AI governance: Why ISO 42001 is the natural next certification step.

Artificial intelligence is transforming business operations across every sector. For organisations already certified to ISO/IEC 27001:2022, the emerging ISO/IEC 42001:2023 standard represents a logical and efficient pathway to governance excellence.

ISO 42001[1] is the world’s first comprehensive framework for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS). It builds on the foundation of information security governance, enabling organisations to demonstrate responsible AI adoption and regulatory readiness[2].

ISO 27001-certified organisations can achieve ISO 42001 compliance up to 40% faster than those starting from scratch[3]. Dual certification not only streamlines compliance but also positions organisations at the forefront of global AI governance, which will be a competitive differentiator through 2030 and beyond.

In our on-demand webinar Governing AI risk, Protecht’s David Tattam and Gary Lynam unpack the critical elements of AI governance, risk management, and compliance, and introduce our AI Governance package.

The strategic imperative: Why AI governance matters now

AI adoption is accelerating. According to McKinsey, 72% of organisations now use AI in at least one business function, up sharply from 55% the previous year[4]. This rapid adoption creates both opportunity and risk. AI systems handle sensitive data, make automated decisions, and shape human outcomes. They also introduce unique challenges around bias, transparency, accountability, and regulatory compliance.

The regulatory landscape is also evolving rapidly. The EU AI Act entered into force on 1 August 2024 and will be fully applicable by 2 August 2026, with enforcement for high-risk systems beginning in February 2026[5]. Beyond Europe, jurisdictions worldwide are building frameworks that will create complex, multi-jurisdictional compliance demands[6].

Organisations that proactively adopt AI governance frameworks such as ISO/IEC 42001 will be better positioned to navigate this complexity, build stakeholder trust, and demonstrate leadership.

Why ISO 42001 when you already have ISO 27001?

ISO/IEC 27001 and ISO/IEC 42001 share significant structural overlap, but they focus on distinct domains.

  • ISO 27001: Safeguards information security, confidentiality, integrity, and availability across all assets.
  • ISO 42001: Addresses AI-specific concerns including ethics, bias mitigation, explainability, lifecycle management, and human oversight.

For organisations already compliant with ISO 27001, adding ISO 42001 creates a unified governance structure that integrates information security and AI risk management.

Dual certification delivers:

  1. Unified governance: A single, board-level framework covering both AI and information security.
  2. Integrated risk management: Addressing IT risks and AI-specific challenges holistically.
  3. Stakeholder confidence: Independent validation of responsible AI adoption.
  4. Competitive differentiation: Clear market leadership in governance maturity.

Leveraging your ISO 27001 investment

Both standards follow the Annex SL high-level structure and the Plan-Do-Check-Act (PDCA) cycle. This shared methodology means ISO 27001-certified organisations already have the scaffolding for ISO 42001 implementation.

Many ISO 27001 controls map directly to ISO 42001, including:

  • Risk management: Existing methodologies can extend to AI-specific risks.
  • Incident management: Response procedures adapt easily to AI-related events.
  • Training and awareness: Security training frameworks expand to AI ethics and oversight.
  • Internal audit: Audit planning, corrective action, and review processes transfer directly.

Modern platforms accelerate this process by cross-referencing ISO 27001 clauses with ISO 42001 requirements, ensuring consistency and reducing implementation time.

In our experience working with organisations implementing ISO standards using Protecht, ISO 27001-certified organisations can achieve ISO 42001 compliance 30-40% faster than those starting from scratch. This efficiency gain comes mainly from reuse: the evidence and documentation for Clauses 4-10 have already been gathered and tested during ISO 27001 certification. Organisations can instead focus on the AI-specific requirements: impact assessments, AI governance policies, and specialised controls.

Beyond the foundation: New ISO 42001 requirements

While ISO 27001 lays the groundwork, ISO 42001 introduces AI-specific requirements, including:

  • Transparency and explainability: Documenting AI decision-making processes and limitations.
  • Data governance and quality: Standards for collection, bias testing, and provenance tracking.
  • Model development and validation: Testing, validation, and fairness evaluation.
  • Human oversight: Ensuring human-in-the-loop controls for critical decisions.
  • AI ecosystem governance: Oversight of AI vendors, third-party providers, and cross-border compliance.

The certification journey: four phases

Moving from ISO 27001 to ISO 42001 is not just a matter of adding new policies. It requires a structured program that builds on your existing ISMS, extends it to cover AI-specific requirements, and then demonstrates maturity through audit. The journey is measurable, phased, and, when approached strategically, achievable within a 12-month window.

