
ISO 42001 vs ISO 27001: Do You Need Both?

15 April 2026 · 12 min read

If your organisation already holds ISO 27001 certification and is now hearing about ISO 42001, you're probably asking one of two questions: "Is this the same thing with a different number?" or "Do I really need another certification?"

The short answer: they are not the same thing, and whether you need both depends on how your organisation uses AI. But here's the important part – if you already have ISO 27001, you're significantly closer to ISO 42001 than you might think.

This guide breaks down how the two standards compare, where they overlap, where they diverge, and how to decide what makes sense for your organisation in 2026.


The One-Line Difference

ISO 27001 protects your information. ISO 42001 governs how your AI systems use that information.

ISO 27001 asks: "Is your data secure?" ISO 42001 asks: "Is your AI behaving responsibly?"

Both are management system standards. Both are certifiable. Both follow the same high-level structure. But they address fundamentally different risks.


What Each Standard Does

ISO/IEC 27001:2022 – Information Security Management

ISO 27001 is the globally recognised standard for establishing, implementing, and maintaining an Information Security Management System (ISMS). It's been the cornerstone of information security governance since 2005, with the current version published in 2022.

It focuses on:
  • Protecting the confidentiality, integrity, and availability of information assets
  • Managing information security risks through a structured, auditable framework
  • Implementing controls drawn from the 93 Annex A controls, grouped into four themes: organisational, people, physical, and technological
  • Continuous improvement through internal audits, management reviews, and surveillance cycles

ISO 27001 is well-established in Australia. CPS 234 itself is standard-agnostic, but APRA's supporting guidance points to the ISO 27000 series as a recognised benchmark for financial services; it is similarly used as a benchmark in government procurement alongside the PSPF and DISP, and is increasingly expected by enterprise buyers, insurers, and trading partners.

ISO/IEC 42001:2023 – AI Management Systems

ISO 42001, published in December 2023, is the first international standard dedicated to AI Management Systems (AIMS). It provides a framework for the responsible development, deployment, and use of AI systems.

It focuses on:
  • Governing the entire AI lifecycle – from design and data collection through to deployment, monitoring, and decommissioning
  • Managing AI-specific risks including bias, fairness, transparency, explainability, and societal impact
  • Conducting AI system impact assessments – evaluating potential consequences for individuals, groups, and society
  • Ensuring human oversight of AI decision-making
  • Maintaining accountability and traceability for AI outputs

Where ISO 27001 has 93 Annex A controls, ISO 42001 has 38, organised under nine control objectives: policies related to AI, internal organisation, resources for AI systems, assessing impacts of AI systems, the AI system life cycle, data for AI systems, information for interested parties, use of AI systems, and third-party and customer relationships.

Side-by-Side Comparison

Dimension | ISO 27001 | ISO 42001
Full title | Information Security Management Systems | Artificial Intelligence Management Systems
First published | 2005 (current edition 2022) | December 2023
Core question | Is your information secure? | Is your AI responsible?
Management system | ISMS | AIMS
Annex A controls | 93 controls across 4 themes | 38 controls across 9 control objectives
Risk focus | Data breaches, unauthorised access, system compromise | Bias, opacity, unintended outcomes, societal harm
Key artefact | Statement of Applicability (SoA) | SoA + AI System Impact Assessment
Audit evidence | Access control logs, encryption configs, incident records, security policies | Model cards, bias testing results, data lineage, explainability reports, human oversight logs
Certification bodies | JAS-ANZ accredited bodies (BSI, SAI Global, Bureau Veritas, DNV, etc.) | Emerging; the same accredited bodies are expanding their scope
Australian regulatory alignment | Privacy Act (APP 11), APRA CPS 234, SOCI Act, PSPF/DISP | Voluntary AI Safety Standard, Guidance for AI Adoption, proposed mandatory guardrails
Market maturity | Well-established; thousands of Australian organisations certified | Early adoption phase; rapid growth expected through 2026-2027

Where They Overlap

Both standards share the Annex SL high-level structure (now called the harmonized structure) – the common framework ISO uses across all of its management system standards. This means the core clause architecture is identical:
  • Clause 4 – Context of the organisation
  • Clause 5 – Leadership and commitment
  • Clause 6 – Planning (risk assessment, objectives)
  • Clause 7 – Support (resources, competence, awareness, documentation)
  • Clause 8 – Operation
  • Clause 9 – Performance evaluation
  • Clause 10 – Improvement

In practical terms, this means organisations certified to ISO 27001 can typically reuse a substantial share of their existing documentation and processes when implementing ISO 42001 – commonly estimated at around 50-60%, though the exact figure depends on how mature the ISMS is and how much AI the organisation runs. Your risk management framework, internal audit programme, management review process, document control, and continual improvement mechanisms all carry across. Specific areas of overlap include:
  • Risk assessment methodology and risk treatment planning
  • Policy development and governance structures
  • Competence requirements and training programmes
  • Internal audit and management review processes
  • Incident management and corrective action procedures
  • Supplier and third-party management
  • Data governance and access controls

If you've already done the hard work of building a mature ISMS, you're not starting from scratch – you're extending it.

