If your organization already holds ISO/IEC 27001, you are not starting your ISO/IEC 42001 journey from zero. In our experience, teams with a mature information security management system find that a large share of the governance machinery carries straight over. What does not carry over is the part that matters most for AI: the controls that govern how AI systems are built, trained, monitored, and allowed to make decisions. At Abilene Academy, Switzerland's only PECB Titanium Partner, this is a question we field constantly from teams who have just earned their ISMS certificate and now face the EU AI Act: do we need ISO 42001, and how much of our 27001 work can we reuse? This guide answers both, practically and step by step, using the documents you already have.
The short version
Reuse your management system, not your controls. Clauses 4 to 10 of ISO 27001 map largely, clause for clause, onto ISO 42001, so your governance structure, internal audit programme, and management reviews extend with edits rather than a rebuild. The real work is the AI-specific control set and the AI system impact assessment, which have no equivalent in your ISMS.
ISO 27001 is your head start, not your finish line
ISO 27001 protects information. ISO 42001 governs artificial intelligence. They are built on the same skeleton but answer different questions. Your ISMS asks whether information stays confidential, available, and intact. An AI management system, or AIMS, asks whether your AI systems are fair, transparent, accountable, and safe across their life cycle. A team that treats 42001 as 27001 with an AI sticker fails its first certification audit, because the auditor is looking for evidence of AI governance that an ISMS was never designed to produce.
ISO/IEC 42001:2023 is the first international management system standard for artificial intelligence. It specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system, so that an organization can develop or use AI responsibly.
An AI management system (AIMS) is the set of policies, roles, processes, and controls an organization uses to govern its AI systems, in the same way that an ISMS governs information security.
Here is the honest split: the structure transfers, the substance does not. The diagram below shows which parts of your existing ISMS you reuse, and which parts you build new.
A crosswalk showing the ISO 27001 ISMS as the foundation, the shared Harmonized Structure (Clauses 4 to 10) reused in the middle, and the ISO 42001 AIMS additions on the right: AI-specific Annex A controls, an AI system impact assessment, role classification, and data and life-cycle governance.
What actually carries over from ISO 27001
Both standards follow the ISO Harmonized Structure, the common 10-clause template ISO uses for every modern management system. Clauses 4 through 10 are structurally near-identical in intent. If you have already done this work for your ISMS, you adapt it rather than rebuild it.
Context and interested parties (Clause 4)
You already mapped your internal and external issues and your stakeholders for the ISMS. For the AIMS you extend that map to include AI-specific parties, such as the people affected by automated decisions and the providers of the models you deploy.
Leadership and policy (Clause 5)
Your information security policy and governance structure transfer directly. You add an AI policy and assign accountability for AI, which can sit with the same governance body that already owns the ISMS.
Planning and the management of change (Clause 6)
Your risk methodology carries over as a method. The risk object changes from information assets to AI systems and their impacts, but the process of identifying, evaluating, and treating risk is the one you already run.
Support, awareness, and competence (Clause 7)
Document control, communication, and training processes extend as they are. You add AI-specific competence requirements for the people who build and operate AI systems.
Operation, evaluation, and improvement (Clauses 8 to 10)
Internal audit, management review, nonconformity, and corrective action all reuse your existing ISMS machinery. You widen the scope statement and the audit programme to include the AIMS.
The trap auditors look for
Reusing the management system is correct. Copying your ISO 27001 Statement of Applicability and renaming it is not. The Annex A controls belong to different standards with different objectives, and an auditor who sees information security controls dressed up as AI controls will raise a major nonconformity.
What is genuinely new in ISO 42001
This is where your ISMS gives you no shortcut, and where most of the real implementation effort lives. ISO 42001 introduces its own Annex A control set (commonly cited as 38 reference controls) organized into control areas that cover AI policy, internal organization, resources for AI systems, assessing the impact of AI systems, the AI system life cycle, data for AI systems, information for interested parties, the use of AI systems, and third-party relationships. ISO 27001 has only Annex A. ISO 42001 adds three more annexes that do real work: Annex B gives implementation guidance for each control, Annex C lists potential AI-related objectives and risk sources, and Annex D explains how to apply the AIMS across domains and sectors.
