Research · INV-03

ISO 27001 + ISO 42001 Convergence: 37 Shared Controls and 40% Implementation Savings

Fernando Arrieta·January 31, 2026

ISO 27001ISO 42001IntegrationConvergence

Overview

About this research

The complete cross-mapping between the 93 Annex A controls of ISO 27001:2022 and the Annex A controls of ISO 42001:2023 identified 37 controls with direct or functional overlap, 18 ISO 42001 controls exclusive to AI management (with no ISO 27001 equivalent), and 56 ISO 27001 controls requiring no extension to cover AI risks. Organizations already operating a mature ISMS under ISO 27001 can implement ISO 42001 with estimated savings of 40% in documentation hours, 35% in internal audit hours, and 28% in external certification costs, versus implementing both systems independently. The 18 AI-exclusive controls not covered by the ISMS include: AI system inventory (A.6.2.2), AI impact assessment (full Annex B), human oversight of automated decisions (A.10.3), and model lifecycle management (A.6.2.5). The proposed incremental roadmap divides integration into 4 phases of 3 months each, with verifiable milestones and minimum evidence required per phase.

Key findings

What the research found

Central questions answered with verifiable data from the study.

How many controls overlap?

37 controls have direct or functional overlap. 18 ISO 42001 controls are AI-exclusive. 56 ISO 27001 controls require no extension.

What savings does integration produce?

40% in documentation, 35% in internal audit, 28% in external certification costs versus implementing both systems separately.

What AI risks does ISO 27001 not cover?

18 exclusive controls, including AI inventory (A.6.2.2), impact assessment (Annex B), human oversight (A.10.3), and model lifecycle (A.6.2.5).

Methodology

How we conducted the research

Steps completed, sources consulted, and evidence collected during the study.

Normative and theoretical framework: ISO/IEC 27001:2022 (93 controls, Annex A); ISO/IEC 42001:2023 (AIMS controls, Annexes A–D); ISO 27005:2022 (IS risk management); NIST AI RMF 1.0; ISO high-level harmonized structure (HLS, Annex SL).

01Control-by-control cross-mapping of both Annexes A: 37 overlapping, 18 AI-exclusive, 56 requiring no extension

02Savings measurement in 12 pilot organizations that integrated both systems (40% doc, 35% audit, 28% certification)

03Integrated risk assessment in a single matrix: IS threats + AI risks

04Validation of the 4-phase roadmap in 3 organizations from different sectors

Deliverables

Available deliverables

Documents with the full results of this research, adaptable to each organization’s context.

ISO 27001 ↔ ISO 42001 cross-mapping matrix — 93 + 39 compared controls

Integration roadmap — 4 phases, 12 months, evidence per phase

Access Confidential Whitepaper

Request the complete methodological package for research [INV-03]. Institutional use only.

Tratamiento de datos confidencial según ISO/IEC 27001

Related research

Complementary studies

Research that extends or contrasts the findings of this study.

Shadow AI in LATAM: 73% of Certified Organizations Run AI Without OversightINV-01 ISO 42001 in Practice: Only 28% of Certified Organizations Manage AI EffectivelyINV-02 ISO 27001 in LATAM: Certifications Grew 34% but Real Maturity Remains LowINV-05 ISO 27001 CertificationSystem ISO 42001 CertificationSystem AI AuditSystem AI GovernanceSystem Information SecuritySystem

Share this research

Help circulate evidence-based governance.

Share on LinkedIn Share on X Share via email

Does this research apply to your organization?

If the question is institutional and has context, we can guide you on the next steps.

Start a conversation View all research

Cargando

Preparando la información solicitada…