysis highlights where evidence you already have — including from an existing ISO 27001 program — carries over. See the complete ISO 42001 certification requirements checklist for the full requirement breakdown.

Frequently asked questions

Does ISO 27001 certification satisfy ISO 42001 requirements?

No — they share clause structure but different Annex A control sets. ISO 27001 doesn't address AI-specific risks like model lifecycle governance or AI training data provenance, which are core to ISO 42001.

Can we get ISO 42001 certified without ISO 27001?

Yes, ISO 42001 is a standalone standard and doesn't require ISO 27001 as a prerequisite, though organizations with existing ISO 27001 programs typically move faster.

How many controls does each standard have?

ISO 27001:2022 has 93 Annex A controls across 4 themes. ISO 42001:2023 has 38 Annex A controls across 9 categories.

Is it cheaper to pursue both standards together or separately?

Together, in most cases — clauses 4-10 infrastructure (policies, internal audit, management review) can largely be shared, so the incremental cost of the second standard is mainly its Annex A-specific work.

Which standard should a company pursue first?

It depends on maturity: organizations with minimal security foundations often benefit from ISO 27001 first, while those with existing security programs expanding into AI should generally pursue ISO 42001 second, building on existing infrastructure.

Does ISO 42001 certification help with EU AI Act compliance?

It helps substantially — much of the underlying risk management, documentation and governance work overlaps — but certification alone doesn't automatically satisfy EU AI Act legal obligations, which have their own specific requirements.

What's the biggest misconception about these two standards?

That they're competing or redundant. They're designed to be complementary, sharing management-system infrastructure while addressing genuinely different risk domains.

About the author

Zofia Kubiak
Zofia Kubiak

Compliance Specialist

Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.

View full profile