ISO 27001 + 42001 — combined 14-month programme
60 weeks · shared controls minimise duplication
Timeline milestones (weeks 0 to 60): Joint scope → Shared controls → AI-specific controls → Internal audit (both) → External audit (both) → Dual certification.

Organisations that already run ISO 27001 and are now asked by customers for ISO 42001 typically hear two answers. From consultants: “these are complementary standards, we can help you implement 42001 alongside your existing ISMS.” From certification bodies: “we can integrate the audits where our accreditation scope allows.” Both answers are correct and neither is useful for planning.

The practical question is different. How much of the 42001 work is already done by your existing ISMS? How much is genuinely new? Can you run a single combined programme, and if so, what does it look like? How do you sequence the audits to avoid paying for the same evidence twice?

This article is the dual-track plan — what overlaps, what doesn’t, and how to run the programme as an integrated management system rather than two parallel streams.

Why combine ISO 27001 and ISO 42001

Two reasons, one structural and one commercial.

The structural reason: both standards follow the ISO Harmonised Structure. Clauses 4 through 10 — context, leadership, planning, support, operation, performance evaluation, improvement — use aligned language and map to the same underlying management system logic. An organisation with a mature ISMS already has about 60% of what the AIMS requires at the management system level. The remaining 40% is the AI-specific substance: Annex A controls on AI lifecycle, impact assessment, AI data governance, and user-facing AI information.

The commercial reason: running the programmes sequentially costs about 70–80% of the effort of running them separately. Running them as a combined programme costs about 60% — a 30–40% efficiency gain. The gain comes from shared artefacts (a single policy suite, a single risk register structure, a single internal audit function), shared evidence cycles, shared management review meetings, and — where the certification body’s accreditation allows — combined audit events.

The caveat: combined programmes are genuinely harder to run than sequential programmes. A team already stretched by an ISO 27001 programme should not layer ISO 42001 on at month six and expect efficiency gains. The combined programme is most efficient when planned as combined from the start, or when layered into an existing mature ISMS with capacity to absorb the additional work.

The dual-track timeline

A combined first-time programme at an AI-focused SaaS of 100–500 people runs roughly 14 months. Organisations implementing 42001 on top of an existing certified ISMS can compress to 8–10 months. Starting from no management system foundation and pursuing both in parallel runs 16–18 months.

Phase 1: Combined scope, leadership, inventories      Months 1–2
Phase 2: Risk & impact assessment (parallel tracks)   Months 2–5
Phase 3: Shared and standard-specific controls        Months 4–11
Phase 4: Combined internal audit and mgmt review      Months 11–13
Phase 5: Stage 1 + Stage 2 (sequenced or combined)    Months 13–14

The shape: Phase 2 runs two parallel assessment tracks (ISO 27001 risk assessment and Statement of Applicability; ISO 42001 AI impact assessment and Annex A applicability). Phase 3 merges where controls overlap and splits where they don’t. Phase 4’s internal audit covers both standards in a single programme. Phase 5’s certification audits either run as a combined event or closely sequenced, depending on certification body capability.

Controls that overlap

The 60% overlap figure is useful shorthand, but it matters where the overlap sits. Most of the shared work is in management system infrastructure, not in specific controls.

Management system clauses (4–10). Context, leadership, planning, support, operation, performance evaluation, improvement. The two standards use aligned language and require structurally similar artefacts — a context-of-the-organisation document, a policy signed by senior leadership, risk and opportunity identification, competence and awareness, documented information control, operational planning, monitoring and measurement, internal audit, management review. One set of these artefacts scoped to cover both management systems is substantially less effort than two sets.

Organisational controls. Roles and responsibilities, segregation of duties, governance oversight, supplier relationships, incident management process. Largely shared; the 42001-specific additions (AI roles in particular) extend rather than replace the 27001 equivalents.

People controls. Screening, terms and conditions, security awareness, disciplinary process. Shared. 42001 adds AI-specific competency requirements but uses the same HR control infrastructure.

Physical controls. Entirely shared. 42001 doesn’t add meaningful physical controls beyond what 27001 already covers.

Technological controls — a significant fraction. Access control, cryptography, operations security, communications security, system acquisition and development security, supplier management. Most of these controls apply to AI systems as information systems, same as any other.