Where They Diverge

The differences become clear when you look at what each standard asks you to assess, document, and control.

1. Risk Scope

ISO 27001 assesses risks to information assets – threats to confidentiality, integrity, and availability. ISO 42001 assesses risks from AI systems – unintended outputs, bias in decision-making, lack of transparency, harm to individuals or groups, and broader societal impact.

An AI chatbot that provides inaccurate medical advice is an ISO 42001 risk. The database behind it being breached is an ISO 27001 risk. Both are real. Both need managing. But they require different assessment approaches.

2. Impact Assessments

ISO 42001 introduces AI system impact assessments, which have no equivalent in ISO 27001. These go beyond traditional risk assessment to evaluate the potential consequences of AI deployment on individuals, groups, and society. This includes considering fairness, discrimination, autonomy, and human rights – dimensions that fall outside information security entirely.

3. AI Lifecycle Governance

ISO 42001 requires organisations to govern AI systems across their entire lifecycle: design, data collection and preparation, model training, testing and validation, deployment, monitoring, and decommissioning. This lifecycle approach introduces controls around data quality, model documentation (model cards are the common format, though the standard does not mandate one), performance monitoring, drift detection, and responsible retirement of AI systems.

ISO 27001 has no equivalent. Its secure development controls cover the software lifecycle in general, but it doesn't prescribe how an AI model should be trained, validated, documented, or retired.

4. Transparency and Explainability

ISO 42001 requires organisations to ensure that AI decision-making is transparent and, where appropriate, explainable to affected parties. This means being able to articulate why an AI system made a particular decision – a requirement that touches product design, technical architecture, and stakeholder communication.

5. Human Oversight

While ISO 27001 addresses access controls and authorisation, ISO 42001 specifically requires meaningful human oversight of AI systems. This means defining when and how humans can intervene in AI decision-making, and ensuring that accountability sits with a competent person, not the algorithm.

6. Organisational Role in the AI Ecosystem

ISO 42001 requires organisations to understand their role in the AI value chain – as a provider, developer, or user of AI systems. This role determination affects which controls are applicable. A company that builds AI models faces different obligations than one that deploys a third-party AI tool.

7. Audit Evidence

The evidence an auditor expects is fundamentally different. ISO 27001 auditors look for access control logs, encryption configurations, network diagrams, and incident records. ISO 42001 auditors look for model cards, bias testing results, data lineage documentation, explainability reports, human oversight logs, and model performance metrics.


The Australian Context

Australia's AI regulatory landscape is evolving rapidly, and understanding where it's headed helps inform whether ISO 42001 makes strategic sense for your organisation.

Current State (2026)

Australia does not yet have AI-specific legislation. The regulatory approach relies on existing technology-neutral laws – primarily the Privacy Act 1988, APRA CPS 234, the SOCI Act, and sector-specific guidance from regulators like ASIC and the ACCC.

The Australian Government published a Voluntary AI Safety Standard in September 2024, followed by updated Guidance for AI Adoption in October 2025. Notably, the Voluntary AI Safety Standard explicitly aligns with ISO/IEC 42001 and the NIST AI Risk Management Framework (RMF 1.0).

The Senate Select Committee on Adopting AI has recommended that Australia move towards mandatory guardrails for high-risk AI applications. The Government has committed AUD 29.9 million to establish an Australian AI Safety Institute, which became operational in early 2026.

Where It's Heading

While Australia hasn't legislated mandatory AI guardrails yet, the direction of travel is clear. The proposed mandatory guardrails for high-risk AI closely mirror the voluntary standard – and both align with ISO 42001. Organisations that implement ISO 42001 now will be well-positioned when mandatory requirements arrive.

Additionally, from December 2026, Privacy Act amendments will require organisations to disclose in their privacy policies when substantially automated decisions significantly affect individuals' rights or interests. This directly intersects with ISO 42001's transparency and human oversight requirements.

