Key Takeaways

1. ISO 42001 and ISO 27001 serve different purposes with different use cases. ISO 42001 is specifically for companies that deal with and manage AI systems, whereas ISO 27001 centers on information security management for any company.

2. Implementation timelines, costs, and compliance processes vary between the two standards, and you can choose based on your specific needs and priorities.

3. I.S. Partners conducts internal audits to identify gaps against international cybersecurity standards.

Which ISO Standard Do You Need?

ISO 27001 provides a solid structure for safeguarding information integrity, whereas ISO 42001 presents a proactive method for navigating the use of artificial intelligence in service organizations.

ISO 42001 is an international standard designed to establish, implement, maintain, and enhance an Artificial Intelligence Management System (AIMS) within companies. If you’re managing AI in any way within your company, this standard takes the forefront in maintaining the ethics and transparency of the AI system. Moreover, it covers the full AI system lifecycle, from origination through implementation to continuous observation.

On the other hand, ISO 27001 is a standard that ensures proper information security management. First published in 2005 and later revised in 2022, the standard was developed by ISO (the International Organization for Standardization) to help every organization manage its information assets in the most secure way possible.

Organizations must also remember that while these standards differ greatly in application and scope, they intersect in some major aspects. One major intersection is that both standards require annual internal audits to ensure consistent compliance.

These intersections make it easier for organizations to apply both standards to their systems, especially companies that require both ISO certifications.


ISO 42001 vs ISO 27001: Key Differences

While both standards are meant to reduce risks, they focus on different things: AI for ISO 42001 and information security for ISO 27001. 

“ISO 42001 is best suited for customers integrating AI into their technology.

ISO 27001 is best used for companies that own IT resources and need to provide their customers assurance about their information security program.

In many cases, both standards may apply to a customer if the company offers a software solution that integrates with AI.” – Joe Ciancimino, Director at I.S. Partners

Below, we further dissect the difference between the two ISO programs based on different parameters. 

  1. Scope
  2. Application of Standard
  3. Process of Compliance
  4. Impact on Service Organizations
  5. Integration to Existing System
  6. Number of Controls
  7. Implementation Timeline
  8. Monitoring Protocols
  9. Cost

Scope

ISO 42001

In ISO 42001, the scope defines the boundaries of the AI management system and where the standard applies within a company that uses AI systems. If you use AI in your systems, this standard lays the groundwork for setting up, maintaining, and improving your AI management system.

Moreover, the scope includes how an AI management system is planned and implemented within the organization’s existing management systems. It also involves how AI fits into your day-to-day operations and works with existing management methods.

This understanding is key for ensuring the AI system fits the organization’s goals and needs while securing sensitive data and maintaining ethical AI practices.

ISO 27001

For this risk management framework, the scope outlines your company’s Information Security Management System (ISMS) and what it safeguards.

This includes information, processes, products, systems, and geographic areas that need air-tight protection. Notably, the scope statement also mentions what is not covered by the ISMS.

For example, Clause 4.3 of the ISO 27001 standard details how to define the scope of your ISMS. It emphasizes the importance of a clear scope statement and recommends creating a detailed Statement of Applicability to support it. The Statement of Applicability will give you more context and specifics to further clarify your ISMS’s inclusions relative to the Annex A controls.

Application of Standard

ISO 42001

Since ISO 42001 was created for managing AI risks, it applies to every company in any industry and is the only certifiable framework for managing machine learning and AI technologies.

The program applies to companies integrating AI into their systems and helps ensure responsible and transparent AI governance. This includes software that uses AI to handle, process, or generate sensitive information.

ISO 27001

Any organization can use ISO 27001, no matter how big or small, what it does, or what sector it’s in. 

This includes small businesses, big companies, government agencies, and non-profits.

The ISO program applies to them as long as the company handles sensitive customer data. ISO 27001 is commonly applied to SaaS providers and data services platforms.