Total overlap at the control level: roughly 60%, concentrated heavily in the management system structure and the organisational / people / physical clusters. The percentage feels low until you realise that the shared management system infrastructure is the work that normally takes longest — standing up governance, policies, internal audit, management review — and the overlap means you only do that work once.

Controls that diverge

The 40% that’s genuinely ISO 42001-specific clusters in four areas.

AI lifecycle controls. Processes for AI system objective setting, design, development and testing, deployment, operation, monitoring, and retirement. ISO 27001 doesn’t require these at this level of specificity. This is new work.

AI system impact assessment. Evaluation of AI systems’ effects on individuals, groups, and society. No ISO 27001 equivalent — 27001 risk assessment evaluates risks to the organisation; 42001 impact assessment evaluates consequences for others. Genuinely new process.

AI data governance. Data acquisition, quality, labelling, preparation, and handling specifically for AI training and operation. Overlaps with 27001 data handling controls but extends into territory 27001 doesn’t address — bias in training data, dataset lineage, labelling practices, synthetic data treatment.

Third-party AI and user-facing controls. Due diligence on AI system providers (where you integrate third-party AI), ongoing monitoring of third-party AI behaviour, and information provided to users and affected parties about AI capabilities and limitations. Overlaps with 27001 supplier management and information-security obligations, but the AI-specific additions are substantial.

The pragmatic view: the 42001-specific work is the interesting substantive work — the stuff that makes 42001 meaningful as an AI management standard rather than just 27001 with an AI sticker. Teams that treat the combined programme as “27001 plus some extra controls” under-invest in the AI-specific work and produce a thin 42001 implementation that audits poorly and fails to deliver the commercial benefit certification is supposed to provide.

The AI impact assessment as a new programme element

Worth singling out because it’s the single most distinctive element of ISO 42001 and the one that most commonly trips first-time implementers.

The AI system impact assessment is a documented, repeatable process for evaluating the potential impact of AI systems on individuals, groups, and society. It runs before significant AI system decisions (deployment, material changes, new uses) and produces an auditable record. The assessment covers: intended and reasonably foreseeable use, affected parties, types and severity of potential impacts (economic, social, psychological, environmental, rights-based), likelihood, and mitigations.

What makes this new work rather than an extension of existing risk assessment: the evaluation perspective. ISO 27001 risk assessment evaluates risks from the organisation’s point of view — what could harm the organisation or its assets. AI impact assessment evaluates consequences from the affected party’s point of view — what could harm users, affected groups, or society, even if the organisation itself is unharmed. The skill set required is different, the methodology is different, and the documentation is different.

Design this process deliberately in Phase 2. Don’t try to bolt impact assessment onto your existing risk assessment process. They’re complementary tools serving different questions.

Combined audit sequencing

Audit sequencing is where combined programmes either realise their efficiency gain or throw it away.

Option 1: integrated combined audit. A single audit event covering both standards, conducted by auditors with scope across both, producing two certificates from a single fieldwork engagement. Most efficient. Requires a certification body whose accreditation covers both standards and auditor teams competent in both. As of 2026, this is possible with a growing number of certification bodies but still not universal. Check specifically.

Option 2: closely sequenced audits. Stage 1 and Stage 2 for one standard, followed within weeks by Stage 1 and Stage 2 for the other. Evidence is reusable between the two audits because it was produced by the same management system. Saves some effort, but not as much as an integrated combined audit. Viable with any certification body that is accredited for both standards.

Option 3: separate audits. Full audits conducted independently. Little efficiency gain. Use only if forced by certification body constraints or if the organisation is consolidating toward combined audits over time.

The practical reality: in 2026, option 1 is worth negotiating hard for with your certification body, option 2 is the realistic fallback, and option 3 is avoidable with reasonable certification body selection.

Audit scope boundaries matter here. If the 27001 ISMS and the 42001 AIMS cover different organisational scopes (for example, 27001 covers the whole company and 42001 covers only the AI product line), the audits have different object boundaries even if conducted together. Plan this in Phase 1, not in Phase 5.

Where combined programmes still slip

Four failure patterns specific to combined programmes — distinct from the generic failure modes of either standard alone.

