ISO 42001 vs. ISO 27001: Similarities and differences

Many professionals who have started their governance journey with ISO 27001 are now looking towards ISO 42001 — the standard that defines the AI governance framework. So, how is ISO 27001 similar to ISO 42001, and can you use any elements from an ISMS in an AIMS?

There are many similarities between ISO 27001 and ISO 42001, most notably risk assessment and the Statement of Applicability; however, these two standards differ greatly in their focus and, consequently, in the list of controls from Annex A.

Similarities between ISO 27001 and ISO 42001

Let’s start with what is similar between these two standards.

Both standards have very similar structures according to the high-level structure (HLS) that is set by the International Organization for Standardization (ISO) for management system standards. This means that the main clauses (and almost all subclauses) are the same in both of these standards.

The purpose of Annex A in both standards is the same — they provide a list of controls from which companies can choose which ones are applicable to them; these controls are rather generic, so it is up to each company to decide how to implement them.

Learn more here: Understanding the ISO 27001 controls from Annex A.

The method for choosing those controls is also the same — both standards require companies to perform risk assessment, and then, during the risk treatment, to choose appropriate controls from Annex A. Interestingly enough, both standards require documenting the decision on which controls they will use in the Statement of Applicability, and both standards specify very similar structures for this document.

See also: Statement of Applicability in ISO 27001 – What is it and why does it matter?

Finally, both standards require the writing of the Risk Treatment Plan, which specifies how to implement those controls.

Of course, ISO 42001 has all other elements that are common not only with ISO 27001, but also with other management standards:

  • Definition of objectives
  • Top-level policy
  • Training and awareness
  • Managing documents and records
  • Internal audit
  • Management review
  • Corrective actions
  • etc.

To learn about these details, see this article: How to implement integrated management systems.

Main differences

Now let’s see what the main differences are.

Of course, the focus is very different — whereas ISO 27001 focuses on cybersecurity governance, i.e., the protection of confidentiality, integrity, and availability, ISO 42001 focuses on AI governance with very different goals — for example, accountability, environmental impact, fairness, privacy, robustness, safety, transparency, etc.

Therefore, the following clauses in ISO 27001 and ISO 42001 are different:

  • Clause 6.1 of ISO 42001 specifies the risk management in a moderately different way from ISO 27001.
  • Clause 8 of ISO 42001 is slightly different from that of ISO 27001.

There are also some completely new things.

Of course, Annex A controls are very different from those in ISO 27001.

Clause 4.1 requires companies to define their role with respect to AI — i.e., AI provider, AI producer, AI customer, AI partner, AI subject, or government authority. There is no such requirement in ISO 27001.

In ISO 42001, there is a new sub-clause, 6.1.4 AI system impact assessment, which requires an additional assessment on top of the risk assessment defined in 6.1.2. There is no such concept in ISO 27001, although it is somewhat similar to the business impact analysis (BIA) in ISO 22301.

See also: How to implement business impact analysis (BIA) according to ISO 22301.

However, this AI system impact assessment is very different from the BIA in ISO 22301: it focuses on assessing the potential consequences of AI systems for individuals or societies. It is also different from the risk assessment prescribed by ISO 42001 itself, for two reasons. First, the impact assessment focuses on the very likely outcomes of AI systems, whereas the risk assessment is more theoretical because it also covers risks that are not likely. Second, the impact assessment is only external, since it covers individual users and whole societies, whereas the risk assessment also covers the risks for the company itself.

ISO 27001 has only Annex A, whereas ISO 42001 also has annexes B, C, and D. Annex B is the most interesting one, because it serves the same purpose that ISO 27002 does for ISO 27001 — ISO 42001 Annex B provides guidance for the implementation of controls from Annex A.

Learn more here: What is ISO 27002?

Annex C could also be useful, since it provides a list of potential objectives as well as risk sources (i.e., “threats” in cyber terminology), while Annex D provides some ideas on which sectors could use ISO 42001 and on integrating this standard with other standards (a very general annex, and not very useful).

Comparison of clauses

So, let’s see the breakdown of these clauses and how similar they are.

| Clauses in ISO 27001 and ISO 42001 | Difference | Comment |
| --- | --- | --- |
| 4.1 Understanding the organization and its context | Moderate | |
| The rest of clause 4 Context of the organization | Low | |
| 5 Leadership | Low | |
| 6.1.4 AI system impact assessment | High | New clause |
| The rest of clause 6.1 Actions to address risks and opportunities | Moderate | |
| 6.2 AI objectives and planning to achieve them | Low | |
| 6.3 Planning of changes | Low | |
| 7 Support | Low | |
| 8 Operation | Moderate | |
| 9 Performance evaluation | Low | |
| 10 Improvement | Low | |
| Annex A | High | Different set of controls |
| Annexes B, C, and D | High | No such annexes in ISO 27001 |

Integration of ISO 27001 and ISO 42001?

So, are these similarities going to help companies integrate ISO 27001 and ISO 42001?

Up to a point, this will be possible — you can already integrate the elements of the two standards described in the first section of this article, since they are aligned. ISMS processes that specify the protection of confidentiality, integrity, and availability will certainly need to cover AI systems as well.

However, for the core elements of ISO 42001 — risk assessment, risk treatment, and implementation of AI controls — it seems to me that these will have to be kept mainly separate from ISO 27001, especially the AI system impact assessment.

Let me know what you think in the comments below.

To learn more about ISO 42001 clauses, sign up for this free ISO 42001 Foundations Course — it will give you a detailed overview of each clause from this AI governance standard.

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.