Skip to main content
Compliance · Framework Comparison

ISO 27001 vs
ISO 42001:
overlap and
divergence.

As AI moves from experiment to production inside Australian organisations, boards and buyers are starting to ask a new question: how is this governed? Two ISO standards frame the answer. ISO 27001 governs information security. ISO 42001 governs artificial intelligence. They are frequently mentioned in the same breath, which leads people to treat them as alternatives. They are not.

This guide explains what each standard actually does, where they overlap, where they genuinely diverge, and how to decide whether you need one or both. The short version: if you hold ISO 27001 and you are bringing AI into your business, ISO 42001 is an extension of what you already have, not a second system built from scratch.

01 / Different problems

They solve different problems.

The most common mistake is treating ISO 27001 and ISO 42001 as competing choices. They address fundamentally different concerns.

ISO 27001 is an information security management system standard. It exists to protect the confidentiality, integrity, and availability of information, whatever form that information takes. It asks: what are your information risks, what controls treat them, and how do you govern that programme over time. Think of it as protecting what you hold.

ISO 42001 is an artificial intelligence management system standard. It exists to ensure that AI is developed, deployed, and operated responsibly, addressing concerns that have no equivalent in traditional security work: bias and fairness, transparency, explainability, human oversight, and the impact an AI system has on the people subject to its decisions. Think of it as governing how you build and use AI.

An organisation can hold ISO 27001 and have no AI governance whatsoever. An organisation can deploy AI responsibly and still have poor information security. The two standards answer different questions, and which you need depends entirely on what your organisation actually does.

ISO 27001
Information Security Management System (ISMS). 10 management clauses and 93 Annex A controls across four themes. Requires formal risk assessment, a Statement of Applicability, internal audit, and management review. Certifiable since the standard's inception.
ISO 42001
AI Management System (AIMS). The first certifiable AI management standard, published December 2023. Requires AI governance roles, an inventory of AI systems, AI impact assessments, and controls for fairness, transparency, and human oversight across the AI lifecycle.
What ISO 27001 does not cover
AI-specific risks: algorithmic bias, model transparency, explainability of automated decisions, human oversight of AI outputs, or the societal and individual impact of an AI system on the people it affects.
What ISO 42001 does not cover
The depth of technical security controls in ISO 27001: cryptography, network security, vulnerability and patch management, physical security, and the broad information-risk programme that protects your whole environment.
02 / ISO 27001

What ISO 27001 actually is.

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems. Certification means an accredited body has audited your ISMS and confirmed it meets the standard's requirements. It does not certify that you cannot be breached. It certifies that you run a documented, risk-driven, continuously improving process for managing information security.

The standard has two parts. Clauses 4 to 10 are the mandatory management requirements: context, leadership, planning, support, operation, performance evaluation, and improvement. Annex A contains 93 controls across four themes (Organisational, People, Physical, Technological) that you select based on your risk assessment and document in a Statement of Applicability. You implement the controls your risk treatment justifies and record why you excluded the rest.

Where ISO 27001 has market force: Increasingly required in enterprise procurement, government tender evaluations, and supplier due diligence. APRA-regulated entities commonly use ISO 27001 as the management framework for meeting CPS 234 obligations. The Defence Industry Security Program preferences ISO 27001 for suppliers handling sensitive information.

03 / ISO 42001

What ISO 42001 actually is.

ISO/IEC 42001:2023, published on 18 December 2023, is the world's first certifiable management system standard for artificial intelligence. It specifies requirements for an AI Management System (AIMS): a structured way to govern how your organisation develops, procures, deploys, and operates AI across its lifecycle. Like ISO 27001, it is a management system standard rather than a technical specification. It does not tell you which model to use; it requires you to demonstrate that AI is governed.

What makes ISO 42001 distinctive is what it governs. It requires organisations to maintain an inventory of their AI systems, conduct AI impact assessments that consider effects on individuals and society, and implement controls addressing fairness and bias, transparency, explainability, data quality for AI, and human oversight of automated outputs. These are governance obligations with no direct equivalent in an information security standard.

The standard applies to any organisation that develops AI, deploys AI built by others, or embeds AI into its products and operations. That increasingly means most organisations, whether or not they think of themselves as "AI companies".

