ISO 27001 and ISO 42001: The AI Information Security Management Standard Pair
ISO 42001 was published in December 2023, and it filled a gap that had been widening for years. Organizations deploying AI systems had been trying to shoehorn AI governance into existing frameworks, mostly ISO 27001, and finding that the fit was awkward. ISO 42001 gives AI management systems their own dedicated standard, but it was explicitly designed to integrate with ISO 27001 rather than replace it. Understanding how these two standards interact is becoming essential for any regulated organization that builds, deploys, or procures AI.
What ISO 42001 Actually Covers
ISO/IEC 42001:2023 specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS). It follows the same Annex SL high-level structure that ISO 27001 and other management system standards use, which is the key architectural decision that makes integration feasible.
The standard addresses several areas that ISO 27001 was never built to handle:
- AI risk assessment specific to machine learning and autonomous systems. This goes beyond information security risk to cover bias, fairness, transparency, and the unique failure modes of AI systems like model drift, adversarial attacks, and hallucination.
- AI system lifecycle management. From data collection and model training through deployment, monitoring, and retirement. ISO 27001 covers information assets broadly; ISO 42001 gets specific about training data provenance, model validation, and ongoing performance monitoring.
- Responsible AI principles. The standard requires organizations to define and implement policies around fairness, transparency, explainability, and accountability. These concepts simply do not exist in ISO 27001's control set.
- AI system impact assessments. ISO 42001 Clause 6.1.4 requires an AI system impact assessment process, Annex A control objective A.5 (Assessing impacts of AI systems) carries the related controls, and Annex B provides implementation guidance for them. These assessments evaluate potential effects on individuals, groups, and society. Think of them as a structured cousin to the Data Protection Impact Assessments required under GDPR Article 35, but scoped specifically for AI rather than personal data.
Annex A of ISO 42001 contains 38 controls organized under nine control objectives (A.2 through A.10): AI policies, internal organization, resources for AI systems, assessing impacts of AI systems, AI system life cycle, data for AI systems, information for interested parties, use of AI systems, and third-party and customer relationships. Annex B gives implementation guidance for each control. Some of these controls will look familiar if you have worked with ISO 27001's Annex A controls (which were restructured into 93 controls in the 2022 revision). Others are entirely new territory.
How the Two Standards Fit Together
The integration story here is genuinely well thought out. Because both standards use the Annex SL structure, the core management system clauses (4 through 10) are nearly identical in structure: context of the organization, leadership, planning, support, operation, performance evaluation, and improvement. If you already have an ISO 27001 ISMS, a reasonable estimate is that you have 60 to 70 percent of the management system scaffolding you need for ISO 42001; the scope statement, policies, competence records, internal audit program, and management review cycle can all be extended rather than rebuilt.
Where they diverge is in the specifics. ISO 27001 Clause 6.1.2 requires an information security risk assessment process. ISO 42001 Clause 6.1.2 requires an AI risk assessment process, and Clause 6.1.4 adds an AI system impact assessment, and together they address a fundamentally different risk landscape. You are not just worried about confidentiality, integrity, and availability anymore. You are also assessing risks related to model accuracy, bias amplification, lack of explainability, and downstream societal impacts on people who never interact with your organization directly.
The control sets (Annex A in both standards) are complementary. ISO 27001's controls around access management, cryptography, network security, and incident response remain fully relevant for AI systems: a model endpoint is still a service that needs authentication, its weights and training data are still information assets, and a prompt injection or data poisoning event is still an incident. ISO 42001 adds controls around data quality for AI, model testing and validation, AI system documentation, and third-party AI component management. Both standards require a Statement of Applicability (Clause 6.1.3 in each), so an organization running both would maintain a single integrated management system with a combined Statement of Applicability that maps controls from both standards, while still recording the inclusion or exclusion justification each standard's auditor expects to see.
Practical Integration Considerations
A few things to think about if you are planning an integrated implementation:
- Single internal audit program. You can audit both management systems together, which saves significant time and reduces audit fatigue. Certification bodies like BSI, Bureau Veritas, and DNV are already offering combined audits.
