ISO 27001 for AI Companies: Why ISO 42001 Alone Is Not Enough

Muhammad Waleed, Lead Consultant, Pixelette Certified

Here is a claim you will hear from AI-native consultancies pitching ISO 42001 implementation: "You don't need ISO 27001 if you have ISO 42001. The AI standard is built on the management system backbone and covers everything you need." It is half true. And the half that is wrong will cost you a deal. This guide explains why AI companies almost always need both standards, what each one actually covers, and how to sequence the dual programme without paying for two certifications independently.

ISO/IEC 42001:2023 inherits its management system architecture from the ISO Annex SL framework, the same backbone shared by ISO 27001, ISO 9001, ISO 22301 and every other modern ISO management system standard. That means an ISO 42001 AIMS shares clauses 4 to 10 with ISO 27001 in structural form: context of the organisation, leadership, planning, support, operation, performance evaluation, and improvement. If you implement ISO 42001 properly, you do build a management system that looks superficially like an ISO 27001 ISMS. But ISO 42001's controls address AI-specific risk: model governance, data quality for training, transparency, human oversight, bias and fairness, lifecycle management, and impact assessment. ISO 27001's 93 Annex A controls address information security risk: access controls, cryptography, physical security, operations security, communications security, supplier relationships, and incident management. The two control sets overlap in roughly 15 percent of areas. They are not substitutes for each other.

Take a typical enterprise vendor security questionnaire of approximately 40 questions. Roughly 75 percent of the questions are ISO 27001 territory: information security controls, data protection and privacy, incident response and breach notification, third-party risk management, business continuity, and physical and environmental security. Roughly 25 percent are ISO 42001 territory: AI governance, model risk, bias, transparency, training data provenance and quality, and human oversight and explainability. If you only hold ISO 42001, you will satisfy the buyer on the AI-specific questions and fail them on everything else.

There is a structural reason ISO 27001 is asked for first. ISO 27001 has been the international information security standard since 2005. It has twenty years of buyer recognition, IRCA-registered auditors, UKAS-accredited certification bodies, and integration into procurement frameworks across every regulated industry. ISO 42001 was published in December 2023. Procurement teams trust certifications they recognise. Even buyers who specifically care about AI governance will check the ISO 27001 box first, because it tells them you understand the broader information security discipline. Selling ISO 42001 without ISO 27001 to a sophisticated enterprise buyer is like applying for a senior role with a master's degree but no undergraduate degree. The qualification is impressive, but the gap is conspicuous.

For an AI company without either certification, the most efficient path is a combined ISO 27001 plus ISO 42001 programme. The dual programme runs roughly as follows: Weeks 1 to 4, joint scoping, with the ISMS scope and AIMS scope drafted together; Weeks 2 to 8, ISO 27001 documentation and control implementation; Weeks 6 to 12, ISO 42001 documentation, AI inventory, and AI-specific control implementation leveraging the ISMS backbone; Weeks 10 to 12, internal audit covering both management systems; and Weeks 12 to 16, Stage 1 and Stage 2 audits conducted as combined sessions where the certification body permits. Total elapsed time: 14 to 16 weeks for both certifications. Total cost: typically 35 to 45 percent lower than running the two programmes sequentially.

There is one scenario where starting with ISO 42001 alone makes sense. If you already hold ISO 27001 and a buyer has asked specifically about AI governance, the standalone ISO 42001 extension is the right move. It is a 10 to 14 week add-on rather than a parallel programme, and it inherits the management system you already operate. Outside that scenario, the answer is both, sequenced together. Founders who try to win the AI governance argument with ISO 42001 alone find they have spent 12,000 pounds on a certification their procurement reviewer does not yet recognise, while the 15,000 pounds they did not spend on ISO 27001 is what their reviewer actually wanted to see.

If your buyers are sophisticated enterprises with structured procurement processes, hold both. If your buyers are AI-native scale-ups and your differentiator is AI governance leadership specifically, ISO 42001 first is defensible. Most companies sit in the first category and assume they sit in the second.
