Why businesses embracing AI need to take ISO 42001 and ISO 27001:2022 seriously, and how to prepare for the audit that proves it.
The AI Opportunity Comes With a Responsibility
Artificial intelligence is no longer a future technology. It is here, it is being adopted at speed, and it is changing the way businesses operate, make decisions, and serve customers. From automating workflows to generating content, analysing data, and powering intelligent products, AI is creating real competitive advantage.
But here is the question that does not get asked often enough: as your organisation embraces AI, how are you managing the risks that come with it?

We are not just talking about AI going wrong in a technical sense. We are talking about the broader risks: data privacy, bias, transparency, accountability, security, and the trust of the people your AI systems affect.
These are not hypothetical concerns. They are the kinds of issues that regulators, customers, and partners are increasingly asking about.

This is exactly why two international standards are becoming essential for businesses with AI ambitions: ISO 42001:2023 and ISO 27001:2022.
ISO 42001 and ISO 27001: Two Standards, One Strong Foundation
ISO 42001 is the world’s first international standard for AI Management Systems. Published in 2023, it provides a framework for organisations to develop, deploy, and govern AI responsibly. It covers things like AI risk assessment, ethical principles, transparency, and the ongoing oversight of AI systems throughout their lifecycle.
ISO 27001:2022, on the other hand, is the internationally recognised standard for Information Security Management Systems (ISMS). It provides the framework for identifying, managing, and reducing the risks around the information your organisation holds and processes.

The two standards are not in competition; they are complementary. AI systems depend on data, and the security, integrity, and governance of that data is exactly what ISO 27001 addresses. If you are pursuing ISO 42001, having ISO 27001 in place is not just helpful; it is the security bedrock your AI management framework needs to stand on.
Think of it this way: ISO 42001 answers the question “how do we use AI responsibly?” and ISO 27001 answers the question “how do we protect the information that AI depends on?” Together, they give your organisation a credible, auditable answer to both.
This issue focuses on preparing for an ISO 27001:2022 audit, the security foundation that every AI-driven business should have in place.
What Is ISO 27001:2022?
ISO 27001 is the internationally recognised standard for managing information security. It gives organisations a framework for building and maintaining an Information Security Management System or ISMS, which is essentially a structured way of identifying, managing, and reducing the risks around the information your business holds.
The 2022 version is the most current edition. It updated and reorganised the controls compared to its predecessor, placing greater emphasis on cloud security, threat intelligence, and the way modern businesses actually operate today, including businesses that are integrating AI into their operations.
ISO 27001 is not just a technical standard. It covers people, processes, and technology. It is as much about governance and culture as it is about firewalls and encryption, which makes it a natural partner for the governance-focused requirements of ISO 42001.
Why Does the Audit Matter?
Achieving ISO 27001:2022 certification signals to customers, partners, and regulators that your organisation takes information security seriously and has the systems in place to back that up. For businesses deploying AI, this signal is even more important — because AI systems handle data at scale, often sensitive data, and the stakes of getting security wrong are higher.
For many organisations, ISO 27001 certification is increasingly a prerequisite for winning contracts, particularly in sectors like finance, healthcare, legal, and technology. And as AI regulation matures globally, having demonstrable security governance in place will become an expectation rather than a differentiator.
Beyond the commercial advantages, going through the audit process genuinely improves your security posture. It forces you to identify gaps you may not have known existed and to put proper controls in place.
What the Audit Actually Looks For
ISO 27001:2022 auditors are assessing whether your ISMS is properly established, effectively implemented, and continuously maintained. They are not just looking for documents — they are looking for evidence that your controls actually operate in practice.
The audit is split into two stages:
Stage 1 is a documentation review. The auditor checks that your ISMS is designed correctly and that you have the required policies, procedures, and records in place.
Stage 2 is an on-site (or remote) assessment where the auditor tests whether your controls are working as described. They will interview staff, review logs, and verify evidence.

