ISO 27001:2022 and ISO/IEC 42001:2023: Applying International Security Standards to AI Systems in Regulated Industries
ISO Standards Reference
ISO 27001:2022: What Changed from 2013 and Why It Matters for AI
ISO/IEC 27001:2022 restructured Annex A controls from 114 controls in 14 domains to 93 controls in 4 themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). The 2022 version added 11 new controls that are particularly relevant to AI systems: threat intelligence (5.7), information security for cloud services (5.23), ICT readiness for business continuity (5.30), web filtering (8.23), secure coding (8.28), configuration management (8.9), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), vulnerability management (8.8), and deletion of information (8.10).
For AI systems, the most impactful new control is 8.12 (Data Leakage Prevention) — requiring organizations to implement controls to prevent unauthorized disclosure of information. Applied to AI, this means monitoring AI outputs for sensitive data patterns (PII, financial data, PHI), implementing output filtering, and detecting when AI agents attempt to exfiltrate data through their tool use capabilities. DLP for AI is a distinct challenge from traditional DLP because AI outputs are natural language text, not structured data, requiring semantic content analysis rather than pattern matching.
Annex A 5.23: Cloud Services
New in 2022: information security for cloud services. Applies to AI API providers (OpenAI, Anthropic, AWS Bedrock, Azure OpenAI). Requires security requirements in cloud service agreements and monitoring of cloud service security.
Annex A 8.12: Data Leakage Prevention
New in 2022: DLP controls for preventing unauthorized information disclosure. Critical for AI systems — requires monitoring AI outputs for sensitive data, implementing output filters, and detecting unauthorized data access via AI tool use.
Annex A 8.16: Monitoring Activities
New in 2022: continuous monitoring of networks, systems, and applications. For AI systems: real-time monitoring of model behavior, anomaly detection for unusual query patterns, and automated alerting for policy violations.
ISO/IEC 42001:2023: The First International AI Management System Standard
Published in December 2023, ISO/IEC 42001 is the first international standard specifically designed for AI management systems (AIMS). It follows the same high-level structure (Annex SL) as ISO 27001, ISO 9001, and ISO 14001, enabling organizations to integrate AI governance with existing management systems. ISO 42001 addresses the full AI lifecycle: planning and design, data management, model development, deployment, monitoring, and decommissioning.
ISO 42001 Annex A controls relevant to enterprise AI deployments include: A.2.2 (AI system impact assessment — assessing risks to individuals, society, and the environment), A.3.2 (AI policy — establishing organizational AI governance policies), A.4 (human oversight — ensuring appropriate human control over AI systems), A.6.1 (data governance — managing data quality, provenance, and fairness), A.6.2 (data acquisition — ensuring lawful and ethical data collection), A.8 (AI system impact assessment — assessing bias, explainability, and safety), and A.9 (AI system lifecycle — managing development, deployment, and decommissioning processes).
While ISO 42001 certification is not yet as universally required as ISO 27001 or SOC 2 Type II in enterprise procurement, it is increasingly mentioned in AI governance RFP criteria, particularly in Europe where the EU AI Act creates regulatory pressure for formal AI governance documentation. Organizations pursuing EU AI Act compliance for high-risk AI systems will find ISO 42001 a useful framework for documenting the technical documentation requirements of Article 11.
Implementing ISO 27001:2022 for AI: Key Control Areas
Risk assessment for AI systems (Clause 6.1): ISO 27001 requires systematic risk identification and treatment. For AI systems, the risk register must include AI-specific risks: prompt injection attacks (risk to confidentiality and integrity), model hallucination leading to harmful advice (risk to processing integrity), training data poisoning (risk to model reliability), supply chain risks from AI API providers (risk to availability and confidentiality), and regulatory non-compliance from AI decisions (legal and reputational risk).
Supplier security for AI APIs (Annex A 5.19-5.22): AI systems depend on external model providers (OpenAI, Anthropic, AWS, Google) as critical suppliers. ISO 27001:2022 requires documented supplier security requirements, security assessments of critical suppliers, and monitoring of supplier security performance. For AI API providers, this means: reviewing their SOC 2 Type II reports annually, confirming data processing agreements are in place, documenting model version control procedures, and understanding their security incident notification processes.
Cryptography and key management (Annex A 8.24): ISO 27001:2022 requires a cryptography policy covering algorithm selection, key management, and encryption implementation. For AI systems, this includes: encrypting AI conversation data at rest (AES-256) and in transit (TLS 1.3), managing encryption keys for multi-tenant AI deployments (per-tenant key isolation), and implementing secure key lifecycle management (generation, storage in HSM, rotation, deletion).
