If you already operate one or more ISO management systems, there’s no need to treat ISO 42001 as a standalone add-on. It was developed using the ISO Harmonised Structure (sometimes known as Annex SL), so it aligns with other management system standards that follow the same structure, including ISO 27001, ISO 9001, ISO 14001, ISO 45001 and more.
This article explains how to integrate ISO 42001 into your existing management system(s). The objective here is to extend your existing governance model to cover your artificial intelligence (AI) management system (AIMS), rather than adding something new.
Why integration is the right approach
ISO 42001 defines the requirements for an AI management system. Like the other ISO standards mentioned in the introduction, it uses the same clause framework defined by the Harmonised Structure:
- Context
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
Because of that shared structure, you can apply most of the core elements of your existing management systems to your use of AI, rather than rebuilding them from scratch. If, instead, you create a separate AIMS programme with its own governance cycle, risk framework and audit rhythm, you’d just be duplicating your efforts and weakening clear lines of accountability.
Although we mentioned ISO 14001 (environmental management) and 45001 (occupational health and safety management) in the introduction, you’re more likely to be integrating an AIMS into your existing information security management system (ISO 27001), quality management system (ISO 9001), or even a privacy information management system (ISO 27701). These systems, especially ISO 27001 and 27701, have a lot of structural overlap with ISO 42001.
Regardless of your approach and your business’s needs, proper integration allows you to embed AI governance into your existing risk, audit and review processes. Â
How to integrate ISO 42001 into your existing ISO management system
So, how do you approach integrating ISO 42001 into your management systems? Â
Here’s a structured outline so you can get an idea. You’ll notice a clear and consistent theme of integration and expansion here, rather than replacement or reinvention. Â
Start with a clear integration vision
Before drafting any new procedures, decide how ISO 42001 will sit within the structure of your current management system(s).
For example, if you already operate ISO 27001, the most efficient approach is usually to extend your ISMS. AI governance can sit within your established risk management, incident management, supplier control and internal audit processes.
If you already operate ISO 9001, you can reuse your existing process discipline. You already have your change control, corrective action and performance monitoring mechanisms. They now need to incorporate AI-specific considerations.
In short, if you already run any kind of integrated management system, you can expand the scope to include AI governance, rather than creating a new, parallel system.
Extend governance and risk management (but don’t duplicate them)
Under ISO 42001, you must define your AI governance responsibilities and who has oversight. If you already have an existing management system in place, you should already have defined leadership accountability.
So, instead of creating a separate AI governance committee, incorporate AI risk and performance into your existing reporting lines. Include AI governance as a standing agenda item within your management review meetings. Importantly, this doesn’t mean that your management team must have expertise in data science or AI. But they must be able to set the strategy and have a basic understanding of your AIMS and how it operates within your business.
All ISO standards that use the Harmonised Structure are built on risk-based thinking. This means you don’t need a new risk methodology for ISO 42001.
For instance, if you operate ISO 27001, you can extend your risk criteria to include AI-specific considerations like lifecycle risk, bias, foreseeable misuse, model limitations and the severity of its impacts. Â
The goal here is to develop a single risk framework, applied through multiple lenses. While it’s technically possible to keep separate risk registers, it usually creates confusion and inefficiency due to siloing. Â
Integrate AI lifecycle controls into your existing operations
Under ISO 42001, your organisation needs to stay in control across the entire AIMS lifecycle, starting at design and validation, and running through deployment, operation, monitoring and retirement.
If you already run an existing management system, you likely already have development processes, change management controls and incident escalation pathways in place. Now, the task is to map the AI lifecycle checkpoints into these existing processes.
So, treat your AIMS updates like any other controlled change in your organisation. Handle any AI-related incidents through your existing incident management process. Include AI performance checks within your normal monitoring and review activities. Â
Create visibility through an AI inventory
Ensure your AI systems are formally identified, documented and brought within the defined scope of your management system, as required under ISO 42001.
If you already maintain an asset register under ISO 27001 or an optional service catalogue as part of your ISO 9001 QMS, expand it to classify your AI systems.
Your AI inventory should clearly record what you use each AI tool or system for, how important its decisions are, who oversees it, what data it uses and produces, and how you monitor it. This will give you a solid base for applying the right level of control, while tying AI into your existing governance processes. Â
Operate one audit, review and documentation cycle
Like everything else we’ve touched on so far, you don’t need a separate audit programme for ISO 42001.
Instead, expand your internal audit criteria to include your requirements for AI governance. Include AI performance, risks and incidents within your existing management system review process. Use your established corrective action framework for AI-related nonconformities.
One of the most common integration mistakes is creating an entirely separate set of AI policies and procedures. Instead, maintain one document control system. In most cases, it’s far more effective to update your existing policies so they reference AI where relevant.
For example, your risk management procedure can include your AI risk criteria. Your supplier management process can include AI vendor evaluation. Your incident management procedure can reference AI system failures. Â
How ISO QSL can help
Integrating ISO 42001 into your existing management systems isn’t as complicated as you might think. The challenge is identifying which elements you can inherit from other standards, and where AI introduces new requirements.
At ISO QSL, we can help you align ISO 42001 with ISO 27001 and ISO 9001, and build the AI-specific controls that you can’t inherit or transfer from the other standards.
So, if you want ISO 42001 to strengthen your existing governance, speak to our team of expert ISO consultants today to explore the most practical and efficient route to get your organisation ISO 42001 certified.