EU AI Act vs ISO 27001 and ISO 42001: how the standards stack

ISO 27001 (information security management) and ISO 42001 (AI management system) are voluntary international standards. The EU AI Act is binding law. For SaaS targeting EU enterprise, the realistic compliance stack in 2026 is: ISO 27001 for security baseline, ISO 42001 for AI governance, and EU AI Act audit for legal compliance. Each addresses a distinct layer.

What ISO 27001 covers

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). It defines requirements for establishing, implementing, maintaining and continually improving an ISMS, with the Annex A control set updated in the 2022 revision. Certification requires an accredited certification body to audit the organisation's ISMS against the standard on a three-year cycle: an initial two-stage audit, annual surveillance audits, then recertification. The certificate is recognised internationally and is the de facto baseline for enterprise security procurement worldwide. Indicative cost: €15,000 to €40,000 for initial certification, plus recurring annual surveillance audits.

What ISO 42001 covers

ISO/IEC 42001:2023 (published December 2023) is the international standard for AI Management Systems (AIMS). It defines requirements for establishing, implementing, maintaining and continually improving a management system for the responsible development, provision and use of AI, including AI-specific risk and impact assessment. It follows the same harmonised structure as ISO 27001 (security) and ISO 27701 (privacy), so it can be run as an integrated extension of an existing ISMS rather than a parallel programme. ISO 42001 is emerging as the international management-system benchmark for AI governance: a structured, auditable system that demonstrates AI accountability. It remains a voluntary standard, not a legal instrument, and certification against it is not itself AI Act compliance.

What the EU AI Act covers

The AI Act governs AI system obligations directly: Article 5 prohibited practices, Annex III high-risk classification, Article 10 data governance, Article 14 human oversight, Article 43 conformity assessment, Article 50 transparency obligations, Article 73 serious-incident reporting. The Act is binding law that applies to AI systems placed on the market, put into service or used in the EU, regardless of where the provider is established and regardless of whether the company holds any ISO certification. Note the scoping: most of the Chapter III obligations (Articles 9 to 17, 43, 72 and 73) attach to high-risk systems; a system outside Annex III mainly faces the Article 5 prohibitions, Article 4 AI literacy and, where relevant, the Article 50 transparency obligations.

Where they stack

ISO 27001 provides the security baseline that supports AI Act Article 14 (the logging, access control and operational infrastructure that human oversight depends on), Article 15 (accuracy, robustness and cybersecurity, where the control requirements most directly overlap with an ISMS) and Article 72 (post-market monitoring). ISO 42001 provides the management-system structure that supports Article 10 (data governance), Article 17 (quality management system requirements for providers), Article 43 (conformity assessment) and Article 73 (incident reporting). These are all high-risk obligations, so the mapping matters most when a product is in scope of Annex III. Together, ISO 27001 plus ISO 42001 covers perhaps 50 to 60 percent of the documentation a non-high-risk SaaS needs to produce for AI Act purposes; that is a rough working estimate, not a figure from the Act, and what the standards do not cover is the legal analysis itself: whether a use case is prohibited under Article 5, whether it falls under Annex III, and whether Article 50 disclosure duties apply.

Recommended compliance stack

For a SaaS targeting EU enterprise: ISO 27001 certification as the security baseline (three-year cycle, annual surveillance audits), ISO 42001 as the AI governance overlay (same cycle), and an EU AI Act audit report from a specialised practice as the legal compliance attestation. SOC 2 Type II adds value for US enterprise customers; note that "Type II" is SOC 2 terminology and has no ISO 27001 equivalent. One caveat on the AI Act audit: the Act itself defines no such audit. For high-risk systems the statutory step is the Article 43 conformity assessment (internal control under Annex VI, or a notified body under Annex VII where required); a third-party AI Act audit is advisory evidence that supports that assessment and procurement reviews, not a substitute for it. The cost stack for a 50-person SaaS: €25,000 to €60,000 annually across all four. The procurement payoff: faster enterprise sales cycles, fewer vendor risk holds, demonstrably mature AI governance.

Frequently asked questions

Does ISO 27001 cover AI Act obligations?

Partially. ISO 27001 provides the security infrastructure that supports AI Act Articles 14, 15 and 72, all of which are high-risk obligations. It does not address Article 5, Annex III classification, Article 50 or Article 10 directly, and it says nothing about whether a given use case is in scope of the Act at all.

Should I get ISO 42001 in 2026?

If you target EU enterprise procurement and ship AI features, yes. ISO 42001 is becoming the international gold standard for AI governance. Combined with EU AI Act audit, it shortens procurement reviews substantially.

Do I need ISO 27001 to do ISO 42001?

Not strictly, but it is the practical route. ISO 42001 shares the harmonised management-system structure with ISO 27001 and leans on security controls of the kind ISO 27001 already provides. Most organisations certify ISO 27001 first, then add ISO 42001 as an integrated extension, reusing the same risk-management, document-control and internal-audit machinery.

How much overlap with EU AI Act?

ISO 27001 + ISO 42001 covers roughly 50 to 60 percent of AI Act documentation needs for a non-high-risk SaaS (an estimate, not a figure from the Act). High-risk systems need substantially more on top: the Article 43 conformity assessment, Annex IV technical documentation, the Article 47 EU declaration of conformity, Article 48 CE marking and Article 49 registration in the EU database.

Will EU regulators accept ISO 42001 as AI Act compliance?

Not as a substitute. ISO 42001 is voluntary; the AI Act is binding. Certification does not by itself confer the presumption of conformity that Article 40 grants to harmonised standards whose references are published in the Official Journal. But ISO 42001 certification documentation is persuasive evidence of a good-faith compliance effort in regulatory dialogues, and it produces much of the risk-assessment and monitoring paperwork a conformity assessment would require anyway.

Last updated: 2026-05-28