How does ISO/IEC 42001 relate to ISO/IEC 27001 and can I reuse my ISMS?
ISO/IEC 42001 follows the same Plan-Do-Check-Act management-system structure as ISO/IEC 27001, so an organization can build on its existing Information Security Management System (ISMS) by extending it with AI-specific controls. Established management-system processes (document control, internal audit, management review, corrective action) are reused, while the new requirements for AI governance are layered on top.
ISO/IEC 42001 clauses 4 through 10 define the management-system requirements: context, leadership, planning, support, operation, performance evaluation, and improvement. These clauses are foundational for any management system and mirror the structure of ISO/IEC 27001. For example, ISO/IEC 42001 Cl.5 Leadership requires top management to demonstrate leadership through an AI policy, a documented AI Management System (AIMS), and assigned roles and responsibilities for AI governance.
Additionally, ISO/IEC 42001 includes Annex A, which provides AI-specific controls. These controls address aspects of AI systems that an ISMS does not cover and that would need to be integrated into it. Key areas covered by Annex A include:
- AI policy (ISO/IEC 42001 A.2): A documented AI policy aligned with business objectives and other policies.
- AI impact assessment (ISO/IEC 42001 A.5): Processes to assess impacts of AI systems on individuals, groups, and society across the lifecycle. This cross-maps to NIST-MAP-5.1.
- AI system lifecycle (ISO/IEC 42001 A.6): Responsible design, development, deployment, operation, and retirement of AI systems, with controls at each lifecycle stage.
- Data for AI systems (ISO/IEC 42001 A.7): Data governance covering provenance, quality, preparation, and management of data used by AI systems across their lifecycle. This cross-maps to OWASP LLM04 data poisoning.
- Third-party relationships (ISO/IEC 42001 A.10): Controls for suppliers and third parties in the AI value chain. This cross-maps to OWASP LLM03 supply chain.
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.