If you are ISO/IEC 27001 certified and your organisation has started using or deploying AI systems, EU AI Act obligations are not a separate regulatory burden. They are an extension of the management system you already operate. The discipline and the standard that bridges them is ISO/IEC 42001.
This article is for organisations that have an Information Security Management System in place and want to understand, concretely, what extending it into an AI Management System looks like under EU AI Act expectations. It covers three angles.
One. If you are ISO 27001 certified, what does EU AI Act compliance actually require of you?
Two. How does ISO/IEC 42001 relate to your existing ISO 27001 ISMS, and what is the realistic path from one to the other?
Three. Why ISO/IEC 42001 is the canonical conformance route for EU AI Act high-risk obligations, and what that means for organisations that want to meet the obligations efficiently.
If you are ISO 27001 certified, what does the EU AI Act actually require of you?
The EU AI Act applies to organisations on a risk-based scale. The obligations vary substantially depending on the role you play and the risk classification of the AI systems involved.
If you deploy or develop AI systems classified as high-risk under Annex III of Regulation (EU) 2024/1689, you become subject to obligations across Chapter III of the regulation. These include risk management (Article 9), data and data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), transparency and provision of information to deployers (Article 13), human oversight (Article 14), accuracy and robustness (Article 15), and a quality management system covering all of the above (Article 17).
Article 17 in particular is significant for any organisation already operating an ISO 27001 ISMS. It requires providers of high-risk AI systems to put in place a quality management system that includes strategies for regulatory compliance, design and development controls, examination, test and validation procedures, technical specifications, data management systems, the risk management system referenced in Article 9, and post-market monitoring. The structure of these requirements parallels, almost line by line, the structure of an ISO management system.
Article 9 risk management is recognisably an ISO 31000-derived risk process applied to AI-specific harms. Article 10 data governance overlaps substantially with the data and information classification controls in ISO 27001 Annex A. Article 12 record-keeping is a logging requirement that ISMS-grade organisations already operate. Article 14 human oversight has equivalents in ISO 27001 segregation-of-duties and authorisation controls. The pattern continues across most of Chapter III.
If you are not already operating an ISO 27001 ISMS, the EU AI Act obligations represent a substantial build. If you are, much of the foundational governance, risk, and control discipline is in place. What is missing is the AI-specific layer: AI system inventory, AI impact assessment, AI lifecycle controls, AI-specific data governance, AI-specific transparency obligations, and post-market monitoring. ISO/IEC 42001 is the standard that provides that AI-specific layer in a form an external auditor can verify.
How ISO/IEC 42001 relates to your existing ISO 27001 ISMS
ISO/IEC 42001:2023 is a management system standard for AI, built on the Harmonized Structure (Annex SL) that ISO/IEC 27001:2022, ISO/IEC 27701, ISO 9001, and most modern ISO standards share. This is not a coincidence. The Harmonized Structure exists precisely so that organisations can integrate multiple management systems without rebuilding governance from scratch.
What this means in practice: if you have an ISO 27001 ISMS, the following clauses are largely already in place and need only AI-specific extension:
Clause 4 Context of the organisation. Your existing ISMS scope, interested parties, and external/internal issues are documented. ISO 42001 requires the same for AI systems specifically. You extend the analysis; you do not duplicate it.
Clause 5 Leadership. Top management commitment, policy, and roles are established under ISO 27001. ISO 42001 requires the same commitment to AI governance. Policy is extended, not duplicated.
Clause 6 Planning. Risk and opportunity processes are in place. ISO 42001 adds AI-specific risk treatment and the AI system impact assessment (Annex A.5 of ISO 42001), which is genuinely new content.
Clause 7 Support. Resources, competence, awareness, communication, and documented information requirements transfer directly. AI-specific competence requirements (working with model behaviour, drift, bias, lifecycle considerations) extend the existing framework.
Clause 8 Operation. This is where the new content concentrates. AI system lifecycle controls (Annex A.6 of ISO 42001), data governance for AI (Annex A.7), information for users of AI systems (Annex A.8), and the operational controls for AI development, deployment, and monitoring all need to be implemented. Many of these have ISO 27001 equivalents; many require new procedures.