Process of Compliance

ISO 42001

To implement ISO 42001, you should review and update your AI management practices to meet ISO standards. Compliance with this standard includes the following general steps:

  1. Understand Your AI Management Practices. First, evaluate the AI management practices currently in place within your company. This requires you to identify how AI is being used, the processes involved, and how extensively AI is integrated into your operations.
  2. Formalize a Plan. Once you understand the requirements, create a plan for implementing them within your company. This plan should outline the steps and resources you’ll need to achieve the final certification.
  3. Conduct a Risk Assessment. Next, assess your current practices against the requirements of ISO 42001. This risk assessment process helps you identify areas where your current processes may fall short and need improvement to meet the standard’s criteria.
  4. Implement Risk Management Measures. Once you assess and identify risks, develop strategies to mitigate or manage them. This may involve implementing controls, safeguards, or countermeasures to reduce the likelihood or impact of risks.
  5. Address Gaps in the System. With the gaps identified, focus on addressing them to become compliant with ISO 42001. Here, you need to be more proactive and start by implementing new processes, training employees, or updating documentation to meet the standards’ requirements.
  6. Prepare for the Certification Audit. Once you’ve addressed gaps and are confident in your organization’s readiness, it’s time to undergo the certification audit. A certification body will verify that your management system meets the requirements of ISO 42001.

ISO 27001

To get certified, an organization must have an ISMS that meets all of the standard’s requirements. It can then engage a certification body to conduct a thorough audit.

The process of compliance with ISO 27001 includes:

  1. Develop an ISMS With Policies and Procedures. The first step is to create rules and guidelines for information security within your company. These policies and procedures outline how you’ll handle and protect sensitive information from threats.
  2. Perform a Risk Assessment. Start by going through a checklist of policies, procedures, and documents aimed at safeguarding your ISMS. Then, identify potential risks to your critical data. Think about what could go wrong, like cyberattacks or human error, and determine how severe each risk is. Some might be minor annoyances, while others could be major threats to your data’s security.
  3. Develop a Risk Treatment Plan and Process. Your risk treatment plan should include:
    • Avoid risk: Stop doing certain tasks or processes that pose a risk.
    • Decrease risk: Use controls and safeguards to reduce the likelihood or impact of the risk.
    • Share risk: Transfer the risk to a third party, like an insurance company.
    • Accept risk: If mitigating the risk costs more than the potential damage, it may be better just to accept it.
  4. Implement the Missing Controls. Once you know your risks, you need to put measures and controls in place to mitigate them. These controls could include firewalls, encryption, or access controls to limit who can see certain information.
  5. Maintain an Internal Audit Program. Your internal team will undertake several crucial tasks to ensure the integrity and security of your systems. They will meticulously review documents, assess vulnerabilities through penetration tests, compile internal audit reports, and analyze any identified non-conformities.
  6. Certification Audit. Finally, when your company is confident that it meets all the requirements of ISO 27001, you can undergo a certification audit. This is a thorough examination by an independent auditor to verify that your information security management system meets the ISO 27001 standards. If you pass, you’ll receive official certification showing clients and partners that your company takes information security seriously.
  7. Monitor and Measure Results. Regularly monitor and review the effectiveness of implemented risk mitigation measures. This allows for ongoing risk management and ensures your company remains resilient to evolving threats.

Impact on Service Organizations

ISO 42001

The main visible impact is that when service organizations integrate ISO 42001 into their governance structures, they guarantee their AI systems’ reliability, fairness, and openness from start to finish.

This, of course, reduces risks, encourages creativity, and earns trust from key stakeholders.

Also, using AI can raise questions about whether your company is complying with different regulations. For example, using AI to handle sensitive data with human-like intelligence might conflict with rules about managing access to protected health information (PHI) and similar data.

ISO 27001

Obtaining an ISO 27001 certificate shows that your organization recognizes and seriously evaluates information security risks. 

It then puts measures in place to reduce those risks to an acceptable level, like actively addressing potential security threats and vulnerabilities.

When companies obtain ISO 27001 certification, it shows they have been through a rigorous evaluation and regular audits by an accredited body. The certification means they follow global information security standards, and maintaining it shows they are dedicated to keeping their security strong and continually improving it.

Integration to Existing System

ISO 42001

ISO 42001 suggests merging AI management systems with your current organizational setups. This way, your AI systems match your organization’s objectives and strategies.

