ISO 27001 vs ISO 42001: how to run them as one integrated management system

AI governance is now a load-bearing part of how serious organizations build and deploy AI. Done well, it covers legal, operational and ethical risk in one frame and keeps those controls aligned with the business. Done poorly, you end up with two (or five) parallel compliance programs fighting each other.
The good news is that the relevant standards were designed to stack. ISO/IEC 42001, published in December 2023, defines an AI Management System (AIMS). It follows the same ISO management-system blueprint (Annex SL, the Harmonized Structure, formerly called the High-Level Structure) as ISO 9001 (quality), ISO 14001 (environment), ISO/IEC 20000-1 (IT service), ISO/IEC 27001 (information security) and ISO 50001 (energy). If you have ever implemented any of these, ISO 42001 will feel familiar.
ISO/IEC 27001, first published in 2005 and now in its 2022 edition, is the one with the most direct bearing on AI. Its Information Security Management System (ISMS) protects the confidentiality, integrity and availability of information. Every AI system is trained on data, serves data and stores data (training sets, model weights, prompts and outputs are all information assets), so ISO 27001 is already in scope whether you have declared it or not.
The rest of this post compares the two standards, walks through where the work overlaps, and explains how to run them as one integrated management system. If you only take one thing away: ISO 27001 vs ISO 42001 is the wrong framing. The right framing is ISO 27001 and ISO 42001, managed together.
How the two standards differ and where they overlap
| Dimension | ISO 27001 (ISMS) | ISO 42001 (AIMS) |
|---|---|---|
| Aim | Protect confidentiality, integrity and availability of information assets | Ensure trustworthy, ethical, compliant development and use of AI systems |
| Risk focus | Cyber threats, data breaches, unauthorized access, insider threats, operational disruption | Algorithmic bias, lack of transparency, model drift, over-reliance on automation, societal impact |
| Stakeholders | IT, security officers, compliance managers, data owners, system admins | AI developers, product managers, governance teams, ethics boards, end users, regulators |
| Regulatory anchor | Commonly used to evidence security obligations under GDPR (e.g. Art. 32) and other privacy/security law | EU AI Act and emerging AI-specific regulation |
| Shared features | Harmonized Structure (Annex SL), risk-based approach, leadership involvement, documented evidence, internal audits and management review | Same |
| Joint use cases | Healthcare, finance, public sector: AI systems handling sensitive data need secure data handling | Same systems also need ethical, transparent AI, so both standards apply at once |
The point of the table is simple: the two standards are structurally aligned, conceptually complementary, and in most real deployments they apply to the same systems at the same time. Running them as two separate programs wastes effort.
The rest of this article explains how both standards are implemented inside the Modulos AI Governance Platform and why the right architecture is an Integrated Management System (IMS) that lets you run multiple standards as one traceable whole.
The Modulos governance taxonomy
In an earlier piece we introduced the Modulos AI governance taxonomy, the ontology that translates regulatory frameworks into actionable components. It is the content backbone of the platform.
The taxonomy identifies atomic, actionable units of work called Controls. Each Control is a specific implementation task that addresses an AI risk and satisfies a legal or regulatory Requirement. Controls are not bound to a single framework. That independence is what makes cross-framework reuse possible while preserving traceability back to each source Requirement.
The Risk Module links Risks directly to the assets at risk. Users perform risk management using information captured in the associated Controls (identification, assessment, mitigation, monitoring). This keeps technical teams and risk managers on the same record and makes risk management consistent across frameworks rather than a separate track.
Figure 1: Modulos governance taxonomy aligned to ISO 27001 and ISO 42001.
ISO-centric content and structure
The platform mirrors the content and structure of both standards so that implementation, review and audit all operate on the same object.
Content fidelity. Practitioners get implementation guidance supported by AI agents. Evidence is uploaded directly against each Requirement. Governance leads generate the Statement of Applicability (SoA). Auditors work against the full ISO requirement set.
Structural alignment. The platform follows the ISO top-down structure from organizational context through evaluation, so traceability is maintained end to end.
| ISO layer | Purpose | Description | Modulos equivalent |
|---|---|---|---|
| Requirements | High-level what | Expectations and obligations in the main chapters of each standard | Requirements |
| Controls | Low-level what | Specific, actionable measures that meet Requirements and manage risks. Every Annex A Control must be addressed in the SoA: either applied, or excluded with a documented justification. Custom Controls may be added. | Controls |
| Guidance | Low-level how | Recommended implementation approaches (e.g. ISO 42001 Annex B, or ISO/IEC 27002 for the ISO 27001 Annex A controls). Guidance is optional and does not enter the SoA. | Guidance |
Shared controls and efficiency gains
This is where integration stops being theory and starts saving time.
The Harmonized Structure is shared. Clauses 4 (context), 5 (leadership), 6 (planning), 7 (support), 8 (operation), 9 (performance evaluation) and 10 (improvement) are structurally identical across ISO 27001 and ISO 42001. If your ISMS already has a defined organizational context, management commitment, documented-information procedures, an internal-audit programme and a management-review cadence, all of that extends directly to your AIMS. You do not rebuild; you reuse. The one thing you must still do separately is state the scope of each system (clause 4.3): the ISMS and AIMS scopes may differ, and the auditor will check both.
Annex A and Annex A overlap materially. ISO 27001 Annex A (information security controls) and ISO 42001 Annex A (AI-specific controls) are distinct sets, but they address overlapping concerns around data handling, access control, change management, incident response, supplier relationships, and documentation. When an AI system processes personal or otherwise sensitive data, the same control can satisfy both standards: one access-control policy, one change-management procedure, one incident-response playbook, both audited. The caveat is evidence scope: a reused control only counts for the AIMS if its documented scope and evidence actually cover the AI assets (training data, model artifacts, pipelines, prompts and outputs), not just the production information systems the ISMS was originally written for.
Practical reuse rate: roughly half. In our experience with customers running both standards together, around 50% of controls can be reused when extending from ISO 27001 to ISO 42001. The remaining 50% are genuinely AI-specific: bias assessment, model drift monitoring, impact assessment, data quality for training, responsible AI use. These have no ISO 27001 equivalent and need to be built fresh.
Integrated audit programmes. Both standards require an internal audit programme (clause 9.2) and management review (clause 9.3). Run them once. One audit schedule that covers both scopes, one management review that covers both risks and performance. Accredited certification bodies run integrated management-system audits routinely (IAF MD 11 covers them) and usually price a combined audit below two separate Stage 1 and Stage 2 cycles. This is a direct cost saving that compounds with each surveillance and recertification cycle.
One risk register, two lenses. A data-protection risk under ISO 27001 is usually the same underlying risk as a privacy-or-security risk under ISO 42001. Maintain one register, tag each risk with the standards it maps to, and run one treatment lifecycle. Separate registers produce drift, contradiction and duplicate work. Note that ISO 42001 additionally requires an AI system impact assessment (clause 6.1.4) that looks at effects on individuals and society; the shared register needs fields for that, because ISO 27001 risk assessment has no equivalent.
Modular controls
The platform is built to simplify compliance across multiple standards by reusing and extending Controls.
Reusable. Because ISO 27001 and ISO 42001 overlap substantially, many Controls do double duty. A single "Context Assessment" Control can contribute to both SoAs even when the scopes differ. Shared evidence (org charts, policy templates) often satisfies multiple Requirements. The platform keeps each Requirement distinct but makes completeness visible across frameworks.
Extensible. All Annex Controls are mapped to their Requirements, so each standard yields its own SoA from the same base. Where Requirements are complex or heterogeneous, the platform proposes additional reusable Controls to close gaps and reduce interpretation load.
Granular. Controls only work if they are actionable. That means a clear purpose, assigned accountability, and a well-defined implementation scope. The right level of detail is a judgment call: too broad and Controls lose precision; too detailed and they become overwhelming or detached from operational reality.
Harmonized risks
Requirements and Controls exist to close real risks, not just to pass audits.
Consider the risk of unauthorized access to a dataset containing personal data, treated by a data-protection Control. You assess the risk in terms of likelihood and impact, and the Control in terms of whether it reduces one or both. The full lifecycle (identification, mitigation, monitoring, accountability) is close to identical whether the Control is in scope of ISO 27001 or ISO 42001. This is another argument for harmonizing Controls across standards and managing Risks in one consistent register rather than duplicating them per framework.
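The mechanics described in the "Shared controls", "Modular controls" and "Harmonized risks" sections above (one Control mapped to Requirements in several standards, one SoA generated per standard from that shared base, coverage gaps made visible per framework, and one risk register whose entries inherit their standards from the Controls that treat them) come down to a small data model. The following is an added example written for this article, not Modulos platform code; the framework names, Requirement and Control identifiers, evidence filenames and the risk entry are constructed placeholders, not clause or control numbers from either standard.

```python
"""Toy cross-framework control mapping (added example, not Modulos code).

All identifiers below are constructed for illustration; they are not ISO
clause or Annex A control numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    id: str
    framework: str   # the standard this Requirement belongs to
    text: str


@dataclass
class Control:
    id: str
    purpose: str
    owner: str               # assigned accountability
    requirements: frozenset  # Requirement ids this Control satisfies, across standards
    evidence: tuple = ()     # uploaded evidence items (filenames are placeholders)
    applicable: bool = True
    justification: str = ""  # mandatory when a Control is excluded from the SoA


@dataclass(frozen=True)
class Risk:
    id: str
    asset: str
    likelihood: int          # 1 (rare) .. 5 (frequent)
    impact: int              # 1 (negligible) .. 5 (severe)
    treated_by: frozenset    # Control ids that mitigate this Risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def frameworks_of(control: Control, req_index: dict) -> set:
    """Standards a Control contributes to, derived from the Requirements it maps to."""
    return {req_index[rid].framework for rid in control.requirements}


def statement_of_applicability(framework: str, controls: list, req_index: dict) -> list:
    """One SoA row per Control that maps to the framework: applied, or excluded with a reason."""
    rows = []
    for c in controls:
        covered = sorted(r for r in c.requirements if req_index[r].framework == framework)
        if not covered:
            continue
        if not c.applicable and not c.justification:
            raise ValueError(f"{c.id}: an excluded Control needs a documented justification")
        rows.append({"control": c.id, "applicable": c.applicable, "requirements": covered,
                     "evidence": len(c.evidence), "justification": c.justification})
    return rows


def coverage_gaps(framework: str, controls: list, req_index: dict) -> list:
    """Requirements of a framework that no Control addresses (an exclusion with a reason counts)."""
    addressed = {rid for c in controls for rid in c.requirements}
    return sorted(r.id for r in req_index.values()
                  if r.framework == framework and r.id not in addressed)


def shared_controls(controls: list, req_index: dict) -> list:
    """Applicable Controls that do double duty across more than one standard."""
    return sorted(c.id for c in controls if c.applicable and len(frameworks_of(c, req_index)) > 1)


def reuse_rate(existing: str, new: str, controls: list, req_index: dict) -> float:
    """Share of the new framework's applicable Controls that already served the existing one."""
    target = [c for c in controls if c.applicable and new in frameworks_of(c, req_index)]
    reused = [c for c in target if existing in frameworks_of(c, req_index)]
    return len(reused) / len(target) if target else 0.0


def risk_lenses(risk: Risk, controls_by_id: dict, req_index: dict) -> list:
    """Standards a single register entry maps to, inherited from its treating Controls."""
    lenses = set()
    for cid in risk.treated_by:
        lenses |= frameworks_of(controls_by_id[cid], req_index)
    return sorted(lenses)


# Constructed sample data: two standards, a handful of Requirements, one shared Control set.
REQUIREMENTS = [
    Requirement("R-27001-CONTEXT", "ISO27001", "Determine issues relevant to the ISMS"),
    Requirement("R-27001-ACCESS", "ISO27001", "Restrict access to information assets"),
    Requirement("R-27001-CHANGE", "ISO27001", "Control changes to processing facilities"),
    Requirement("R-27001-INCIDENT", "ISO27001", "Plan and respond to security incidents"),
    Requirement("R-27001-PHYSICAL", "ISO27001", "Protect physical entry to secure areas"),
    Requirement("R-42001-CONTEXT", "ISO42001", "Determine issues relevant to the AIMS"),
    Requirement("R-42001-ACCESS", "ISO42001", "Control access to training data and model artifacts"),
    Requirement("R-42001-BIAS", "ISO42001", "Assess and mitigate bias in AI outputs"),
    Requirement("R-42001-DRIFT", "ISO42001", "Monitor deployed models for drift"),
    Requirement("R-42001-IMPACT", "ISO42001", "Assess AI system impact on individuals and society"),
]
REQ_INDEX = {r.id: r for r in REQUIREMENTS}

CONTROLS = [
    Control("C-CONTEXT", "Context assessment", "CISO",
            frozenset({"R-27001-CONTEXT", "R-42001-CONTEXT"}), ("context-workshop.md",)),
    Control("C-ACCESS", "Role-based access to data stores and model registry", "Platform eng",
            frozenset({"R-27001-ACCESS", "R-42001-ACCESS"}), ("access-policy.pdf", "iam-roles.json")),
    Control("C-CHANGE", "Change management for production", "Platform eng",
            frozenset({"R-27001-CHANGE"}), ("change-procedure.pdf",)),
    Control("C-INCIDENT", "Incident response playbook", "SOC",
            frozenset({"R-27001-INCIDENT"}), ("ir-playbook.pdf",)),
    Control("C-PHYSICAL", "Physical entry controls", "Facilities", frozenset({"R-27001-PHYSICAL"}),
            applicable=False, justification="Fully cloud-hosted; provider attestation reviewed under supplier control"),
    Control("C-BIAS", "Pre-release bias assessment", "Data science", frozenset({"R-42001-BIAS"}), ("bias-report.pdf",)),
    Control("C-DRIFT", "Model drift monitoring", "ML ops", frozenset({"R-42001-DRIFT"})),
]
CONTROLS_BY_ID = {c.id: c for c in CONTROLS}

# One register entry, tagged with both standards through the Control that treats it.
RISKS = [Risk("RISK-1", "training dataset containing personal data", 3, 4, frozenset({"C-ACCESS"}))]

if __name__ == "__main__":
    for fw in ("ISO27001", "ISO42001"):
        print(fw, "SoA:", statement_of_applicability(fw, CONTROLS, REQ_INDEX))
        print(fw, "gaps:", coverage_gaps(fw, CONTROLS, REQ_INDEX))
    print("shared:", shared_controls(CONTROLS, REQ_INDEX))
    print("reuse 27001 -> 42001:", reuse_rate("ISO27001", "ISO42001", CONTROLS, REQ_INDEX))
    print("RISK-1 lenses:", risk_lenses(RISKS[0], CONTROLS_BY_ID, REQ_INDEX), "score", RISKS[0].score)
```

Two design points carry the article's argument. First, `coverage_gaps` treats an excluded Control with a justification as addressed, because that is what the SoA records, but it reports the AI impact-assessment Requirement as a gap, since nothing in the ISMS-derived Control set maps to it; that is exactly the "build fresh" half of the reuse picture. Second, a Risk carries no framework tag of its own: its lenses are derived from the Controls that treat it, so one register stays consistent with the Control mapping instead of drifting into a second source of truth.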
Organization-level vs application-level execution
Both standards include organization-level Requirements: setting policies, defining context, managing risk. Those are flagged as organization-level in the platform. Application-level frameworks put the principles to work through technical measures like bias mitigation or access controls, and those are labeled accordingly.
The distinction matters because it maps directly onto who owns the work. Strategy and governance sit at the organization level. Engineering and data science sit at the application level. The same taxonomy lets both teams see how their work fits the same compliance obligations.
Conclusion
ISO 27001 and ISO 42001 solve different problems but share a structure. Run separately they produce duplicate work. Run together they produce an Integrated Management System where a single Control can close multiple Requirements and a single Risk register serves both domains.
The Modulos platform is built around this integration. Requirements, Controls and Guidance are reusable, granular and standards-aligned, which means organizations implement both frameworks without duplication and with full traceability from policy to technical safeguard.
If you are preparing for ISO 42001 certification and already run (or plan to run) an ISO 27001 ISMS, this is the architecture that keeps both auditable without doubling your compliance headcount. Contact us for a demo.