An AI system impact assessment is a structured assessment of the potential consequences of an AI system for individuals, groups, and society, including fairness, safety, and rights. It is required under ISO 42001 and has no equivalent in ISO 27001. ISO/IEC 42005 provides a recognized method for it.
Three additions deserve specific attention, because teams consistently underestimate them. First, the AI system impact assessment is a new discipline, not a renamed risk assessment: it looks outward at the effect of the system on people, where your ISMS risk assessment looks inward at threats to your assets. Second, ISO 42001 requires you to classify your role for each AI system, because a provider that develops a model carries different obligations from a deployer that merely uses one. Third, the standard demands governance over data and over the full life cycle of the model, which is far broader than the data-handling controls in your ISMS.
The AI system life cycle you now have to govern
ISO 42001 expects controls across the whole life of a model: design and objectives, data collection and preparation, development and training, verification and validation, deployment, operation and monitoring, and finally retirement. Each stage introduces its own risks, from biased training data to model drift in production, and each needs evidence that you manage it. For the risk discipline that underpins this, ISO/IEC 23894 gives guidance on AI risk management that complements the 42001 requirements and slots into the same methodology you already use for ISO 27001.
How to extend your ISMS into an AIMS, step by step
Here is the practical sequence we teach in the classroom and run on real implementations. It assumes you hold a current ISO 27001 certificate and want to reach ISO 42001 with the least duplicated effort.
Step 1. Build your AI system inventory
You cannot govern what you have not listed. Inventory every AI system you develop, embed, or use, including third-party tools and any generative AI in daily use. For each, record its purpose, the data it consumes, the decisions it influences, and who owns it. This is the AIMS equivalent of your information asset register, and everything else rests on it.
Step 2. Classify your role for each system
For every system in the inventory, decide whether you are the provider, the developer or producer, or the deployer. The classification sets your obligations under both ISO 42001 and the EU AI Act, so settle it before you scope anything else.
Step 3. Run a gap analysis against ISO 42001 Annex A
Place your existing ISMS controls beside the AI controls in Annex A. You will find that organizational, documentation, and access controls largely transfer, while the AI-specific controls around impact, data quality, transparency, and life cycle are empty. The empty rows are your implementation backlog.
Step 4. Extend your scope and risk criteria
Widen your management system scope statement to cover the AIMS, and add AI risk and impact criteria to your existing methodology. Keep one integrated risk process rather than two parallel ones; auditors and your own team will thank you.
Step 5. Conduct AI system impact assessments
For each high-impact system, run an impact assessment covering fairness, safety, transparency, and effect on individuals, using ISO/IEC 42005 as your method. This is the single most common gap at certification, so do it early and document it well.
Step 6. Build the AI controls and write a Statement of Applicability for the AIMS
Implement the Annex A controls your gap analysis flagged as missing, then produce a fresh Statement of Applicability for the AIMS. Do not reuse the ISMS document; justify each AI control on its own terms.
Step 7. Extend your audit and review machinery, then run an internal audit
Extend your ISO 27001 internal audit programme and management review to include the AIMS, then run a full internal audit against ISO 42001. Treat the findings as your pre-certification dress rehearsal.
Step 8. Reuse audit evidence where it genuinely overlaps
Evidence of management commitment, document control, training records, and corrective-action discipline from your last ISO 27001 surveillance audit can support the AIMS audit directly. Evidence of AI controls, impact assessments, and data governance must be generated new.
Reuse the document, not the content
Your strongest reuse is structural: the same risk register template, the same internal audit checklist format, the same management review agenda. Keep the formats your team already knows, and fill them with AI content. Familiar structure plus new substance is the most efficient honest route to certification.
