They solve different problems.
The most common mistake is treating ISO 27001 and ISO 42001 as competing choices. They address fundamentally different concerns.
ISO 27001 is an information security management system standard. It exists to protect the confidentiality, integrity, and availability of information, whatever form that information takes. It asks: what are your information risks, what controls treat them, and how do you govern that programme over time. Think of it as protecting what you hold.
ISO 42001 is an artificial intelligence management system standard. It exists to ensure that AI is developed, deployed, and operated responsibly, addressing concerns that have no equivalent in traditional security work: bias and fairness, transparency, explainability, human oversight, and the impact an AI system has on the people subject to its decisions. Think of it as governing how you build and use AI.
An organisation can hold ISO 27001 and have no AI governance whatsoever. An organisation can deploy AI responsibly and still have poor information security. The two standards answer different questions, and which you need depends entirely on what your organisation actually does.
What ISO 27001 actually is.
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems. Certification means an accredited body has audited your ISMS and confirmed it meets the standard's requirements. It does not certify that you cannot be breached. It certifies that you run a documented, risk-driven, continuously improving process for managing information security.
The standard has two parts. Clauses 4 to 10 are the mandatory management requirements: context, leadership, planning, support, operation, performance evaluation, and improvement. Annex A contains 93 controls across four themes (Organisational, People, Physical, Technological) that you select based on your risk assessment and document in a Statement of Applicability. You implement the controls your risk treatment justifies and record why you excluded the rest.
Where ISO 27001 has market force: Increasingly required in enterprise procurement, government tender evaluations, and supplier due diligence. APRA-regulated entities commonly use ISO 27001 as the management framework for meeting CPS 234 obligations. The Defence Industry Security Program preferences ISO 27001 for suppliers handling sensitive information.
What ISO 42001 actually is.
ISO/IEC 42001:2023, published on 18 December 2023, is the world's first certifiable management system standard for artificial intelligence. It specifies requirements for an AI Management System (AIMS): a structured way to govern how your organisation develops, procures, deploys, and operates AI across its lifecycle. Like ISO 27001, it is a management system standard rather than a technical specification. It does not tell you which model to use; it requires you to demonstrate that AI is governed.
What makes ISO 42001 distinctive is what it governs. It requires organisations to maintain an inventory of their AI systems, conduct AI impact assessments that consider effects on individuals and society, and implement controls addressing fairness and bias, transparency, explainability, data quality for AI, and human oversight of automated outputs. These are governance obligations with no direct equivalent in an information security standard.
The standard applies to any organisation that develops AI, deploys AI built by others, or embeds AI into its products and operations. That increasingly means most organisations, whether or not they think of themselves as "AI companies".
The Australian regulatory context: Australia has no AI-specific legislation. It relies on technology-neutral laws supplemented by the Voluntary AI Safety Standard (September 2024) and the Guidance for AI Adoption (October 2025). A new automated decision-making disclosure obligation takes effect on 10 December 2026. ISO 42001 is a way to get ahead of a clearly tightening environment, not a response to an existing mandate.
The shared management-system backbone.
Here is the fact that changes the economics of running both. ISO 27001 and ISO 42001 are built on the same harmonised structure, known as Annex SL. That means the management-system skeleton is identical: the same clauses for context, leadership, planning, support, operation, performance evaluation, and improvement.
If you already operate a mature ISMS, you already have most of the machinery an AIMS needs. The governance concepts are shared even where the domain-specific controls are not.
There is conceptual overlap at the control level too: data governance, access control, supplier management, and incident response all appear in both worlds, framed for their respective domains. An organisation with a well-run ISMS is not starting from zero on AI governance. It is starting from the management system it already has.
The parts that do not translate.
The shared backbone is real, but so are the differences. Each standard carries obligations the other simply does not have, and this is where the actual work of a second certification sits.
The practical implication is that neither standard is a subset of the other. ISO 42001 does not make your organisation secure. ISO 27001 does not make your AI fair, transparent, or accountable. If your organisation both holds sensitive information and uses AI in ways that affect people, the two standards cover different exposures, and holding one does not close the gap the other addresses.
Which applies to your organisation.
The honest answer is that most organisations need ISO 27001 and do not yet need ISO 42001. That changes the moment AI enters a business process in a way that affects decisions or people. Here is how to think about your situation.
ISO 42001 is additive, not a rebuild. You already own the management-system backbone. The incremental work is AI governance roles, an AI system inventory, impact assessments, and AI-specific controls. This is the cheapest possible path to an AIMS.
You likely need both. ISO 27001 covers the information security your customers expect; ISO 42001 is increasingly the differentiator that proves your AI is governed. For AI vendors, an AIMS certificate is becoming a trust signal in enterprise sales.
Both, and watch the calendar. If AI informs decisions about customers, the automated decision-making disclosure obligation from 10 December 2026 is directly relevant. ISO 42001 gives you the governance and evidence to meet rising expectations.
ISO 42001 is starting to appear in vendor questionnaires. If procurement teams are asking how you govern AI, an AIMS is the structured answer. If they are not asking yet, they likely will be within a year or two.
ISO 42001 is not yet warranted. If AI is not in your products, operations, or decision-making, certifying an AIMS is over-investment. Keep your ISMS strong and revisit AI governance when AI actually enters a business process.
Build the ISMS first. ISO 27001 applies to almost everyone and does the heavier lifting on risk. The Annex SL backbone you build for it is exactly what makes ISO 42001 inexpensive to add later. Sequencing beats parallelising for most mid-market organisations.
Run them as one integrated system.
Because both standards share the Annex SL structure, the efficient way to hold both is not two parallel management systems. It is one integrated management system with a shared governance backbone and two domain-specific control sets bolted on.
In practice that means one risk process that feeds both information security and AI risk, one internal audit programme covering both scopes, one management review that looks across both domains, and one set of policies and improvement tracking. You maintain the machinery once and apply it to two control sets. This is dramatically less work than certifying and operating two separate systems, and it produces a more coherent governance story for your board and your auditors.
The maintenance burden is where integration pays off most. Keeping a single management system audit-ready is demanding enough; keeping two in sync manually is where organisations struggle. This is where compliance automation earns its place, mapping shared controls once and monitoring evidence across both standards from a single view. Our sister platform Cybereen is built for exactly this: managing an integrated AIMS and ISMS, mapping overlapping controls, and automating the evidence collection that makes surveillance audits routine rather than a scramble. For the advisory side, our Secure AI practice helps organisations bring AI into a governed environment in the first place.
Most organisations need one, not both. Yet.
Cliffside holds ISO 27001 certification for our own ISMS, and we have been Lead Auditors since 2008. We maintain our own management system, run our own internal audits, and manage the surveillance cycle every year. We know where the effort actually goes.
Here is our honest read. Most Australian organisations need a strong ISMS today and do not yet need an AIMS. But AI is entering business processes faster than governance is keeping up, and the organisations that will need ISO 42001 are often the ones telling themselves they are not "an AI company". When that need arrives, doing ISO 42001 on top of an existing ISO 27001 foundation is far cheaper than standing up a separate system, precisely because the two share so much.
We will not sell you a certificate you do not need. When a client asks whether they need ISO 42001, we start with a security assessment that maps where AI actually sits in the business, what governance already exists, and whether an AIMS is warranted now or is a decision for later. That is the honest answer, and it is usually more useful than a fashionable one.