The Commercial Signal

Beyond regulation, the market is moving. Enterprise buyers, particularly those in financial services, healthcare, and government, are beginning to ask about AI governance in procurement and vendor assessment processes. ISO 42001 certification provides a structured, auditable way to answer those questions – just as ISO 27001 does for information security.


Do You Need Both?

Here's a practical decision framework:

You Likely Need ISO 27001 Only If:

  • Your organisation handles sensitive data but does not develop, deploy, or significantly rely on AI systems
  • Your AI usage is limited to general-purpose tools (e.g. using a chatbot for basic queries) with no material impact on business decisions or individuals
  • Your customers and regulators are asking about information security, not AI governance

You Should Consider ISO 42001 If:

  • You develop or deploy AI systems that influence decisions affecting individuals (hiring, lending, medical, insurance, customer service)
  • AI is embedded in your products or core service delivery
  • You're in a regulated industry where AI governance is becoming an expectation (financial services, healthcare, government)
  • Enterprise clients or government procurement processes are asking about your AI governance practices
  • You want to get ahead of Australia's mandatory AI guardrails before they arrive

You Likely Need Both If:

  • You develop or deploy AI systems that process sensitive data
  • Your AI systems make or support decisions that have material consequences for individuals
  • You operate in a regulated industry with both information security obligations (APRA CPS 234) and emerging AI governance expectations
  • You're pursuing government contracts where both PSPF alignment and responsible AI are assessed
  • You want a comprehensive governance framework that covers the data your AI uses (ISO 27001) and how your AI uses it (ISO 42001)
---

Building on ISO 27001 to Reach ISO 42001

If you already hold ISO 27001 certification, the path to ISO 42001 is significantly shorter than starting from scratch. Commonly cited practitioner estimates put ISO 27001-certified organisations at 30-40% faster to ISO 42001 readiness than those without an existing management system.

Here's what you can leverage and what you'll need to build:

What Carries Over (~50-60%)

  • Management system framework (governance, leadership commitment, policies)
  • Risk assessment and treatment methodology
  • Internal audit programme and management review processes
  • Document control and records management
  • Competence and training frameworks
  • Supplier and third-party management
  • Incident management and corrective action processes

What You Need to Add

  • AI-specific risk assessment covering bias, fairness, transparency, and societal impact
  • AI system impact assessments for each AI deployment
  • AI lifecycle governance (design through to decommissioning)
  • Model documentation (model cards, data lineage, performance metrics)
  • Transparency and explainability controls
  • Human oversight frameworks with defined intervention points
  • AI inventory – a comprehensive register of all AI systems in use
  • A Statement of Applicability covering ISO 42001's 38 Annex A controls (ISO 42001 requires its own SoA; in an integrated system it can sit alongside the ISO 27001 SoA)

The Integrated Approach

The most efficient path is to build an integrated management system (IMS) that addresses both standards simultaneously. Because they share the same high-level structure, you can maintain a single governance framework, a single internal audit programme, and a single management review process – with domain-specific controls for information security (ISO 27001) and AI governance (ISO 42001).

Integrated audits can assess both standards at the same time, reducing audit burden and cost. Several JAS-ANZ accredited certification bodies are expanding their scope to offer integrated ISO 27001 + ISO 42001 audits.


Getting Started

Whether you're considering ISO 42001 on its own or as an extension of your existing ISO 27001 certification, here are practical first steps:

  1. Conduct an AI inventory. You can't govern what you can't see. Document every AI system in use across your organisation – including tools your staff may be using without formal approval (shadow AI). Our ISO 42001 Readiness Quiz gives you a quick starting point.
  2. Map your existing controls. If you have ISO 27001, map your current ISMS documentation and processes against ISO 42001's requirements. You'll likely find more overlap than you expect.
  3. Assess your AI risk profile. Not all AI deployments carry the same risk. A recommendation engine for internal knowledge management is different from an AI system that influences lending decisions. Prioritise governance for high-impact systems.
  4. Understand your role in the AI ecosystem. Are you developing AI, deploying third-party AI, or both? Your ISO 42001 obligations differ based on your role.
  5. Talk to your certification body. If you're already certified to ISO 27001, your existing certification body may offer integrated audit pathways for ISO 42001.
---

---

CyberNinja Consulting is a Sydney-based cybersecurity advisory firm providing virtual CISO services to Australian and New Zealand businesses. We help organisations navigate both information security and AI governance – from ISO 27001 certification through to ISO 42001 implementation. Get in touch to discuss which frameworks are right for your organisation.

Tags: AI Governance, ISO 42001, ISO 27001, Compliance