- Unified risk register. Maintaining separate risk registers for information security and AI is a recipe for gaps. AI systems process data, so information security risks and AI risks frequently overlap. A single register with clear categorization works better.
- Shared governance structure. ISO 42001 Clause 5.1 requires top management commitment, just like ISO 27001. Rather than creating a parallel governance committee for AI, extend your existing information security governance to include AI oversight. Some organizations are creating a dedicated AI governance subcommittee that reports into the same structure.
- Supplier management alignment. ISO 27001 Annex A control 5.19 covers information security in supplier relationships. ISO 42001 extends this through control objective A.10 (third-party and customer relationships) to AI-specific supply chain concerns, including third-party model provenance, training data licensing, and SLA requirements around model performance. These should be managed through a single supplier assessment process, so that the vendor supplying a hosted model is assessed once for both its security posture and its AI governance rather than twice by different teams.
The Regulatory Context
ISO 42001 did not emerge in a vacuum. The EU AI Act (Regulation (EU) 2024/1689), which entered into force on August 1, 2024, creates binding obligations for high-risk AI systems that align closely with ISO 42001's control objectives. Article 9 of the AI Act requires a risk management system for high-risk AI; Article 10 addresses data and data governance; Article 13 covers transparency and provision of information to deployers. These map naturally to ISO 42001's Annex A controls, although certification to ISO 42001 is not by itself a demonstration of AI Act conformity.
The European Commission has already signaled that harmonized standards under the AI Act, which carry a presumption of conformity under Article 40, will likely draw on ISO 42001. CEN and CENELEC (through JTC 21) are developing those European standards, expected in 2025 at the time of writing. For organizations operating in the EU, implementing ISO 42001 now is a reasonable hedge against future compliance requirements.
In the U.S., the NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1, published January 2023) shares significant conceptual overlap with ISO 42001. The NIST framework's four core functions (Govern, Map, Measure, Manage) correspond loosely to ISO 42001's management system clauses and Annex A controls. NIST AI RMF is voluntary and has no certification scheme, so organizations that have already aligned with it will find ISO 42001 certification a shorter lift than starting from scratch, but not a formality.
For defense contractors, the intersection with CMMC is worth noting. CMMC 2.0 Level 2 aligns with the 110 requirements of NIST SP 800-171, which focuses on protecting Controlled Unclassified Information and says nothing about AI-specific risk. As DoD increasingly procures AI-enabled systems, expect supplementary requirements that look a lot like ISO 42001's controls layered on top of existing CMMC obligations.
Who Should Care About This Right Now
If your organization is deploying AI in any regulated context, the combined ISO 27001/42001 framework is worth serious consideration. Healthcare organizations using AI for clinical decision support, financial institutions deploying algorithmic trading or credit scoring models, legal teams using AI for document review, and education technology companies using adaptive learning systems all fall squarely in scope.
The certification market is still early. As of mid-2024, relatively few organizations hold ISO 42001 certification compared to the roughly 70,000 organizations certified to ISO 27001 globally (per the ISO Survey 2022). Early movers get the advantage of demonstrating AI governance maturity to regulators, customers, and partners before it becomes table stakes.
How FirmAdapt Addresses This
FirmAdapt's platform architecture was built around the principle that AI governance and information security governance need to operate as a single integrated system. The platform's compliance mapping engine covers both ISO 27001 and ISO 42001 control sets, allowing organizations to manage a unified Statement of Applicability, maintain a combined risk register, and generate audit evidence that satisfies both standards simultaneously.
For organizations that already hold ISO 27001 certification and are evaluating ISO 42001, FirmAdapt provides gap analysis tooling that identifies which existing controls satisfy ISO 42001 requirements and where new controls need to be implemented. The platform also maps these controls against the EU AI Act's requirements and the NIST AI RMF, so you are not solving the same compliance problem three different ways.