If your organisation is already certified to ISO/IEC 27001, you have probably been asked a new question this year: do we also need ISO/IEC 42001? As businesses across the UAE build AI into customer service, logistics, healthcare and government platforms, boards and clients want proof that those systems are governed responsibly — not just that the data behind them is secure.
The two standards are closely related, share the same management-system structure, and are often certified together. But they answer different questions. This guide explains exactly what separates them, where they overlap, and how to decide which to certify first.
The short answer
ISO/IEC 27001:2022 protects your information. ISO/IEC 42001:2023 governs how your AI uses it.
ISO 27001 certifies an Information Security Management System (ISMS) — the controls that keep data confidential, accurate and available. ISO 42001 certifies an AI Management System (AIMS) — the controls that keep AI systems fair, transparent, safe and under meaningful human oversight.
| ISO/IEC 27001:2022 | ISO/IEC 42001:2023 | |
|---|---|---|
| Management system | Information Security (ISMS) | Artificial Intelligence (AIMS) |
| Core question | Is our information protected? | Is our AI governed responsibly? |
| What it protects | Confidentiality, integrity, availability of data | People affected by AI decisions |
| Annex A controls | 93 controls across 4 themes | 38 controls across 9 control objectives |
| Typical risks | Breaches, unauthorised access, data loss | Bias, opacity, unsafe outputs, loss of human oversight |
| Who needs it | Any organisation handling sensitive data | Any organisation that builds, deploys or relies on AI |
| Certifiable | Yes, by an accredited certification body | Yes, by an accredited certification body |
What ISO/IEC 27001:2022 covers
ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements — is the international standard for building and running an ISMS.
Its Annex A contains 93 controls grouped into four themes: organisational, people, physical and technological. In practice, certification means you can demonstrate that you have identified your information risks, applied proportionate controls, and can prove those controls work through internal audits and management review.
ISO 27001 says nothing about whether a model is biased, or whether a person can challenge an automated decision. That is the gap ISO 42001 was written to close. Learn more on our ISO/IEC 27001 certification page.
What ISO/IEC 42001:2023 covers
ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system — is the world's first certifiable AI management system standard.
Its Annex A contains 38 AI-specific controls grouped under nine control objectives, covering areas such as:
- AI policy — a documented position on how the organisation develops and uses AI
- Roles and responsibilities — named accountability for AI outcomes
- Data governance for AI — provenance, quality and suitability of training data
- AI system lifecycle — controlled design, testing, deployment, monitoring and retirement
- Impact assessment — evaluating effects on individuals and society before release
- Human oversight — the ability for a person to intervene, override or shut down
- Transparency — telling users when and how AI is being used
- Third-party and supplier AI — governing models you did not build yourself
Crucially, ISO 42001 applies whether you build models or simply use them. An organisation running a third-party large language model in its contact centre is in scope. Learn more on our ISO/IEC 42001 certification page.
Six key differences between ISO 42001 and ISO 27001
1. Purpose
ISO 27001 exists to protect information assets. ISO 42001 exists to govern AI behaviour and its effect on people. One is defensive; the other is about accountability for outcomes.
2. Scope of the system
An ISMS scope is drawn around information, systems and locations. An AIMS scope is drawn around AI systems and their lifecycle — including models you procure rather than develop.
3. The controls
ISO 27001's 93 Annex A controls are security controls: access management, cryptography, logging, supplier security. ISO 42001's 38 Annex A controls are governance controls: bias evaluation, explainability, impact assessment, human oversight.
4. The risks being managed
ISO 27001 manages confidentiality, integrity and availability. ISO 42001 manages risks that a secure system can still create — a model that is perfectly protected can still discriminate, hallucinate, or make an unexplainable decision that harms a customer.
5. Who cares about the certificate
ISO 27001 is demanded by procurement, cyber-insurers and enterprise clients. ISO 42001 is increasingly demanded by regulators, public-sector tender panels and customers who want assurance about automated decision-making.
6. Maturity
ISO 27001 is well established with decades of audit practice behind it. ISO 42001 was published in December 2023 — which means early adopters gain a genuine differentiator while the market catches up.
Not sure which ISO standard fits your business?
Free quote in 3–4 hours · Certification in 7–10 days · 1,000+ businesses certified
Do you need both ISO 42001 and ISO 27001?
For most organisations that build or use AI and handle sensitive data: yes, and in that order.
