Skip to main contentAI Policy Blueprint
Back to the snapshot

ISO 27001 to ISO 42001

ISO/IEC 27001:2022 and ISO/IEC 42001:2023 are designed to operate together. This map shows where each ISO 42001 Annex A control draws on an information-security control you may already run, and where it adds something specific to AI.

29
Carried over
9
Specific to AI
43
Security-only

What ISO 42001 adds for AI

The controls an AI management system introduces, where an information-security standard was not written to reach.

  • A.5.2AI system impact assessment process
    Specific to AI
  • A.5.3Documentation of AI system impact assessments
    Specific to AI
  • A.5.4Assessing AI system impact on individuals or groups
    Specific to AI
  • A.5.5Assessing societal impacts of AI systems
    Specific to AI
  • A.6.1.2Objectives for responsible development of AI
    Specific to AI
  • A.7.4Quality of data for AI systems
    Specific to AI
  • A.7.5Data provenance
    Specific to AI
  • A.9.3Objectives for responsible use of AI systems
    Specific to AI
  • A.9.4Intended use of the AI system
    Specific to AI

Each ISO 42001 Annex A control, grouped by objective, and the ISO 27001 controls it draws on.

    • A.2.2AI Policy
      Carried over

      Relates to

    • A.2.3Alignment with other organizational policies
      Carried over

      Relates to

    • A.2.4Review of the AI policy
      Carried over

      Relates to

    • A.3.2AI roles & responsibilities
      Carried over

      Relates to

    • A.3.3Reporting of concerns
      Carried over

      Relates to

    • A.4.2Resource documentation
      Carried over

      Relates to

    • A.4.3Data resources
      Carried over

      Relates to

    • A.4.4Tooling resources
      Carried over

      Relates to

    • A.4.5System & computing resources
      Carried over

      Relates to

    • A.4.6Human resources
      Carried over

      Relates to

    • A.5.2AI system impact assessment process
      Specific to AI

      Relates to

    • A.5.3Documentation of AI system impact assessments
      Specific to AI

      Relates to

    • A.5.4Assessing AI system impact on individuals or groups
      Specific to AI

      Relates to

    • A.5.5Assessing societal impacts of AI systems
      Specific to AI

      Relates to

    • A.6.1.2Objectives for responsible development of AI
      Specific to AI

      Relates to

    • A.6.1.3Processes for responsible AI system design & development
      Carried over

      Relates to

    • A.6.2.2AI system requirements & specification
      Carried over

      Relates to

    • A.6.2.3Documentation of AI system design & development
      Carried over

      Relates to

    • A.6.2.4AI system verification & validation
      Carried over

      Relates to

    • A.6.2.5AI system deployment
      Carried over

      Relates to

    • A.6.2.6AI system operation & monitoring
      Carried over

      Relates to

    • A.6.2.7AI system technical documentation
      Carried over

      Relates to

    • A.6.2.8AI system recording of event logs
      Carried over

      Relates to

    • A.7.2Data for development & enhancement of AI system
      Carried over

      Relates to

    • A.7.3Acquisition of data
      Carried over

      Relates to

    • A.7.4Quality of data for AI systems
      Specific to AI

      Relates to

    • A.7.5Data provenance
      Specific to AI

      Relates to

    • A.7.6Data preparation
      Carried over

      Relates to

    • A.8.2System documentation & information for users
      Carried over

      Relates to

    • A.8.3External reporting
      Carried over

      Relates to

    • A.8.4Communication of incidents
      Carried over

      Relates to

    • A.8.5Information for interested parties
      Carried over

      Relates to

    • A.9.2Processes for responsible use of AI systems
      Carried over

      Relates to

    • A.9.3Objectives for responsible use of AI systems
      Specific to AI

      Relates to

    • A.9.4Intended use of the AI system
      Specific to AI

      Relates to

    • A.10.2Allocating responsibilities
      Carried over

      Relates to

    • A.10.3Suppliers
      Carried over

      Relates to

    • A.10.4Customers
      Carried over

      Relates to