Treating 42001 as “27001 with AI controls.” Teams produce a thin AI impact assessment process, under-invest in lifecycle controls, and treat Annex A as a checklist. Audits pass minimally but the 42001 certificate doesn’t deliver commercial value because sophisticated customers can see the implementation is superficial. Mitigation: invest in the 42001-specific elements (impact assessment process, AI lifecycle controls, AI data governance) as substantive work, not as 27001 extensions.

Parallel teams with weak integration. One team runs the 27001 programme, another runs the 42001 programme, they share a leadership sponsor but no operational integration. Shared artefacts end up duplicated with slightly different language, shared audits are harder to coordinate, and the efficiency gain never materialises. Mitigation: one programme owner, one schedule, one policy suite. Subject-matter teams for specialised workstreams (AI impact assessment; ISMS risk assessment) report into the combined programme.

Scope divergence. 27001 ISMS scope and 42001 AIMS scope drift apart during implementation, producing two management systems with different object boundaries that share some artefacts incompatibly. Mitigation: define scope for both standards in Phase 1 with explicit intersection mapping, not as sequential decisions.

Certification body capability mismatches. Organisations select a certification body based on 27001 experience, then discover late that the body’s 42001 accreditation is thin or its 42001 auditors don’t meet the competency expectations. Mitigation: select certification body in Phase 1 based on combined-programme capability — both accreditations, both competent auditor pools, demonstrated experience running combined audits.

The underlying pattern: combined programmes reward organisations that design them as combined from the start and punish organisations that try to retrofit integration onto two parallel streams.

FAQ

How much does a combined ISO 27001 + ISO 42001 programme cost?

Certification body fees for combined Stage 1 + Stage 2 typically run $40,000–$100,000 for a mid-sized SaaS, about 30–40% less than separate first-time audits. Internal effort and consulting costs are reduced by a similar proportion. Total first-year programme cost is usually 60–65% of what two separate programmes would cost.

Can I certify both standards in a single audit?

If your certification body holds accreditation for both and has auditor teams competent across both. As of 2026, a growing but not universal number of certification bodies offer this. Confirm specifically during selection.

Which standard should I certify first if I do them sequentially?

ISO 27001 first if you don’t have an existing ISMS — it’s the foundation. If you already hold ISO 27001, ISO 42001 naturally comes next, added on to the existing ISMS. Sequential implementation loses most of the combined-programme efficiency gain, so only choose it when combining isn’t practical.

Does ISO 42001 require me to already have ISO 27001?

No. ISO 42001 is a standalone standard. But implementing it without any ISMS foundation is substantially more work, so organisations without an ISMS typically pursue both together or implement ISO 27001 first.

What’s the practical overlap between the two standards?

Roughly 60% of the work overlaps, concentrated in the management system structure (clauses 4–10), organisational controls, people controls, physical controls, and some technological controls. The 40% that’s 42001-specific covers AI lifecycle controls, AI impact assessment, AI-specific data governance, and AI user-facing controls.

Can one auditor audit both standards?

If the auditor holds competency in both. Some lead auditors have qualified for both; many have not. Check specifically for the auditor assigned to your programme.

How long does a combined programme take?

Roughly 14 months for a first-time combined programme. 8–10 months for 42001 added to an existing certified 27001 ISMS. 16–18 months when starting from no management system foundation at all and pursuing both in parallel.

Are the certificates issued separately?

Yes. Each standard produces its own certificate. Combined audits produce two certificates from a single engagement.

What happens at surveillance audits?

Annual surveillance audits typically cover both standards in a single event (where the certification body supports combined audits), focused on a rotating subset of controls and on changes since certification. Surveillance audits are lighter-touch than initial audits.

Should I combine ISO 42001 with SOC 2 instead of ISO 27001?

SOC 2 is a US-centric attestation report; ISO 42001 is an international management system standard. Combining SOC 2 and ISO 42001 is possible but doesn’t produce the same structural efficiencies as combining two ISO management system standards. For US-centric organisations without international exposure, running SOC 2 and ISO 42001 as separate programmes is usually fine; for organisations with EU exposure, ISO 27001 + ISO 42001 combined delivers more commercial value.