ISO 27001:2022 AI System Implementation Checklist
- Verify certificate versionConfirm vendor's ISO 27001 certificate references 2022 version (not deprecated 2013); check expiry date and certifying body accreditation
- AI risk assessmentInclude AI-specific risks in ISMS risk register: prompt injection, model hallucination, training data poisoning, supply chain AI risks
- Annex A 5.23 cloud securityDocument security requirements for all AI API providers (OpenAI, Anthropic, AWS Bedrock); review their security certifications annually
- Annex A 8.12 DLP for AIImplement output monitoring for sensitive data patterns in AI responses; configure semantic DLP rules for PII, PHI, and financial data
- Annex A 8.16 monitoringDeploy real-time AI behavior monitoring; configure anomaly detection for unusual query patterns or policy violations
- Cryptography policy (8.24)Implement AES-256 encryption at rest, TLS 1.3 in transit; per-tenant key isolation; HSM-based key management; annual key rotation
- Supplier management (5.19-5.22)Execute DPAs with all AI sub-processors; review SOC 2 reports annually; document supplier security monitoring program
- ISO 42001 gap assessmentConduct ISO 42001 gap assessment to identify AI governance gaps; plan certification or self-assessment program
- EU AI Act alignmentMap ISO 27001 and ISO 42001 controls to EU AI Act technical documentation requirements (Article 11) for high-risk AI systems
- Annual ISMS reviewConduct annual management review of ISMS covering AI-specific incidents, risk updates, and control effectiveness metrics
Frequently Asked Questions
What is the difference between ISO 27001 and ISO 42001 for AI?
ISO 27001:2022 is an information security management system (ISMS) standard covering confidentiality, integrity, and availability of all information assets including AI systems. ISO 42001:2023 is specifically an AI management system (AIMS) standard covering AI governance, responsible AI practices, bias assessment, and the AI lifecycle. For AI vendors, ISO 27001 demonstrates security credentials and ISO 42001 demonstrates AI governance maturity. Both are increasingly relevant for enterprise AI procurement.
Do I need ISO 27001 certified AI vendors or just SOC 2 Type II?
Enterprise procurement most commonly requires SOC 2 Type II (North America) or ISO 27001 (Europe and global enterprises). In practice, many enterprise AI vendors pursue both. SOC 2 Type II is typically required in US financial services contracts; ISO 27001 is more common in European contracts and global Fortune 500 requirements. For regulated industries in Europe (GDPR compliance, EU AI Act high-risk systems), ISO 27001 certification is often a hard requirement in vendor contracts.
How does ISO 27001:2022 address AI-specific risks like prompt injection?
ISO 27001:2022 does not mention prompt injection by name, but several Annex A controls apply: A.8.16 (monitoring activities) requires monitoring for anomalous AI behavior including injection attempts; A.8.12 (data leakage prevention) requires preventing unauthorized information disclosure via AI outputs; A.8.7 (protection against malware) can be interpreted to include malicious prompt content; and A.5.7 (threat intelligence) requires monitoring for emerging AI-specific threats. Organizations should explicitly address AI threats in their ISMS risk register.
What is the cost of ISO 27001:2022 certification for an AI company?
ISO 27001:2022 certification typically costs $15,000-$50,000 for initial certification depending on company size and scope, plus $5,000-$15,000 for annual surveillance audits. Gap assessment and remediation (before formal certification) often costs $20,000-$80,000 in consulting fees and control implementation. The certification process takes 6-18 months. Larger organizations (100+ employees) with complex AI infrastructure may incur higher costs.
Does Claire have ISO 27001:2022 certification?
Claire maintains ISO 27001:2022 certification (current version, not the deprecated 2013 standard) from an IAF-accredited certification body. Our ISMS scope covers the Claire AI platform infrastructure, development processes, operations, and sub-processor management. Certification documentation is available to enterprise prospects under NDA as part of our vendor security assessment process.
How Claire Addresses ISO 27001 Compliance
Claire maintains ISO 27001:2022 certification and is pursuing ISO/IEC 42001 certification as the AI governance standard gains enterprise adoption. Our ISMS covers AI-specific controls: DLP for AI outputs (Annex A 8.12), cloud security for AI APIs (Annex A 5.23), and continuous AI behavior monitoring (Annex A 8.16). Schedule a security briefing to review our certification documentation.