ISO 42001 vs ISO 27001: Which Standard Does Your AI Programme Actually Need?

UK organisations running AI programmes increasingly ask whether ISO 42001 replaces ISO 27001, supplements it or applies at all.

We see this confusion regularly in scoping conversations: GRC teams reference standards that do not exist while procurement deadlines approach. This FAQ clarifies the practical differences between the two standards, explains which one applies to AI governance and helps you decide what your programme actually needs. Written for compliance leads, CISOs and heads of risk in mid-sized UK organisations evaluating AI governance options.

What is the difference between ISO 42001 and ISO 27001?

ISO 27001 is an information security management standard. It governs how an organisation protects the confidentiality, integrity and availability of information assets across systems, people and processes.

ISO 42001 is an AI management system standard. It governs how AI systems are developed, deployed, monitored and retired, with specific controls for risks that only arise when machine learning enters the picture: model bias, explainability, drift, training data lineage and third-party AI dependency.

The two standards share a common management system structure, which means certified organisations can integrate them efficiently, but they address fundamentally different risk surfaces. ISO 27001 asks whether your data is secure, whilst ISO 42001 asks whether your AI systems behave responsibly, transparently and within defined boundaries throughout their lifecycle.

Do I need ISO 42001 if I already have ISO 27001?

Possibly, if you are developing, deploying or relying on AI systems in any material way. ISO 27001 certification demonstrates that your information security management is mature, but it does not cover the operational risks specific to AI: how models are trained, how decisions are explained to affected individuals, how bias is measured and mitigated, or how third-party AI services are governed.

These gaps sit entirely outside the scope of 27001 controls. An organisation can be fully 27001 certified and still have no formal accountability for an AI system that produces discriminatory outputs or fails silently in production. ISO 42001 fills that gap.

The good news is that 27001-certified organisations have most of the management system foundations already in place, so the implementation effort is meaningfully lower than starting from scratch.

Which ISO standard applies to AI governance?

ISO 42001 is the international standard specifically designed for AI governance. The latest version, published in 2023, is a certifiable management system standard that addresses the whole AI lifecycle, from initial use case definition through model retirement.

Other standards touch adjacent areas: ISO 27001 covers information security, ISO 27701 covers privacy, ISO 9001 covers quality management. None of these standards address the specific governance questions that AI raises, such as how to document model purpose, how to assess and treat AI-specific risks, how to monitor model performance for drift, or how to provide meaningful human oversight. ISO 42001 is structured around these questions.

For UK organisations needing a recognised framework to demonstrate responsible AI practice to regulators, customers or boards, ISO 42001 is a relevant standard to consider implementing.

What does ISO 42001 cover that ISO 27001 does not?

ISO 42001 covers the lifecycle controls specific to AI systems. These include defined roles and accountabilities for AI development and deployment, documented AI policies, AI-specific risk assessment methods covering bias and explainability, impact assessments on affected individuals, controls for training data quality and provenance, ongoing performance monitoring and drift detection, supplier and third-party AI governance, incident response procedures for AI failures and processes for retiring or replacing AI systems.

ISO 27001 addresses none of these directly. Its controls focus on protecting information from unauthorised access, modification or loss. An AI model that performs poorly on a particular demographic, or a vendor model that changes behaviour after a silent update, falls entirely outside 27001’s remit. ISO 42001 was written to close exactly these gaps.

Is ISO 42001 mandatory for UK organisations?

ISO 42001 is not currently mandatory under UK law.

The UK government has signalled a sector-led, principles-based approach to AI regulation rather than a single horizontal AI Act in the style of the EU. That said, regulatory pressure is building.

UK organisations selling into the EU will be progressively affected by the EU AI Act, which applies in phases: prohibitions on certain AI practices took effect in February 2025, with obligations on general-purpose AI models and high-risk systems following through 2026 and 2027.

Sector regulators including the FCA, ICO and MHRA have each published AI strategies or guidance signalling increased scrutiny in their domains, though the maturity of each approach differs. Procurement frameworks, particularly in the public sector, are beginning to ask suppliers about AI governance maturity.

Implementing ISO 42001 now helps an organisation prepare for these requirements, although it does not guarantee compliance with any specific regulation and organisations should seek independent legal advice on their specific obligations.

How long does ISO 42001 implementation typically take?

Implementation timelines depend heavily on starting position. An organisation with existing ISO 27001 certification and a clear inventory of AI systems can typically reach certification readiness in six to nine months. An organisation starting without an established management system or without a clear view of where AI is used across the business should plan for nine to fifteen months.

The early phases focus on AI system discovery, defining the management system scope, drafting AI policy and risk methodology and engaging stakeholders across data science, legal, procurement and operations. Later phases cover control implementation, internal audit and management review.

The discovery phase is often the most informative: many organisations find that AI is in use in more places than the executive team realised, particularly through embedded vendor features.

Can we implement ISO 42001 in-house or do we need external support?

It depends on internal capability. Organisations with mature management system experience, a working knowledge of AI risk and dedicated compliance resource might find that they can run an ISO 42001 programme in-house.

Most mid-sized UK organisations do not have all three.

The AI-specific elements, particularly risk assessment methodology, bias evaluation approaches and third-party AI governance, require expertise that compliance teams are still building. External support is most valuable in the early stages: scoping the management system, building the risk methodology and training internal teams to operate the system independently.

The goal should be a programme your team can run, not a permanent dependency on consultants.

How does ISO 42001 relate to the EU AI Act?

The EU AI Act is regulation; ISO 42001 is a voluntary management system standard. They are complementary rather than equivalent.

The AI Act sets legal obligations for AI systems placed on the EU market, with requirements scaled to risk level and phased in over several years. ISO 42001 provides a structured management system that helps organisations meet those obligations consistently.

For UK organisations selling AI-enabled products or services into the EU, holding ISO 42001 certification provides demonstrable evidence of an AI governance programme, which supports conformity assessments and customer due diligence. The standard does not replace specific AI Act requirements such as conformity assessment for high-risk systems, but it can materially reduce the effort required to meet them.

For a longer narrative walkthrough of the same comparison, see the ISO 42001 vs ISO 27001 blog post. For evidence requirements specific to ISO 42001 certification, see the ISO 42001 audit evidence FAQ.