Clause 9 Performance evaluation. Monitoring, measurement, analysis, evaluation, internal audit, and management review all transfer directly from ISO 27001. The scope of what you monitor expands to include AI system performance and impact.
Clause 10 Improvement. Nonconformity, corrective action, and continual improvement processes transfer directly.
The net effect is that a well-implemented ISO 27001 ISMS represents perhaps fifty to sixty percent of an ISO 42001 AIMS by structure, with the remaining forty to fifty percent concentrated in Clause 8 operational controls and the AI-specific Annex A controls.
The realistic transition path
Most organisations approaching ISO 42001 from an ISO 27001 base will follow a similar three-phase pattern.
Phase one: AI system inventory and impact assessment. Before any management system work, you need to know what AI systems your organisation deploys or develops, who the deployers and providers are, and what the risk classification looks like under EU AI Act Annex III. This is foundational work and typically takes four to eight weeks for an organisation with a modest AI footprint, longer for organisations with substantial AI deployments across multiple business units.
Phase two: gap analysis against ISO 42001. Map your existing ISMS to ISO 42001 clause by clause and identify what extends, what duplicates, and what is genuinely new. Most of the gap concentrates in Annex A controls (A.2 AI policies through A.10 third-party and customer relationships) and the AI-specific elements of Clause 8.
Phase three: implementation and integration. Build the AI-specific controls, extend the existing ISMS documentation to cover AI, conduct internal audit against the combined management system, and prepare for certification. Organisations with mature ISO 27001 ISMSs typically reach ISO 42001 audit readiness in six to twelve months from the start of Phase one. Organisations starting both standards from scratch typically take twelve to eighteen months.
Why ISO 42001 is the canonical conformance route for the EU AI Act
The EU AI Act does not require ISO 42001 certification. It requires the substantive obligations in Chapter III to be met. ISO 42001 is, however, the most direct and most externally verifiable way to demonstrate that the management system underlying those obligations is in place and operating effectively.
For high-risk AI systems, the EU AI Act requires conformity assessment before placing the system on the market. The Act provides for conformity assessment based on internal control (Annex VI) and conformity assessment involving a notified body (Annex VII), depending on the type of AI system and the application. An ISO 42001 certificate does not, by itself, replace conformity assessment. It does, however, provide systematic evidence of the quality management system Article 17 requires, the risk management system Article 9 requires, the data governance Article 10 requires, the record-keeping Article 12 requires, and the post-market monitoring Article 72 requires.
Regulators across the EU have signalled that harmonised standards including ISO/IEC 42001 will be central to the conformity assessment process once the relevant high-risk obligations come into force. Organisations operating an ISO 42001-aligned AIMS will be substantially better positioned for conformity assessment than organisations operating ad hoc AI governance.
What this means for ISO 27001 certified organisations right now
If you are ISO 27001 certified and your organisation deploys or develops AI systems, three immediate actions are worth taking.
Inventory your AI systems. Many organisations are surprised to discover the breadth of their AI deployments once they actually map them. Marketing automation, recruitment screening, customer service chatbots, fraud detection, content moderation, and many other applications often qualify as AI under the EU AI Act definitions.
Classify them against Annex III. Not all AI systems are high-risk. Many are minimal risk and carry no substantive obligations. Some are limited-risk and carry only the transparency obligations under Article 50. A smaller subset are high-risk and carry the full Chapter III obligations. The classification is the foundation for any compliance effort.
Decide on your integration approach. An ISO 27001 certified organisation has three realistic options. Operate two separate management systems (an ISMS and an AIMS) and integrate selectively. Operate an integrated management system that covers both information security and AI under one governance framework. Operate ISO 27001 as the primary management system and extend it to cover AI without a separate ISO 42001 certification. Each has trade-offs. The right choice depends on the size of your AI footprint, the regulatory pressure you face, and the value of an ISO 42001 certificate to your enterprise customers and procurement processes.
The competitive edge
Enterprise procurement teams, regulated industries, and EU-facing markets are already requesting AI governance evidence from suppliers. Organisations that can demonstrate an ISO 42001-aligned AIMS, ideally certified, will increasingly differentiate themselves in commercial contexts. Organisations that wait until conformity assessment becomes mandatory will find themselves implementing under deadline pressure rather than at their own pace.