  1. Gap analysis and planning (Months 1–2): Map existing ISO 27001 controls, identify AI systems, and assess maturity.
  2. AIMS development (Months 3–5): Extend policies, implement AI-specific controls, and establish governance roles.
  3. Operation and monitoring (Months 6–8): Run PDCA cycles, conduct integrated audits, and monitor AI performance.
  4. Certification (Months 9–12): Align audit cycles with ISO 27001, prepare evidence, and engage accredited auditors.

Strategic benefits of dual certification

Certification is not an end in itself. The real value lies in the business outcomes that dual certification makes possible: stronger market positioning, greater trust from regulators and customers, and integrated governance that eliminates duplication and inefficiency. These benefits compound over time, creating both compliance assurance and strategic advantage.

  • Market differentiation: Establishes leadership in responsible technology adoption.
  • Stakeholder confidence: Independent validation of AI safety and governance.
  • Regulatory readiness: Anticipates global frameworks, reducing compliance risk.
  • Efficiency gains: Eliminates duplicate processes and strengthens governance integration.
  • Direct financial savings: Certification can save money on cyber insurance.

Future-proofing your investment: building beyond ISO 42001

Dual certification in ISO 27001 and ISO 42001 creates a strong foundation, but governance maturity does not stop there. Other ISO standards extend this framework into adjacent areas of risk and resilience, and should be sequenced according to organisational priorities.

  • ISO/IEC 27701 (Privacy Information Management):
    Designed as a privacy extension to ISO 27001, ISO 27701 strengthens governance where AI systems process personal data. It is the most immediate next step, often implemented alongside ISO 27001 audits to reduce cost and effort.
  • ISO 22301 (Business Continuity Management):
    Focused on resilience, ISO 22301 ensures that core information security and AI operations can withstand and recover from disruption. This becomes critical as reliance on AI deepens and regulatory expectations around resilience grow.
  • ISO 9001 (Quality Management Systems):
    While broader in scope, ISO 9001 embeds a culture of quality that underpins all governance systems. Many organisations adopt it later in their roadmap to reinforce process excellence and strengthen stakeholder confidence.

Taken together, these certifications extend governance beyond compliance into resilience and trust. A phased 3–5 year roadmap – starting with ISO 27701 for privacy, then ISO 22301 for resilience, and finally ISO 9001 for cultural excellence – ensures organisations remain ahead of regulatory demands and market expectations. Adopting a GRC platform with support for controls frameworks is by far the most efficient way to achieve and manage multiple overlapping certifications.

Conclusions and next steps for your organisation

The convergence of information security and AI governance marks a fundamental shift in technology risk management. For ISO 27001-certified organisations, pursuing ISO 42001 is not simply about compliance; it is a chance to lead in trustworthy and secure AI adoption.

The question is no longer whether AI governance will be essential, but whether your organisation will lead or follow. By acting now, you secure competitive advantage, strengthen stakeholder trust, and build resilience against future regulatory and technological change.

This is where Protecht provides the bridge. Our cyber and IT risk management solution helps you:

  • Implement and cross-map IT and AI control frameworks consistently
  • Centralise libraries and registers for risks, controls, and assurance activities
  • Streamline workflows so business risk owners act at the right time
  • Provide executives and boards with clear, reliable reporting on IT and AI governance posture
  • Demonstrate compliance with multiple standards, including ISO 27001, ISO 42001, NIST CSF, and SOC 2, through a single platform
  • Help organisations centralise their data capture for all AI systems and tools, whether developed and deployed in-house or licensed from third parties

With preconfigured control libraries, integrated assurance workflows, and dashboards that translate technical controls into board-level insights, Protecht helps you accelerate certification and deliver confidence across stakeholders.

Take the next step in your ISO roadmap.

Request a Protecht ERM demo and see how you can streamline IT and AI governance while building a future-proof compliance framework.

References and notes

[1] For ease of reading, in this blog we refer to each joint ISO/IEC standard with its full name and code on first mention and subsequently abbreviate as here.

[2] ISO/IEC 42001:2023 – AI Management Systems

[3] Protecht research documented later in this article

[4] McKinsey – The State of AI

[5] EU AI Act – Official Documentation

[6] UK AI White Paper – A Pro-Innovation Approach

About the author

Mike Franklin has a long background in cyber security and risk governance. Prior to joining Protecht to lead our cyber risk team, he worked for multiple blue-chip organisations in banking, finance and tertiary education. Mike’s deep expertise helps Protecht customers to strengthen their cyber security, ISMS and third party/vendor risk management programs.