01 / What's shared
Annex SL clauses 4-10 transfer.
Both ISO 27001 and ISO 42001 are written on the Annex SL high-level structure. The seven management-system clauses are the same in shape; the content differs only where AI specifics replace information-security specifics.
- Clause 4 - Context. Same approach: identify interested parties, scope the management system, name the issues that affect outcomes. For 42001, the scope is the AI systems you develop, provide, or use; for 27001, it's information assets and the processes that handle them.
- Clause 5 - Leadership. Same approach: top-management commitment, policy, roles. The committee that approves your 27001 ISMS scope can approve your 42001 AIMS scope at the same meeting.
- Clause 6 - Planning. Same approach: risk and opportunity assessment, objectives, change management. Different risk lens (AI risks vs. information-security risks), and 42001 adds one planning process 27001 does not have: the AI system impact assessment (6.1.4).
- Clause 7 - Support. Same approach: resources, competence, awareness, communication, documented information. Reuse the documentation control system you already operate.
- Clause 8 - Operation. Same approach: operational planning and control, with risk assessment and risk treatment carried out as operations. Different operations under control (the AI life cycle vs. information assets), and 42001 adds running the AI system impact assessment (8.4) as an operational activity.
- Clause 9 - Performance evaluation. Same approach: monitoring, internal audit, management review. Reuse the audit team, the review meeting cadence, the trend-tracking dashboard.
- Clause 10 - Improvement. Same approach: nonconformity, corrective action, continual improvement. Reuse the corrective-action workflow.
Where AI specifics replace information-security specifics, you typically need to update wording in policies, expand internal-audit scope, and add AI representatives to existing forums. Most shops do this in weeks, not months.
02 / What 42001 adds
An AI scope, an AI policy, 38 controls.
The non-overlap is real but bounded. You add:
- An AI scope statement. Which AI systems and AI uses your management system covers. Often narrower than your 27001 scope; sometimes broader if you have AI uses outside the 27001 information-asset scope.
- An AI policy. Distinct from the 27001 information-security policy. Approved by leadership. Published internally. Reviewed annually.
- AI-specific roles and responsibilities. Often a single named owner (an AI Governance Lead, sometimes the same person as the CISO with an additional hat).
- AI system impact assessment. Per AI system in scope. Run before deployment, at planned intervals after, and whenever the system or its use changes materially. Distinct from the 27001 risk assessment: the risk assessment asks what can harm the organization, the impact assessment asks what the AI system can do to individuals, groups, and society. It draws on the same risk-management discipline.
- The 38 Annex A controls. Organized across nine categories (AI policies, organization, resources, impact assessment, life cycle, data, transparency, system use, third-party relationships). The Statement of Applicability documents which you've selected and why.
For a complete walk-through of the Annex A controls, see the ISO 42001 brief.
03 / The integrated management system
One review. One audit program. Two scopes.
The dominant approach for organizations stacking 42001 on 27001 is an integrated management system. The structural moves:
- One management review meeting cadence covers both ISMS (27001) and AIMS (42001) agenda items.
- One internal audit program rotates between 27001 and 42001 scopes. Auditor competence may need a top-up for AI-specific topics; reuse the audit framework.
- One document control system with separate document categories for AI policy, AI impact assessments, and AI procedures.
- One corrective-action workflow across both management systems. Findings get categorized by which standard's controls they affect.
- One statement of leadership commitment that names both standards.
Where AI uses are tightly coupled to information assets (most production systems), keeping the management systems integrated avoids duplicate evidence work. Where AI uses are decoupled (R&D models that never touch production data), keep them separate to avoid scoping confusion.
04 / Practical sequence
From 27001 certified to 42001 certified in 6 to 9 months.
- Gap analysis (4-6 weeks). Map your existing 27001 ISMS to 42001's clauses 4-10. Identify AI-specific additions you need. List the 27001 controls that already produce evidence relevant to 42001 Annex A.
- Scope and policy (2-4 weeks). Define the AI management system scope. Draft and approve the AI policy. Update leadership commitment statements.
- Impact assessments (4-8 weeks). Run the AI system impact assessment for each in-scope AI system. This is often the longest single workstream because it requires real engineering input.
- Annex A control implementation (8-12 weeks). Run the controls you've selected. Generate evidence. Use the integrated management system processes you already have.
- Internal audit (4-6 weeks). Audit the new scope. Find your gaps. Close them.
- Stage 1 + Stage 2 audits (4-6 weeks). Adding a second standard is a certification audit in its own right, not a surveillance visit, but your existing certification body can usually schedule the 42001 stage 1 and stage 2 alongside your next 27001 surveillance audit. Check first that the body is accredited for 42001; not every 27001 certifier is.
Total: 26 to 42 weeks if the workstreams run back to back, depending on the complexity of your AI use and the readiness of your existing ISMS; impact assessments and control implementation usually overlap, which is where the 6-to-9-month figure comes from. Greenfield 42001 certification typically takes 39 to 56 weeks.
05 / How Northbeams maps to this
Reuse 27001 evidence; supply the 42001 inventory.
If you already export Northbeams audit logs for ISO 27001 A.5.34, A.8.10, and A.12.4 (A.12.4 is the 2013 numbering; in the 2022 control set, logging is A.8.15 and monitoring is A.8.16), the same exports support 42001 Annex A.6, A.7, and A.9. The shape of the evidence is identical; the control category it satisfies is what changes.
A.4 / A.6 inventory
The AI inventory you didn't have under 27001.
Continuous discovery across browser, desktop, and CLI gives 42001 the AI scope it asks for: which AI tools are in use, by which user, and when.
A.5 impact assessment input
Per-tool risk classification on-device.
The data your AI impact assessor needs without ever capturing prompt content. The classifier runs in the browser.
A.9 use of AI controls
Sanctioned, sandboxed, or blocked.
Pre-mapped to your existing 27001 control language, extended for AI-specific obligations.
A.6 + 27001 A.12.4
One signed event log, two standards.
SHA-256 hashed and signed CSV exports satisfy the 27001 A.12.4 (A.8.15 in the 2022 control set) and 42001 Annex A.6 retention obligations from the same artifact. Verify the digest and the signature on receipt and again before handing the file to an auditor; a digest alone only proves the file has not changed since someone last recomputed it, so it is the signature over the digest, not the hash, that makes the export evidence.
If you're stacking 42001 on top of an existing 27001 ISMS, Sentinel produces the audit log both standards' auditors trust. See the audit-ready evidence pack →
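The receipt-side check the paragraphs above call for, as an added example that is not Northbeams or Sentinel code and does not describe their export format. It assumes a sidecar manifest carrying the export's SHA-256 digest plus an HMAC-SHA256 tag over that digest under a key the evidence owner holds; the HMAC stands in for whatever signature scheme the real product uses, and the CSV rows and key are constructed for the example. The tampered-file case shows why the digest alone is not enough: an editor who can rewrite the CSV can recompute the hash, but cannot forge the tag without the key.

```python
"""Verify a hashed-and-signed CSV evidence export before trusting its contents.

Added example, not product code. Assumed artifact layout: the CSV export plus a
manifest {"alg", "sha256", "tag"} where "tag" authenticates the digest.
"""
import csv
import hashlib
import hmac
import io
import json

# Constructed sample export (not real log data): one sanctioned and one blocked use.
SAMPLE_EXPORT = (
    "timestamp,user,tool,surface,decision\n"
    "2024-05-01T09:12:03Z,alice@example.com,chatgpt.com,browser,sanctioned\n"
    "2024-05-01T09:14:47Z,bob@example.com,unknown-llm-cli,cli,blocked\n"
)
# Constructed key. In practice the evidence owner, not the exporting host, holds it.
EVIDENCE_KEY = b"example-evidence-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(export: bytes, key: bytes) -> dict:
    """Digest the export, then authenticate the digest so that editing the CSV
    and recomputing the hash is not enough to pass verification."""
    digest = sha256_hex(export)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"alg": "HMAC-SHA256", "sha256": digest, "tag": tag}


def verify_export(export: bytes, manifest: dict, key: bytes) -> bool:
    """True only if the manifest's digest is authentic AND matches the file."""
    expected_tag = hmac.new(key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False  # digest was altered or manifest came from someone without the key
    return hmac.compare_digest(sha256_hex(export), manifest["sha256"])


def count_decisions(export: bytes) -> dict:
    """Summarize the export for the auditor; call this only after verify_export."""
    counts: dict = {}
    for row in csv.DictReader(io.StringIO(export.decode())):
        counts[row["decision"]] = counts.get(row["decision"], 0) + 1
    return counts


def main() -> None:
    export = SAMPLE_EXPORT.encode()
    manifest = make_manifest(export, EVIDENCE_KEY)
    print(json.dumps(manifest, indent=2))
    print("original verifies:", verify_export(export, manifest, EVIDENCE_KEY))

    # Tamper: flip a blocked use to sanctioned and recompute the digest, as an
    # attacker without the key would. The recomputed digest fails the tag check.
    tampered = export.replace(b"blocked", b"sanctioned")
    forged = dict(manifest, sha256=sha256_hex(tampered))
    print("tampered file, original manifest:", verify_export(tampered, manifest, EVIDENCE_KEY))
    print("tampered file, recomputed digest:", verify_export(tampered, forged, EVIDENCE_KEY))
    print("decisions:", count_decisions(export))


if __name__ == "__main__":
    main()
```

Run the script and keep the manifest beside the CSV in the evidence pack; the auditor needs both, plus the key holder's confirmation, to treat the export as a record rather than a spreadsheet.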
06 / FAQ
Common questions about stacking 42001 on 27001.
- Why is ISO 42001 faster if I have ISO 27001?
- Both standards share the Annex SL high-level structure (the same management-system clauses 4 to 10). The leadership commitment, internal audit program, document control, management review, and corrective-action workflow you already operate for 27001 transfer directly to 42001. You're adding an AI scope, an AI policy, the impact-assessment process, and a new Annex A control set; you're not building a management system from scratch. Most shops report about 40% faster certification.
- What's the same between 27001 and 42001?
- Annex SL clauses 4-10: context of the organization, leadership, planning, support, operation, performance evaluation, improvement. Internal audit. Management review. Document control. Corrective action. Risk-based thinking. The Plan-Do-Check-Act cycle.
- What's new in 42001 vs 27001?
- AI-specific scope (the AI management system covers the AI lifecycle, not information security). AI policy. AI roles and responsibilities specific to AI. AI system impact assessment. The 38 Annex A controls covering AI policy, organization, resources, impact assessment, life cycle, data, transparency, system use, and third-party relationships.
- Can I run 27001 and 42001 as one integrated management system?
- Yes, and it is the dominant approach for organizations going for both. An integrated management system has one set of management review meetings, one internal audit program with parallel scopes, one document control system, and shared leadership commitment. Each standard's controls remain distinct, but the overhead is shared.
- What's the typical sequence?
- Gap analysis against 42001's clauses 4-10 (mostly reuse from 27001). Then scope your AI management system. Then run the AI system impact assessment. Then implement Annex A controls based on the Statement of Applicability. Then internal audit, stage 1, stage 2. Six to nine months for most 27001-certified shops.