The Australian regulatory context: Australia has no AI-specific legislation. It relies on technology-neutral laws supplemented by the Voluntary AI Safety Standard (September 2024) and the Guidance for AI Adoption (October 2025). A new automated decision-making disclosure obligation takes effect on 10 December 2026. ISO 42001 is a way to get ahead of a clearly tightening environment, not a response to an existing mandate.

04 / Where they overlap

The shared management-system backbone.

Here is the fact that changes the economics of running both. ISO 27001 and ISO 42001 are built on the same harmonised structure, known as Annex SL. That means the management-system skeleton is identical: the same clauses for context, leadership, planning, support, operation, performance evaluation, and improvement.

If you already operate a mature ISMS, you already have most of the machinery an AIMS needs. The governance concepts are shared even where the domain-specific controls are not.

Risk assessment
Both require a systematic, documented risk process. ISO 27001 assesses information security risk; ISO 42001 assesses AI-related risk and impact. The methodology and governance are the same.
Leadership and roles
Both require top-management commitment, defined roles and responsibilities, and a documented policy. An existing governance structure extends naturally to cover AI.
Internal audit and management review
Both require an internal audit programme and periodic management review. These can be run once across an integrated system rather than duplicated per standard.
Continual improvement
Both use the same corrective-action and improvement cycle. Nonconformities, corrective actions, and improvement tracking work identically across the two domains.

There is conceptual overlap at the control level too: data governance, access control, supplier management, and incident response all appear in both worlds, framed for their respective domains. An organisation with a well-run ISMS is not starting from zero on AI governance. It is starting from the management system it already has.

05 / Where they diverge

The parts that do not translate.

The shared backbone is real, but so are the differences. Each standard carries obligations the other simply does not have, and this is where the actual work of a second certification sits.

Unique to ISO 42001
AI system impact assessments, bias and fairness controls, transparency to affected individuals, explainability of AI outputs, and human oversight obligations. None of these have an equivalent in an information security standard, because they are about the behaviour and effects of AI, not the protection of data.
Unique to ISO 27001
The deep technical-security control set: cryptography, secure configuration, network security, vulnerability and patch management, physical and environmental security, and the broad information-risk coverage across your entire environment.

The practical implication is that neither standard is a subset of the other. ISO 42001 does not make your organisation secure. ISO 27001 does not make your AI fair, transparent, or accountable. If your organisation both holds sensitive information and uses AI in ways that affect people, the two standards cover different exposures, and holding one does not close the gap the other addresses.

06 / Do you need both

Which applies to your organisation.

The honest answer is that most organisations need ISO 27001 and do not yet need ISO 42001. That changes the moment AI enters a business process in a way that affects decisions or people. Here is how to think about your situation.

Already ISO 27001 certified, now adopting AI

ISO 42001 is additive, not a rebuild. You already own the management-system backbone. The incremental work is AI governance roles, an AI system inventory, impact assessments, and AI-specific controls. This is the cheapest possible path to an AIMS.

AI product or AI-first company

You likely need both. ISO 27001 covers the information security your customers expect; ISO 42001 is increasingly the differentiator that proves your AI is governed. For AI vendors, an AIMS certificate is becoming a trust signal in enterprise sales.

Regulated and using AI in decisions

Both, and watch the calendar. If AI informs decisions about customers, the automated decision-making disclosure obligation from 10 December 2026 is directly relevant. ISO 42001 gives you the governance and evidence to meet rising expectations.

Enterprise B2B asked for AI assurance

ISO 42001 is starting to appear in vendor questionnaires. If procurement teams are asking how you govern AI, an AIMS is the structured answer. If they are not asking yet, they likely will be within a year or two.

No AI in scope

ISO 42001 is not yet warranted. If AI is not in your products, operations, or decision-making, certifying an AIMS is over-investment. Keep your ISMS strong and revisit AI governance when AI actually enters a business process.

Limited budget

Build the ISMS first. ISO 27001 applies to almost everyone and does the heavier lifting on risk. The Annex SL backbone you build for it is exactly what makes ISO 42001 inexpensive to add later. Sequencing beats parallelising for most mid-market organisations.

07 / Integration

Run them as one integrated system.

Because both standards share the Annex SL structure, the efficient way to hold both is not two parallel management systems. It is one integrated management system with a shared governance backbone and two domain-specific control sets bolted on.