ISO 27001 and ISO 42001 side by side
ISO 27001 vs ISO 42001 at a glance
What it governs: ISO 27001 protects information; ISO 42001 governs artificial intelligence.
Core question: ISO 27001 asks whether information stays confidential, available, and intact; ISO 42001 asks whether AI systems are fair, transparent, accountable, and safe across their life cycle.
Management clauses: Both follow the ISO Harmonized Structure, Clauses 4 to 10, so the governance machinery is shared and extended rather than rebuilt.
Annex structure: ISO 27001 has Annex A only; ISO 42001 has its own Annex A control set (commonly cited as 38 reference controls) plus Annex B (implementation guidance), Annex C (AI-related objectives and risk sources), and Annex D (application across domains and sectors).
Risk focus: ISO 27001 looks inward at threats to information assets; ISO 42001 looks outward at the impact of AI systems on individuals, groups, and society.
Signature artifact: ISO 27001, the Statement of Applicability for the ISMS; ISO 42001, the AI system impact assessment, together with a separate Statement of Applicability for the AIMS.
Certification: Separate certificates; a current ISO 27001 certificate is the starting point from which the AIMS is extended and audited against ISO 42001.
About us
Abilene Academy has a 99% first-time PECB exam pass rate, with more than 2,500 professionals trained across 120+ countries and more than 600 organizations served. It delivers ISO 27001 and ISO 42001 courses in English, French, and Spanish, with other languages on request.
Why the timing is not optional
The EU AI Act, Regulation (EU) 2024/1689, applies in phases, and a key milestone, 2 August 2026, brings the obligations for general-purpose AI and the Act's governance provisions into effect. The Act reaches beyond the European Union: a Swiss organization that places an AI system on the EU market, or whose AI output is used inside the EU, falls within scope. ISO 42001 is the recognized route to demonstrate the governance the Act expects, which is why teams that already invested in ISO 27001 are extending to 42001 now rather than waiting. Our EU AI Act compliance guide breaks down the obligations and deadlines, and the Swiss picture connects directly to FINMA's expectations and the revised FADP.
An ISO 27001 certificate is not AI compliance
Holding ISO 27001 does not make you compliant with the EU AI Act, and it does not cover AI-specific risk. If you deploy or develop AI systems that touch the EU market, plan your ISO 42001 work against the 2 August 2026 milestone now, not after it passes.
The training path from 27001 to 42001
If your team already holds ISO 27001 Lead Implementer or Lead Auditor credentials, the leap to ISO 42001 is smaller than the title suggests, because the management-system thinking is identical. What your people need is the AI-specific layer: the Annex A controls, the impact assessment, and the role obligations. ISO 42001 Lead Implementer is the direct next step for the team extending the management system, ISO 42001 Lead Auditor suits those who will audit the AIMS, and Lead AI Risk Manager fits the risk owner who will run AI risk and impact assessments. We deliver these in physical classroom, online classroom, eLearning, and self-study formats.
Ready to extend your ISMS into an AIMS? The ISO 42001 Lead Implementer course is the direct next step for the team building the AIMS, and ISO 42001 Lead Auditor prepares those who will audit it.
For an organization with a mature ISO 27001 ISMS, a focused extension to ISO 42001 commonly runs three to six months, depending on how many AI systems are in scope and how much AI governance already exists informally. The management-system work is fast because it reuses what you have; the time goes into the AI system inventory, the impact assessments, and building the new Annex A controls.
Sources and references
ISO/IEC 42001:2023, Artificial intelligence, Management system (iso.org).
ISO/IEC 27001:2022, Information security management systems, Requirements (iso.org).
ISO/IEC 42005, Artificial intelligence, AI system impact assessment (iso.org).
ISO/IEC 23894:2023, Artificial intelligence, Guidance on risk management (iso.org).
Regulation (EU) 2024/1689 (the EU AI Act) (eur-lex.europa.eu).