Information is increasingly becoming the number one priority for businesses. With so many organisations reliant on technology to stay in operation, data breaches and security incidents continue to increase year on year.
The arrival of AI-driven technology has added a new layer of complexity to the information security landscape, both in the new risks that using the technology brings and in the growing sophistication of AI-led scams.
Thankfully ISO Standards are here to help, with ISO 27001 tackling general information security and ISO 42001 for effective AI Management. But how do these two compare, and is there merit in implementing both?
In this episode, Ian Battersby is joined by Bas Von Hertom, Cyber Security Specialist at TUV Nord, to discuss what ISO 27001 and ISO 42001 are, the main differences between the Standards and how they can complement each other when integrated.
You’ll learn
- Who is Bas Von Hertom?
- Who are TUV Nord?
- What are ISO 27001 and ISO 42001?
- How does ISO 42001 support regulatory frameworks such as the EU AI Act?
- How do ISO 27001 and ISO 42001 differ in managing information security risks?
- Other key differences between ISO 27001 and ISO 42001
- How much more work is involved in implementing ISO 42001 if you already have ISO 27001 in place?
- Can ISO 27001 and ISO 42001 be integrated?
- What organisations should be implementing both Standards?
- How are Certification Bodies quoting for ISO 27001 and ISO 42001?
- Bas’s advice to leadership teams looking to build a case for full certification
Resources
In this episode, we talk about:
[02:05] Episode Summary – Ian is joined by Bas Von Hertom, Cyber Security Specialist at TUV Nord, to explore the differences between ISO 27001 and ISO 42001 and the benefits of integrating both Standards.
[02:30] Who is Bas Von Hertom? Bas is the Cyber Security Specialist at TUV Nord. He is a lead auditor for Standards including ISO 27001, ISO 42001, TISAX and standards specifically for industrial automation.
Around five years ago, Bas had stated that he would never pursue a career in auditing, but once he came into contact with TUV Nord he decided to give it a go. Before joining TUV, he was a very hands-on systems administrator, and many of those skills transferred well into auditing.
[04:45] Who are TUV Nord? TUV Nord are a UKAS-accredited Certification Body. They also offer testing and inspection services.
TUV have worked with a large range of sectors, from manufacturing and energy to IT, healthcare and even space.
[06:25] What are ISO 27001 and ISO 42001? ISO 27001 is the Standard for Information Security Management; a management system that conforms to it is called an ISMS. It provides a structure for identifying, assessing and treating information security risks, with the aim of preserving the confidentiality, integrity and availability of information and the resilience of the systems that hold it.
ISO 42001, the Standard for AI Management Systems (AIMS), is much more recent, having been published in December 2023. It focuses on responsible and effective AI management, with a management system that covers the AI products and services in scope as well as the wider organisation.
[07:30] How does ISO 42001 support regulatory frameworks such as the EU AI Act? The EU AI Act sets out legal obligations that organisations providing or deploying AI systems must comply with; however, it defines the rules rather than providing implementation guidance.
This is where ISO 42001 can fill the gap, by providing a management-system framework that helps an organisation organise and evidence how it meets those regulatory requirements. Note that certification to ISO 42001 is not itself a demonstration of legal compliance with the Act; it is a structured means of working towards it.
[08:45] How do ISO 27001 and ISO 42001 differ in managing information security risks? Both Standards take a risk-based approach to their subject matter, but the nature of the risks each addresses is what differs.
ISO 27001 focuses on risks to the protection of information assets, framed in terms of the confidentiality, integrity and availability of information. It also ensures that information security objectives are clearly defined and aligned with business strategy.
ISO 42001, on the other hand, deals with a broader and more complex set of risks, because it also looks at ethical considerations. This can include the monitoring and measurement of ethical risks such as AI bias and discrimination. It also looks at societal, legal and reputational risks, as one of ISO 42001's key aims is creating trust in the AI space.
[10:10] Other key differences between ISO 27001 and ISO 42001: Besides their subject matter, another key difference is the way objectives are framed and evaluated. In ISO 42001 the objectives have to be aligned with the Annexes within the Standard, which is not commonly done when implementing ISO 27001.
ISO 42001 also requires an 'AI system impact assessment'. This again ties back to the management system's objectives, as the results of the impact assessment describe how bias, ethical and societal considerations affect the other requirements within ISO 42001.
[11:00] How much more work is involved in implementing ISO 42001 if you already have ISO 27001 in place? If you already have ISO 27001 in place, you have a strong foundation for ISO 42001. ISO 27001 puts the fundamental base in place: a governance structure, risk assessment processes, internal audits, corrective actions and methods for continual improvement.
There is a lot of overlap where the high-level requirements are concerned. However, ISO 42001 also looks at the AI products and services themselves, which ISO 27001 does not.
ISO 42001 may also require additional training for those involved with the management system and with the AI products and services.
[12:15] Can ISO 27001 and ISO 42001 be integrated? Yes, and in fact, Bas highly encourages it!
If you intend to implement both Standards, it is much more efficient to do so as an integrated management system. Both use the Annex SL format, the harmonised high-level structure shared by ISO management system standards, so they are designed to be integrated.
This also saves duplication of effort where documentation is concerned, and potentially cost if you require additional support with implementation.
[13:30] What organisations should be implementing both Standards? Both ISO 27001 and ISO 42001 can apply to any business.
Most businesses now use AI in some form, and ISO 42001 applies to those using it just as much as to those developing their own AI tools or selling related services.
However, sectors where ISO 42001 is likely to become fundamental include the financial sector, where AI tools for fraud detection are becoming popular. There is also a growing need for it in the medical field, as AI is increasingly used in research and development.
[14:30] How are Certification Bodies quoting for ISO 27001 and ISO 42001? Certification Bodies use a number of variables to work out certification costs, including the size of the organisation and the complexity of the business.
This can be tricky to calculate for ISO 42001, as you need to consider the number of AI systems in scope before you can provide a quote. The requirements for this are set out in ISO/IEC 42006, the Standard that specifies requirements for bodies auditing and certifying AI management systems.
Most Certification Bodies will offer a discount for combined certification to both Standards.
An integrated approach is certainly something that Bas recommends, along with keeping the same auditor or audit team throughout. By having one team for both systems, you can carry out combined internal audits and save time and resources.
[16:20] Bas’s advice to leadership teams looking to build a case for full certification: First of all, don’t wait, just make a start.
A lot of businesses make the mistake of waiting until certification is a common requirement within their market, which can leave them lagging behind the curve. Instead, strive to be an early adopter, as that gives you a strategic advantage in the market.
This is especially the case if you already have ISO 27001 in place. You already have the foundational knowledge to implement ISO 42001, so make a start by looking at the risks relevant to ISO 42001.
Many businesses implement a given Standard because their clients demand it, and ISO 42001 is likely to be added to that list. So it is better to get a head start!
Bas also recommends finding sources of guidance on ISO 42001 implementation. Whether that means sourcing training or an external party to advise, it is good to have other sources of knowledge if you are not familiar with the Standard or with ISO implementation as a whole.
[21:30] Bas’s favourite quote: We don’t rise to the level of our expectation, but we fall to the level of the systems that we use.
If you’d like to find out more about TUV Nord or are looking for ISO 27001 and ISO 42001 certification, check out their website.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List