
ISO 27001 AI Compliance: How ISO 42001 Sits On Top of the ISMS

ISO 27001 is the information security management system standard. ISO 42001 is the AI management system standard, published in December 2023. The two integrate at the controls layer: several Annex A controls in ISO 27001:2022 are satisfied by the same evidence ISO 42001 expects for AI-specific risk treatment.

By Parminder Singh · Founder & CEO, DeepInspect Inc.
Compliance & Regulation · Tags: iso-27001, iso-42001, ai-governance, compliance, isms, audit

ISO/IEC 27001:2022 is the international standard for information security management systems, certified by accredited bodies under the ISO/IEC 17021-1 conformity assessment scheme. ISO/IEC 42001:2023 is the international standard for AI management systems, published in December 2023. The two standards share the high-level structure that ISO mandates for management system standards under Annex SL. Annex A of ISO 27001:2022 lists 93 controls organized into four themes: organizational, people, physical, and technological. Several of those controls apply directly to AI deployments, and the evidence that satisfies them overlaps with what ISO 42001 expects.

I want to walk through which Annex A controls hit AI deployments hardest, how ISO 42001 adds AI-specific obligations on top of the ISMS, and what operational evidence carries both certifications.

How ISO 27001:2022 controls apply to AI

Annex A.5 covers organizational controls. A.5.21 is "Management of information security in the ICT supply chain," which applies directly to AI vendor relationships. The control requires the organization to define and implement processes to manage information security risks associated with ICT product and service supply chains. For AI vendors, the supply chain extends to the cloud provider hosting the model, the data labelers training the model, and the content moderation subcontractors reviewing inputs and outputs.

Annex A.5.23 is "Information security for use of cloud services." For most enterprise deployments, AI inference is consumed as a cloud service. The control requires processes for acquiring, using, managing, and exiting cloud services to be established in line with the organization's information security requirements. In practice that covers the contract scope, the data handling commitments (including whether prompts and outputs are retained or used for model training), the certification status of the provider, and the operational monitoring of the service.

Annex A.5.34 is "Privacy and protection of PII." AI prompts that include personally identifiable information trigger this control. The evidence the auditor expects covers the classification of PII before it appears in prompts, the policy that authorizes the disclosure, and the records of disclosures with the corresponding policy version.

Annex A.8 covers technological controls. A.8.15 is "Logging." The control requires the organization to produce, store, protect, and analyze logs that record activities, exceptions, faults, and other relevant events. For AI deployments, the logging requirement applies at the prompt layer where the activity that matters is recorded.

A.8.16 is "Monitoring activities." The control requires the organization to monitor networks, systems, and applications for anomalous behavior and to take action on identified events. For AI deployments, the monitoring covers prompt patterns, response patterns, and policy violations at the AI traffic boundary.
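As an added illustration of what "classification of PII before it appears in prompts" (A.5.34) and "policy violations at the AI traffic boundary" (A.8.16) look like in code, here is a constructed policy check. It is not DeepInspect's code and not from the original page; the detectors, the route policy, the role and vendor names, and the sample prompts are all assumptions. Card numbers are Luhn-checked so that an order number made of digits is not flagged as PII.

```python
# Added example (not DeepInspect code and not from the page): a minimal AI-boundary
# policy check that classifies prompts for PII before they reach a vendor (A.5.34)
# and flags repeated policy violations per identity (A.8.16). Patterns, roles,
# vendor names and the sample prompts below are constructed assumptions.
import re
from dataclasses import dataclass

# Constructed PII detectors. Card numbers are Luhn-checked to cut false positives.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
LEVELS = {"public": 0, "internal": 1, "restricted": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; True means the number is well-formed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_prompt(text: str) -> tuple:
    """Return (classification, findings). Any PII hit makes the prompt 'restricted'."""
    findings = []
    if EMAIL_RE.search(text):
        findings.append("email")
    if SSN_RE.search(text):
        findings.append("ssn_us")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append("payment_card")
            break
    return ("restricted" if findings else "internal"), findings


@dataclass(frozen=True)
class RoutePolicy:
    """Per-route policy: which roles may call which vendors with data up to which level."""
    version: str
    allowed_roles: frozenset
    allowed_vendors: frozenset
    max_classification: str


def evaluate(policy: RoutePolicy, identity: str, role: str, vendor: str, prompt: str) -> dict:
    """Decide one request and return the fields an auditor asks for about that decision."""
    classification, findings = classify_prompt(prompt)
    reasons = []
    if role not in policy.allowed_roles:
        reasons.append("role_not_authorized")
    if vendor not in policy.allowed_vendors:
        reasons.append("vendor_not_approved")
    if LEVELS[classification] > LEVELS[policy.max_classification]:
        reasons.append("classification_exceeds_route")
    return {
        "identity": identity,
        "role": role,
        "vendor": vendor,
        "prompt_classification": classification,
        "pii_findings": findings,
        "policy_version": policy.version,
        "decision": "deny" if reasons else "allow",
        "reasons": reasons,
    }


def repeat_violators(records: list, threshold: int = 2) -> dict:
    """A.8.16-style monitoring: identities whose deny count reaches the threshold."""
    counts = {}
    for r in records:
        if r["decision"] == "deny":
            counts[r["identity"]] = counts.get(r["identity"], 0) + 1
    return {k: v for k, v in counts.items() if v >= threshold}


# Constructed policy and traffic (assumptions, not real routes or users).
POLICY = RoutePolicy("support-v3", frozenset({"support", "analyst"}),
                     frozenset({"vendor-a"}), "internal")
SAMPLE_TRAFFIC = [
    ("alice", "support", "vendor-a", "Summarise this ticket about a login loop."),
    ("alice", "support", "vendor-a", "Customer card 4111 1111 1111 1111 was declined, why?"),
    ("alice", "support", "vendor-a", "Email jane.doe@example.com asks for a refund."),
    ("bob", "intern", "vendor-b", "Draft a reply to the order 1234 5678 9012 3456 question."),
]


def run_sample() -> list:
    """Evaluate the constructed traffic against the constructed route policy."""
    return [evaluate(POLICY, *t) for t in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for r in run_sample():
        print(r["identity"], r["decision"], r["prompt_classification"], r["reasons"])
    print("repeat violators:", repeat_violators(run_sample()))
```

The decision dictionary is the unit of evidence: it records who asked, under which policy version, what the prompt was classified as, and why the request was allowed or denied, which is the trace an auditor follows for a sampled activity. The repeat-violator scan is the simplest form of the monitoring A.8.16 asks for; a production deployment would window it by time and feed it to the incident process rather than print it.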

A.8.34 is "Protection of information systems during audit testing." The control requires the organization to plan and agree audit activities involving the operational systems so that they do not impact operations. For AI deployments, this includes how the ISMS auditor accesses prompt records during the audit.

What ISO 42001 adds

ISO 42001:2023 is the management system standard for AI. The standard runs through the Annex SL clauses: context of the organization, leadership, planning, support, operation, performance evaluation, and improvement. The AI-specific content sits in Annexes A, B, C, and D of the standard.

Annex A of ISO 42001 lists controls and control objectives specific to AI. The controls cover AI policies, internal organization of AI activities, resources for AI systems, AI system impact assessment, AI system life cycle, data for AI systems, information for interested parties, AI system use, and third-party and customer relationships. Annex B provides implementation guidance for each Annex A control. Annex C lists potential AI-related organizational objectives and risk sources that feed the risk assessment. Annex D describes use of the AI management system across domains and sectors.

The structural integration with ISO 27001 happens at the controls layer. An organization with an ISO 27001 ISMS that adds AI deployments expands the ISMS scope to cover the AI assets and the AI risks. Several ISO 27001 Annex A controls already apply to those assets. ISO 42001 adds AI-specific controls that the auditor can verify alongside the security controls, against the same sampled activities.

The dual certification path most organizations adopt is to extend the existing ISO 27001 ISMS scope to cover AI and pursue ISO 42001 certification as an overlay. The ISMS auditor and the AIMS auditor may be the same accredited body or two different bodies depending on the certification scheme.

Stage 1 and Stage 2 audits

ISO certification under the ISO/IEC 17021-1 scheme proceeds in two stages for the initial certification. Stage 1 is a readiness review covering the documentation, the scope, and the management system structure. Stage 2 is the certification audit covering the operational effectiveness of the controls.

For AI deployments under ISO 27001, the Stage 2 audit samples specific AI activities during the audit window and traces each one through the relevant Annex A controls. The auditor asks for evidence that A.5.23 cloud service controls were applied to the specific AI vendor on the date of the sampled activity. The auditor asks for the A.8.15 log records covering the sampled activities. The auditor asks for the A.8.16 monitoring evidence showing anomalies were detected and resolved.

For ISO 42001, the Stage 2 audit covers the AI-specific controls from Annex A of the AI standard. The auditor samples AI activities and traces them through the AI impact assessment, the data governance, and the system life cycle controls. The records the auditor expects look very similar to the ISO 27001 records, with additional fields covering the AI-specific risk treatment.

Surveillance audits and recertification

ISO certification under the 17021-1 scheme requires annual surveillance audits and recertification every three years. The surveillance audit covers a subset of the controls each year, with the full scope rotating across the three-year cycle. Recertification covers the full scope at the end of the cycle.

For AI deployments, the surveillance audit pattern surfaces operational drift. An organization that produced strong evidence during Stage 2 sometimes loses control over the AI activity in the subsequent year. New AI vendors appear without going through the procurement control. New use cases bypass the impact assessment. The surveillance auditor samples activities from the most recent quarter, and the evidence has to be there.

The pattern that survives surveillance is per-request evidence produced by the architecture rather than by the application team. The records exist because the request path cannot complete without writing them, not because someone remembers to write them.

The integration with EU AI Act conformity assessment

EU AI Act Article 43 covers conformity assessment for high-risk AI systems, and the route depends on the category. For the Annex III high-risk categories other than biometrics (points 2 to 8), the provider performs the internal control procedure of Annex VI. For the biometric systems in point 1 of Annex III, the provider may choose between Annex VI and the Annex VII procedure with a notified body where harmonised standards have been applied, and must follow Annex VII where they have not. High-risk systems that are products, or safety components of products, covered by the Union harmonisation legislation listed in Annex I follow the conformity assessment procedure of that sectoral legislation.

ISO certifications are not formally equivalent to EU AI Act conformity assessment. The ISO 42001 certification supports the Article 17 quality management system requirement for providers. The ISO 27001 certification supports several of the security-related obligations. The conformity assessment itself is a separate exercise governed by EU regulatory bodies.

Operationally, the records that support ISO 42001 certification also support EU AI Act conformity assessment documentation. The Annex IV technical documentation under the Act covers the system description, the development process, the data used, and the monitoring approach. The ISO 42001 system description and life cycle records cover the same ground.

What the integrated audit trail looks like

The records that support ISO 27001 Annex A.8.15 logging, ISO 42001 system life cycle controls, and EU AI Act Article 12 record-keeping can share a single format. Per AI request, the record contains: the workforce member or agent identity, the role and authorization in effect, the data classification of the prompt, the AI vendor and model called, the policy version that governed the decision, the decision outcome, the response classification, and the timestamp.

The record is committed to append-only storage independent of the application that made the request. It is signed at creation with a key the application does not hold, so a later modification or deletion is detectable. Retrieval supports identity, time range, vendor, and policy version queries.
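To make the append-only, signed-at-creation property concrete, here is an added example of such a record store. It is not DeepInspect's code and not from the original page: the records are hash-chained to their predecessor and HMAC-signed when written, a verifier walks the chain, and the query function covers the four dimensions listed above. The signing key, the model name and the sample records are constructed assumptions; in production the key would sit in a KMS or HSM owned by the recording component, not in source.

```python
# Added example (not DeepInspect code and not from the page): the per-request audit
# record described above, written to an in-memory append-only log where each entry
# is hash-chained to its predecessor and HMAC-signed at creation, with a verifier
# and the identity / time-range / vendor / policy-version queries the text lists.
# The signing key, model name and sample records are constructed assumptions.
import hashlib
import hmac
import json

RECORD_FIELDS = (
    "identity", "role", "prompt_classification", "vendor", "model",
    "policy_version", "decision", "response_classification", "timestamp",
)
GENESIS_HASH = "0" * 64
# Assumption: the key lives with the component that writes the record (the proxy),
# never with the application whose traffic is being recorded.
DEMO_KEY = b"demo-signing-key-replace-with-kms-backed-secret"


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so hash and signature are reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only by construction: there is no update or delete method."""

    def __init__(self, key: bytes = DEMO_KEY):
        self._key = key
        self.entries = []

    def append(self, **fields) -> dict:
        """Write one record: chain it to the previous hash, then sign the hash."""
        missing = set(RECORD_FIELDS) - fields.keys()
        if missing:
            raise ValueError(f"record is missing fields: {sorted(missing)}")
        body = {k: fields[k] for k in RECORD_FIELDS}
        body["prev_hash"] = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        sig = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        entry = {**body, "hash": digest, "sig": sig}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Walk the chain; return (True, None) or (False, index of first bad entry).
        Catches edited fields, forged signatures and removed entries."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in RECORD_FIELDS}
            body["prev_hash"] = e["prev_hash"]
            digest = hashlib.sha256(_canonical(body)).hexdigest()
            sig = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
            if (e["prev_hash"] != prev
                    or not hmac.compare_digest(digest, e["hash"])
                    or not hmac.compare_digest(sig, e["sig"])):
                return False, i
            prev = e["hash"]
        return True, None

    def query(self, identity=None, vendor=None, policy_version=None,
              start=None, end=None) -> list:
        """Filter on the dimensions an auditor samples. Timestamps are ISO-8601 UTC
        strings, so lexical comparison is chronological."""
        out = []
        for e in self.entries:
            if identity and e["identity"] != identity:
                continue
            if vendor and e["vendor"] != vendor:
                continue
            if policy_version and e["policy_version"] != policy_version:
                continue
            if start and e["timestamp"] < start:
                continue
            if end and e["timestamp"] > end:
                continue
            out.append(e)
        return out


def build_sample_log() -> AuditLog:
    """Constructed records standing in for three proxied AI requests."""
    log = AuditLog()
    common = dict(role="support", model="assumed-model-1", response_classification="internal")
    log.append(identity="alice", prompt_classification="internal", vendor="vendor-a",
               policy_version="support-v3", decision="allow",
               timestamp="2025-03-01T09:00:00Z", **common)
    log.append(identity="alice", prompt_classification="restricted", vendor="vendor-a",
               policy_version="support-v3", decision="deny",
               timestamp="2025-03-01T09:05:00Z", **common)
    log.append(identity="bob", prompt_classification="internal", vendor="vendor-b",
               policy_version="support-v4", decision="allow",
               timestamp="2025-03-02T10:00:00Z", **common)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain ok:", log.verify())
    print("alice under support-v3:", len(log.query(identity="alice", policy_version="support-v3")))
    log.entries[1]["decision"] = "allow"  # an attempt to rewrite history after the fact
    print("after tamper:", log.verify())
```

Two properties matter for the surveillance auditor. Editing a field, as in the tamper line above, breaks the hash and signature of that entry; removing an entry breaks the `prev_hash` link of the one after it. Either way `verify()` points at the first entry that no longer matches, which is the evidence that the record set sampled today is the one written on the day of the activity.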

That record set supports the ISO 27001 surveillance audit, the ISO 42001 annual audit, the EU AI Act conformity assessment documentation review, the DORA inspection, and the SOC 2 Type II testing. One record set, five regimes.

DeepInspect

This is the architecture DeepInspect was built to provide. DeepInspect sits at the AI request boundary as a stateless proxy between authenticated users and agents and any LLM endpoint. Per-route policies enforce identity, data classification, AI vendor selection, and retention scope for every request. Every decision produces a signed audit record covering the dimensions ISO 27001 Annex A.8.15 logging and ISO 42001 system life cycle controls expect.

The records support ISMS certification under ISO 27001:2022, AIMS certification under ISO 42001:2023, and the EU AI Act conformity assessment documentation. The same records carry DORA register data, NIST AI RMF Measure function evidence, and SOC 2 Type II operational testing.

If you are preparing for an ISO 27001 surveillance audit and your AI control evidence depends on application logs, the surveillance auditor will surface the gap. Book a demo today.

Frequently asked questions

Is ISO 42001 mandatory?

ISO 42001 is voluntary at the standards level. It becomes effectively mandatory when customers, regulators, or procurement processes require it. Several European public-sector procurement processes already specify ISO 42001 certification or equivalent. Some private-sector buyers in regulated industries have started asking for ISO 42001 as part of the third-party risk assessment. Companies that sell AI-using products into regulated markets should treat ISO 42001 as a near-term requirement even if no statute mandates it.

Can we certify to ISO 42001 without ISO 27001?

Yes. ISO 42001 stands as an independent management system standard. Most organizations that pursue ISO 42001 already have ISO 27001 because the AI workloads run on top of an existing ISMS. The dual certification path is the common pattern. Organizations without an existing ISMS sometimes pursue ISO 42001 first when AI risk is the primary management concern.

Which Annex A controls in ISO 27001:2022 apply most to AI?

A.5.21 (ICT supply chain), A.5.23 (cloud services), A.5.34 (PII protection), A.8.15 (logging), A.8.16 (monitoring activities), and A.8.34 (audit testing) are the controls most heavily affected by AI deployments. A.8.28 (secure coding) and A.5.7 (threat intelligence) carry additional weight for organizations that build their own AI systems versus only consuming third-party AI inference.

What is the difference between ISO 42001 and the NIST AI RMF?

ISO 42001 is a management system standard with a certification scheme. NIST AI RMF is a voluntary framework without certification. ISO 42001 produces an externally verified certificate. NIST AI RMF produces internal documentation. The two integrate at the controls layer. An organization can build an ISO 42001-aligned AIMS using NIST AI RMF as the implementation playbook. The auditor cares about the controls and the evidence, not the framework reference.

How long does ISO 42001 certification take?

Most organizations move from project kickoff to certification in 9 to 15 months. The variability sits in the gap between the existing management system maturity and the ISO 42001 requirements. Organizations with mature ISO 27001 ISMS in place typically complete in 6 to 9 months because the management system structure is already operating. Organizations starting from no formal management system typically complete in 12 to 18 months.