The reason is structural. ISO 42001 assumes information security is already under control — its AI controls sit on top of data governance, access control and supplier management that ISO 27001 already requires. Organisations that pursue ISO 42001 in isolation typically end up rebuilding those same security controls under different labels. Industry practitioners commonly estimate that an existing ISO 27001 ISMS already satisfies a majority of the foundational requirements ISO 42001 expects.
That said, they are separate certificates. Neither one automatically grants the other, and an auditor will assess each against its own requirements.
How ISO 42001 and ISO 27001 integrate
Both standards are written on ISO's harmonised management-system structure. That means clauses 4 through 10 — context, leadership, planning, support, operation, performance evaluation and improvement — are nearly identical in shape.
In practice this allows you to:
- Run one integrated management system rather than two parallel ones
- Share the same context analysis, risk methodology, internal audit programme and management review
- Reuse a single body of evidence across both audits
- Undergo combined audits, reducing audit days and disruption
The differences live almost entirely in Annex A. Your clause 4–10 work carries across; your controls do not.
ISO 42001 in the UAE
The UAE has made AI a national priority through the UAE National Strategy for Artificial Intelligence 2031, which sets out objectives spanning government service delivery, priority-sector adoption, and — importantly for certification — strong governance and effective regulation.
That national direction is already translating into certification activity. UCS has certified UAE government entities to ISO/IEC 42001:2023, including Ajman Transport Authority and the Government of Dubai Legal Affairs Department.
For UAE organisations bidding on government work, an ISO 42001 certificate is quickly becoming a way to evidence responsible AI governance rather than simply assert it.
Which should you certify first?
- You handle sensitive data but do not use AI yet — start with ISO 27001.
- You are ISO 27001 certified and are deploying AI — add ISO 42001. Most of your management system already exists.
- You use AI heavily and have no certification — scope both together and run an integrated implementation. It is faster than doing them sequentially.
- You only resell or embed a third-party model — you are still in scope for ISO 42001. Supplier AI is explicitly covered.
Frequently asked questions
Can you get ISO 42001 without ISO 27001?
Yes. ISO 42001 does not list ISO 27001 as a prerequisite, and the two are certified independently. In practice, however, ISO 42001 auditors will expect to see credible data governance and access controls — which is exactly what an ISMS provides.
Is ISO 42001 actually certifiable?
Yes. ISO/IEC 42001:2023 is a requirements standard, so an accredited certification body can audit and certify against it. UCS is internationally accredited and issues ISO 42001 certificates recognised globally.
How long does ISO 42001 certification take?
With UCS, fast-track certification is typically completed within 7–10 days from the Stage 2 audit, once your AI management system is in place. You can request a quote within 3–4 hours.
What are ISO 42001's Annex A controls?
Annex A of ISO/IEC 42001:2023 contains 38 controls grouped under nine control objectives, covering AI policy, roles and accountability, resources, impact assessment, the AI system lifecycle, data governance, information for interested parties, use of AI systems, and third-party relationships.
Does ISO 42001 make us compliant with the EU AI Act?
No standard automatically confers legal compliance. ISO 42001 does, however, give you the governance evidence — risk assessment, impact assessment, human oversight, transparency and lifecycle records — that regulators expect to see, which makes demonstrating compliance considerably easier.
What are the ethical implications of ISO 42001 for AI systems?
ISO 42001 turns broad ethical principles into auditable requirements. Fairness becomes a documented bias evaluation. Accountability becomes named ownership of AI outcomes. Transparency becomes a duty to tell users when AI is involved. Human autonomy becomes a control requiring that a person can override the system. The standard does not decide your ethics for you — it requires that you define them, apply them, and prove you did.
Do ISO 42001 and ISO 27001 share the same audit?
They are separate certificates but can be audited together. Because clauses 4–10 are shared, a combined audit reduces total audit days compared with certifying each standard separately.
Getting certified with UCS
UCS is an internationally accredited certification body issuing both ISO/IEC 27001:2022 and ISO/IEC 42001:2023 certificates, with fast-track certification in 7–10 days and a quote returned within 3–4 hours.
Whether you are adding AI governance to an existing ISMS or scoping both standards from scratch, our auditors will map what you already have against what each standard requires — so you certify once, not twice.
Ready to Get ISO Certified?
Most businesses achieve certification in just 7–10 days. Get a free assessment and tailored quote from our accredited team — no obligation, no jargon.