The discipline is not new. If you operate ISO 27001, you already have most of the structure. ISO 42001 makes the structure AI-aware and provides the externally verifiable form the EU AI Act ultimately rewards. The transition is straightforward when planned. It is painful when deferred.
Frequently asked questions
Related questions on this topic, answered from the audit chair.
Does ISO 42001 certification fulfil EU AI Act obligations?
No. ISO 42001 certification does not by itself replace EU AI Act conformity assessment for high-risk AI systems, which follows either the internal control procedure (Annex VI) or the procedure involving an accredited Notified Body (Annex VII). However, ISO 42001 is the most direct and most externally verifiable route to the substantive obligations Articles 9, 10, 12, 17, and 72 require. Regulators have signalled that harmonised standards including ISO 42001 will be central to the conformity assessment process.
Do I need ISO 42001 if my AI systems are not high-risk?
You are not legally required to. Minimal-risk AI systems carry no substantive obligations beyond the general principles in the EU AI Act, and limited-risk systems carry only the transparency obligations in Article 50. ISO 42001 remains a useful governance framework for any organisation deploying AI at scale, particularly where enterprise customers, regulators, or procurement processes expect demonstrable AI governance.
What is the relationship between ISO 42001 and EU AI Act conformity assessment?
ISO 42001 provides the management system structure that satisfies the quality management system requirement under Article 17, the risk management system under Article 9, data governance under Article 10, record-keeping under Article 12, and post-market monitoring under Article 72. Conformity assessment itself is a separate procedure conducted by a Notified Body (Annex VII) or through internal control (Annex VI), depending on the AI system. ISO 42001 supports the substantive obligations; the conformity assessment validates them.
How long does ISO 42001 implementation take if I already have ISO 27001?
Typically six to twelve months from the start of AI system inventory work to ISO 42001 audit readiness. The Harmonized Structure means Clauses 4 through 10 transfer substantially from ISO 27001. The AI-specific work concentrates in Annex A and in Clause 8 operational controls: AI inventory, impact assessment, AI-specific data governance, transparency to deployers, and post-deployment monitoring.
Do I need ISO 27001 before ISO 42001?
No, but it helps. ISO 42001 can be implemented as a standalone management system. However, organisations operating an existing ISO 27001 ISMS typically reach ISO 42001 readiness in roughly half the time of organisations starting both standards from scratch. The shared Harmonized Structure means the governance, internal audit, and management review processes already in place can be extended rather than rebuilt.
Will ISO 42001 become a harmonised standard under the EU AI Act?
The European Commission has issued a standardisation request to CEN-CENELEC covering AI Act conformity. ISO 42001 and related ISO/IEC standards are central to the response. Formal designation of ISO 42001 as a harmonised standard providing presumption of conformity has not yet been confirmed as of mid-2026; the harmonised standards process is in progress. Organisations operating an ISO 42001-aligned AIMS are positioned to benefit when designation occurs.
What is the difference between an AI provider and an AI deployer under the EU AI Act?
A provider develops or places an AI system on the EU market under its own name. A deployer uses an AI system under its own authority, except in a personal, non-professional capacity. Most Chapter III obligations apply to providers of high-risk AI systems; deployers have a narrower obligation set in Article 26, including human oversight, monitoring, and incident reporting. The same organisation can be a provider for some systems and a deployer for others.
Need help mapping your ISMS to ISO 42001? AuditVantage® advises on ISO/IEC 27001 to ISO/IEC 42001 transition and integration, AI system inventory and Annex III risk classification, ISO 42001 implementation, and EU AI Act readiness for high-risk systems.
AuditVantage® provides advisory and implementation services only. AuditVantage® is not a law firm; matters requiring legal advice or a formal legal opinion are referred to qualified counsel. ISO certification decisions rest with accredited certification bodies. EU AI Act conformity assessment for high-risk AI systems is conducted by accredited Notified Bodies. Information in this article reflects the regulation as published in Regulation (EU) 2024/1689 and may be subject to legislative adjustment.