In practice that means one risk process that feeds both information security and AI risk, one internal audit programme covering both scopes, one management review that looks across both domains, and one set of policies and improvement tracking. You maintain the machinery once and apply it to two control sets. This is dramatically less work than certifying and operating two separate systems, and it produces a more coherent governance story for your board and your auditors.

The maintenance burden is where integration pays off most. Keeping a single management system audit-ready is demanding enough; keeping two in sync manually is where organisations struggle. This is where compliance automation earns its place, mapping shared controls once and monitoring evidence across both standards from a single view. Our sister platform Cybereen is built for exactly this: managing an integrated AIMS and ISMS, mapping overlapping controls, and automating the evidence collection that makes surveillance audits routine rather than a scramble. For the advisory side, our Secure AI practice helps organisations bring AI into a governed environment in the first place.

08 / Our perspective

Most organisations need one, not both. Yet.

Cliffside holds ISO 27001 certification for our own ISMS, and we have been Lead Auditors since 2008. We maintain our own management system, run our own internal audits, and manage the surveillance cycle every year. We know where the effort actually goes.

Here is our honest read. Most Australian organisations need a strong ISMS today and do not yet need an AIMS. But AI is entering business processes faster than governance is keeping up, and the organisations that will need ISO 42001 are often the ones telling themselves they are not "an AI company". When that need arrives, doing ISO 42001 on top of an existing ISO 27001 foundation is far cheaper than standing up a separate system, precisely because the two share so much.

We will not sell you a certificate you do not need. When a client asks whether they need ISO 42001, we start with a security assessment that maps where AI actually sits in the business, what governance already exists, and whether an AIMS is warranted now or is a decision for later. That is the honest answer, and it is usually more useful than a fashionable one.

Frequently asked questions.

What is ISO 42001?
ISO/IEC 42001:2023 is the world's first internationally certifiable management system standard for artificial intelligence, published on 18 December 2023. It specifies requirements for an AI Management System (AIMS): the policies, roles, risk processes, and controls an organisation uses to develop, deploy, and oversee AI responsibly. It addresses issues that traditional security standards do not, including bias and fairness, transparency, explainability, human oversight, and the assessment of an AI system's impact on affected individuals.
Do I need both ISO 27001 and ISO 42001?
It depends on whether AI is actually in scope for your organisation. ISO 27001 governs information security and applies to almost every organisation that holds sensitive data. ISO 42001 governs the responsible use of AI and only matters once you are building, deploying, or embedding AI systems in ways that affect people or decisions. If you have no AI in your business processes, ISO 42001 is not yet warranted. If AI is entering your products, operations, or decision-making, the two standards are complementary rather than competing, and an existing ISMS makes adding an AIMS considerably cheaper.
Can ISO 27001 and ISO 42001 be certified together?
Yes. Both standards are built on the same harmonised structure (Annex SL), which means they share an identical management-system skeleton: context, leadership, planning, support, operation, performance evaluation, and improvement. That shared backbone lets you run a single integrated management system with one risk process, one internal audit programme, and one management review cycle feeding two domain-specific control sets. Many certification bodies offer combined or integrated audits, which reduces duplicated effort and audit fatigue.
Is ISO 42001 mandatory in Australia?
No. Australia has no AI-specific legislation and does not mandate ISO 42001. The current approach relies on existing technology-neutral laws supplemented by the Voluntary AI Safety Standard (September 2024) and the Guidance for AI Adoption (October 2025). However, a new automated decision-making disclosure obligation takes effect on 10 December 2026, and AI assurance is increasingly appearing in enterprise procurement and vendor due diligence. ISO 42001 is a way to demonstrate responsible AI governance ahead of firmer regulation, not a legal requirement today.
How much extra work is ISO 42001 if I already have ISO 27001?
Less than most organisations expect, because the two standards share the entire management-system backbone. If you already run a mature ISMS, you already have the governance, risk assessment, internal audit, management review, and continual improvement machinery that ISO 42001 also requires. The additional work is largely domain-specific: establishing AI governance roles, building an AI system inventory, conducting AI impact assessments, and adding controls for bias, transparency, and human oversight. You are extending an existing system, not standing up a second one from scratch.

Bringing AI into a
governed environment?

Book a Consultation. We'll map where AI sits in your business, assess the governance you already have, and tell you honestly whether ISO 42001 is warranted now or a decision for later.