ISO management system standards share a common structure: context, leadership, planning, support, operation, performance evaluation, and improvement. Your ISO 27001 program already lives in that shape. ISO 42001 reuses it and adds the parts specific to governing AI.
Most of the effort in a fresh ISO 42001 program is not the paperwork skeleton. It is collecting evidence about AI that your ISO 27001 controls were never scoped to see. Here is the shape of it.
| Area | ISO 27001 today | ISO 42001 adds | Where Northbeams helps |
|---|---|---|---|
| Asset inventory | Information assets and systems | An inventory of AI systems in use | Live map of every AI tool across browser, desktop, CLI, and MCP |
| Risk assessment | Information security risk | AI-specific risk and impact | On-device classification with severity and estimated exposure value |
| Operational controls | Access, crypto, logging | AI use, oversight, and enforcement | One-click block, allow, and sandbox, plus Model Governance |
| Records | Security event logs | Records of AI activity over time | One immutable, signed log with per-user attribution |
The management system you already certified does the rest. Northbeams supplies the AI evidence layer, exported in one click and mapped to the controls your auditor tests.