Organizations need this all the more because news coverage of AI often discusses both the technology’s potential benefits and the fear that it could pose risks to humanity. Implementing an AI management system, in this case through ISO 42001 certification, shows that you understand and handle these risks while enjoying the advantages of AI.

ISO 27001

ISO 27001 does not have specific provisions for integrations. However, it does have requirements related to third-party relationships and supplier management that are relevant when considering integrations.

The standard covers supplier relationships. Organizations must establish agreements with suppliers that cover relevant information security requirements, such as access control, performance monitoring, and auditing. This requirement entails thoroughly evaluating third-party vendors and forming comprehensive and secure contracts with them.

Number of Controls

ISO 42001

In the latest draft of ISO 42001, the 39 Annex A controls cover various aspects, including policies concerning AI, internal organization (such as roles and responsibilities), and resources for AI systems such as data, tools, and human resources.

ISO 27001

The current version of ISO 27001, published in 2022, includes 93 controls grouped into four categories:

  • Organizational
  • People
  • Physical
  • Technological

Implementation Timeline

ISO 42001

The timeline varies widely depending on your company’s size and the extent of your current system implementation.

ISO 27001

The ISO 27001 certification process typically lasts around three months for small organizations and up to a year for larger companies. The specific timeline to establish ISO 27001 is described below:

  • Pre-audit phase: 1 to 4 months 
  • Stage 1 audit: In month 5
  • Stage 2 audit: Months 6 to 8 
  • Monitoring and continuous improvement: Months 9 to 12

Monitoring Protocols

ISO 42001

The provisions of ISO 42001 require two main assessments:

  1. An AI risk assessment, conducted regularly, and
  2. An AI system impact assessment.

This means you need to monitor how AI affects your risks and keep evaluating it continuously.

ISO 27001

ISO 27001 includes controls that focus strictly on monitoring network, system, and application operations to detect abnormal activity. This means you can respond to incidents effectively and rapidly.

Cost

ISO 42001

Getting ISO 42001 certification involves undergoing an audit conducted by an accredited auditor, so the cost is highly variable. Like the duration of the process, the audit fees depend on several factors.

ISO 27001

In the US, the cost of ISO 27001 certification can range anywhere from $10,000 to $60,000. Several factors determine the cost, including the auditor you choose, how complex your ISMS is, and the size of your company.

Overview of Differences Between ISO 42001 and ISO 27001

| Parameters | ISO 42001 | ISO 27001 |
| --- | --- | --- |
| Scope | Defines how the standard applies to companies using AI systems and focuses on how they’re managed. | Outlines what parts of a company’s information and systems need tight protection. |
| Application of Standard | For any company using AI, no matter the industry. | Any organization, as long as they handle customer information. |
| Process of Compliance | You need to meet the standard requirements and pass a certification audit. | Review and update your practices to meet the standard, focusing on managing risks. |
| Impact on Service Organization | Ensures AI systems are reliable and fair, reducing risks and building trust. | Shows the organization takes information security seriously, reducing risks to an acceptable level. |
| Integration to Existing System | Suggests merging AI management with your current setup. | Aligns information security controls with your quality objectives. |
| Number of Controls | Covers 39 controls related to AI policies and resources. | Includes 93 controls grouped into different categories. |
| Implementation Timeline | Depends on company size and system implementation. | Usually three months for small organizations and up to a year for larger ones. |
| Monitoring Protocols | Requires regular assessments of AI risks and impacts. | Focuses on monitoring network, system, and application operations for abnormalities. |
| Cost | Varies based on audit duration and other factors. | Varies based on your system’s complexity and company’s size. |

Align with ISO Standards through I.S. Partners’ Internal Audits

Achieving alignment with ISO standards requires dedication, detailed evaluations, and regular audits. With strict requirements and ongoing reevaluations, organizations need reliable strategies to ensure their processes meet ISO expectations and protect critical information.

I.S. Partners conducts comprehensive internal audits to evaluate your current practices and identify gaps. Stay on track with ISO alignment through continuous improvement and expert audits tailored to your business needs.

Contact us today and schedule a meeting with our experts.