This is why preparation is everything. You cannot pass Stage 2 if your controls only exist on paper.
The Key Areas You Need to Prepare
1. Define Your ISMS Scope
Before anything else, you need to clearly define what falls inside your ISMS and what does not. This includes the systems, locations, people, and processes that are in scope. For AI-driven businesses, this should include any systems where AI tools process, access, or generate information. Auditors will hold you accountable to the boundaries you set, so be deliberate and document your reasoning.
Many organisations make the mistake of scoping too broadly at the start. A tightly defined, well-controlled scope is far easier to certify than a loose, sprawling one.
2. Conduct a Thorough Risk Assessment
A risk assessment is the heart of ISO 27001. You need to systematically identify what information assets you hold, what threats and vulnerabilities exist, and what the potential impact of a breach or loss would be. For organisations using AI, this includes the data pipelines feeding your AI systems, the outputs those systems generate, and the third-party AI tools or platforms you rely on.
From your assessment, you create a risk treatment plan that documents how you intend to address each risk, whether by implementing a control, accepting the risk, avoiding it, or transferring it (for example through insurance).
Auditors will scrutinise your risk assessment process closely. It needs to be methodical, documented, and directly linked to the controls you have chosen to implement.
3. Build Your Statement of Applicability (SoA)
The Statement of Applicability is one of the most important documents in your ISMS. It lists every control from ISO 27001:2022 Annex A, states whether each control is applicable to your organisation, and provides justification for any controls you have excluded.
The SoA also needs to reference where evidence of each control can be found. Think of it as the master map of your entire control environment.
4. Get Your Policies and Procedures in Order
You need documented policies covering areas such as information security, access control, acceptable use, incident management, business continuity, and supplier relationships, among others. These policies need to be approved by leadership, communicated to staff, and reviewed regularly.
Do not fall into the trap of copying generic templates without tailoring them to your organisation. Auditors ask staff about the policies. If employees are unaware of them, that is a finding.
5. Demonstrate Leadership Commitment
ISO 27001:2022 places significant emphasis on leadership. Senior management must be visibly involved in the ISMS, not just by signing a policy document, but by actively overseeing security objectives, allocating resources, and participating in management reviews.
Auditors will look for evidence of this engagement, including meeting minutes, reviews, and records of decisions made at a leadership level.
6. Train and Embed Security Awareness Across Your Team
Your people are both your greatest asset and your biggest risk. All staff need to understand what the ISMS is, why it matters, and what is expected of them. For teams using AI tools, this training should also address how to handle data responsibly when working with those tools. Security awareness training should be documented, tracked, and repeated regularly.
Auditors may speak to employees at any level of the business. A well-prepared team reflects positively on your entire programme.
7. Implement and Evidence Your Controls
ISO 27001:2022’s Annex A contains 93 controls across four categories: organisational, people, physical, and technological. Not every control will apply to every organisation, but for those that do, you need to demonstrate that they are genuinely operating.
Evidence might include access control logs, patch management records, incident reports, backup verification tests, supplier contract reviews, and configuration audit trails. The key word is evidence: if you cannot show it happened, then in the eyes of an auditor, it did not.
8. Test Your Incident Response and Business Continuity Plans
Having a plan is not enough. You need to be able to show that you have tested it. Conduct tabletop exercises, simulate incidents, and verify that your recovery procedures actually work. Document everything, including what you learned and how you improved as a result.
9. Conduct an Internal Audit Before the External Audit
An internal audit is a rehearsal. It lets you identify gaps before the external auditor does. It should be conducted by someone with sufficient independence from the areas being reviewed, and the findings should feed into a corrective action plan.
This step is often underestimated. Organisations that skip it tend to receive more nonconformities in their external audit.
10. Perform a Management Review
Before your external audit, senior leadership must conduct a formal management review of the ISMS. This review should assess audit results, risk treatment progress, security objectives, and opportunities for improvement. The outcome must be documented.
The management review is evidence that your ISMS is not just a compliance exercise but an active, governed programme.
A Word on Continuous Improvement
ISO 27001:2022 is not a one-and-done certification. Once you achieve it, you must demonstrate that your ISMS is continuously improving. Annual surveillance audits and a recertification audit every three years are part of the ongoing commitment.
This aligns closely with the spirit of ISO 42001, which also requires organisations to continuously monitor and improve how they govern AI. The two standards share the same underlying philosophy: good governance is not a project, it is a practice.
Build monitoring, review, and improvement activities into your regular operations rather than treating them as periodic events. Organisations that do this find recertification far less stressful than their initial audit.
The Bottom Line
If your business is using AI or planning to, information security governance is not optional. It is the foundation on which responsible AI adoption is built. ISO 27001:2022 gives you that foundation, and ISO 42001 builds the AI-specific governance layer on top of it.
Preparing for an ISO 27001:2022 audit is a significant undertaking, but it is entirely achievable with the right structure and the right support. The audit itself is simply a verification of what should already be in place.

Start early. Document everything. Test your controls. And make sure your entire organisation understands why this matters, not just the IT team.
Need help getting audit-ready?
If your organisation is preparing for an ISO 27001:2022 audit, especially if you are also thinking about ISO 42001 and AI governance, we can help.
We work with businesses at every stage of their ISO 27001 journey, from scoping and risk assessments through to internal audit preparation and evidence reviews. We understand the unique considerations that come with AI-driven businesses.
Reach out today and let’s make sure you walk into your audit with confidence.
