Brochures

From ISO 27001 to ISO 42001: The Migration Path

Zertia Team · 5 min read
Share

If your organization holds ISO 27001 and operates AI, ISO 42001 is not a second project. It is an extension. The question is not whether to add it, but how to add it without duplicating work, creating parallel documentation, or destabilizing the ISMS that already passes audits.

## The common belief

Two opposite framings are common. The first treats 42001 as a lightweight add-on, something that can be bolted onto the ISMS with a few new documents. The second treats it as a complete parallel system, implemented separately to avoid confusion.

Both framings miss the design intent. ISO 42001 was built on the same Harmonized Structure as 27001, specifically so that organizations could extend their existing management system rather than build a second one. But the extension is not cosmetic. It requires deliberate choices about what to share and what to keep distinct.

## What to share, what to extend, what to add

### Share (no rework needed)

The clauses 4 to 10 of both standards are structurally identical. That means your existing context analysis, leadership commitment, planning framework, support infrastructure, performance evaluation, and improvement processes can serve both standards directly. An organization with a mature 27001 ISMS has already done this work. Rewriting it for 42001 is waste.

Shared elements typically include:

– Management review process and cadence
– Internal audit program structure
– Document and record control
– Competence and training framework
– Corrective action process
– Resource planning and leadership engagement

### Extend (adapt existing elements)

Some elements serve both standards but need adaptation to accommodate AI-specific scope. Risk management methodology is the clearest example: your 27001 risk framework can be extended to cover AI risks, but the risk categories, assessment criteria, and treatment options need AI-specific additions.

Other typical extensions:

– Supplier evaluation (extending vendor risk to AI providers)
– Change management (extending to model updates and retraining)
– Incident response (extending to AI-specific failure modes)
– Scope statement (explicitly including AI systems)

### Add (genuinely new)

A small number of 42001 Annex A controls have no 27001 equivalent and must be built new. These include:

– AI impact assessment for affected parties
– Data governance for AI systems (training data provenance, appropriateness)
– Human oversight design
– AI system lifecycle management
– AI-specific third-party evaluation
– Post-deployment monitoring for model behavior

These are the parts of the AIMS that cannot be retrofitted from the ISMS.

> The migration is not a bigger ISMS. It is an ISMS that knows where it stops and where the AIMS begins.
>

## A realistic 6-month migration timeline

For an organization with a mature 27001 ISMS:

Months 1–2: Gap assessment. Map every clause and Annex A control of 42001 against existing 27001 evidence. Classify as share, extend, or add. Build an inventory of AI systems in scope and assign ownership.

Months 2–4: Extensions. Adapt risk methodology, supplier evaluation, change management, and incident response to cover AI-specific scope. Update the scope statement. Extend the Statement of Applicability.

Months 3–5: New controls. Build the genuinely new 42001 controls: impact assessment, AI data governance, human oversight, AI lifecycle management, post-deployment monitoring. Roll out and generate early evidence.

Months 5–6: Internal audit (joint 27001 + 42001), management review, preparation for Stage 1 42001 audit.

An organization starting from scratch on 42001, without a 27001 base, typically needs 12 months. The savings from reusing 27001 are real and material.

## Reframing the question

The migration question is usually framed as “What new documents do we need?” A better framing is “What new capabilities does our management system need, and how do we fit them into the operating cadence we already have?”

Documentation follows capability, not the other way around. Migrations built around documentation produce binders. Migrations built around capability produce a management system that actually governs AI.

## The structural shift

Management system certification is moving toward modular, composable certification. 27001, 42001, 27701, 9001, 22301, and 14001 all share the Harmonized Structure. The market expectation is that mature organizations will certify against several of these standards using a single integrated management system, with each standard covering the domain it specializes in.

Organizations that plan for modularity now will add future standards with incremental effort. Organizations that treat each standard as a separate silo will carry duplicative structures for decades.

## What this means for your organization

Audit the ISMS before planning the extension. The strength of the migration depends entirely on the quality of the existing 27001 implementation. Weak foundations produce weaker extensions.

Sequence the first audit carefully. First-time 42001 certification is usually cleaner when audited independently of 27001, even when the underlying system is integrated. Combined audits are efficient once both systems are stable.

Design the Statement of Applicability as one document with two standards. Modern GRC practice is to maintain a unified SoA that references 27001 Annex A and 42001 Annex A controls together, with clear attribution of which control addresses which standard’s requirements.

> The organizations that will certify 42001 fastest are the ones that treat their ISMS as a platform, not a product. The platform absorbs new standards. The product is obsoleted by them.
>

Ready to extend your ISMS into AI governance?

📩 [[email protected]](mailto:[email protected]) · 🌐 [zertia.ai](http://zertia.ai)

Your fast track to compliance starts here

Our team is ready to support your compliance, cybersecurity, and privacy needs. Complete the contact form or reach out to [email protected], and our experts will guide you through the next steps.