Risk Professionals

Risk Professionals provide consulting and training in risk management, including ISO trainings.

04/06/2026

Most organisations implementing ISO 42001 already have an ISO 27001 ISMS in place, or they're planning one. Running them as parallel programs is the default move. It's also the slowest, most expensive way to do it.

ISO 42001 was designed to integrate. Both standards sit on the Annex SL spine, which means the management system structure is identical: context, leadership, planning, support, operation, performance evaluation, improvement. The information security controls in ISO 27001 underwrite a good chunk of what ISO 42001 needs anyway. Building two separate programs duplicates policies, audit cycles, training, and the documentation effort that comes with all of it.

The integrated approach is faster to build, cleaner to audit, and easier to maintain. One IMS Manual instead of two. One set of policies covering both AI and information security. One management review cycle. Two Statements of Applicability, but documented in one place.

Our new IMS (ISO 42001 + ISO 27001) Document Kit gives you the integrated foundation. 120+ editable documents including the IMS Manual, an alignment guide, 24 integrated policies, 23 procedures, both Statements of Applicability, three years of implementation training decks, and a combined library of 50 incident playbooks (26 AI scenarios and 24 cyber scenarios). One-time AUD $999, instant download.

Available through Risk Professionals: riskprofs.com/templates

03/06/2026

Most organisations implementing ISO 42001 stall on the same question: who, specifically, is accountable for what?

The standard doesn't hand you four ready-made job titles. What it does require is that the roles and responsibilities for managing AI are defined, allocated, and documented under Annex A.3.2, with final accountability sitting at the top with management under Clause 5.3.

That translates, in practice, to four roles you need to define for your organisation:
An AI system owner, accountable end-to-end for one specific AI system, with the authority to halt it. An AIMS coordinator, who maintains the management system, owns the register of AI systems, and escalates non-conformities. An AI reviewer, who provides independent oversight of individual AI system decisions against defined acceptance criteria. And top management, who set policy, accept residual AI risk, and sign the management review.

The audit-failing pattern is consistent. The roles exist on paper. The authority to act on them doesn't. An owner who can't actually halt a system. A coordinator without the authority to enforce anything. A reviewer with no defined trigger events. A board that signs cyber risk minutes but never AI risk minutes.
Evidence the assignments through job descriptions, RACI matrices, or appointment letters. Verbal arrangements fail audits.

Available through Risk Professionals as a PECB Authorised Platinum Partner.

02/06/2026

ISO 42001 and the EU AI Act are not the same thing, and treating them as alternatives is one of the more common mistakes we see in AI governance programs.

ISO 42001 is a voluntary international management system standard. You adopt it by choice, run it through an Annex SL structure that integrates with ISO 27001, and ultimately certify your AIMS through an accredited audit. The consequence of falling short is losing the certificate.

The EU AI Act is binding European Union regulation. It applies automatically if your AI system reaches the EU market or affects EU persons, regardless of where you sit. It tiers AI systems by risk class and demands a demonstrated conformity assessment for each one. The consequence of falling short is a fine of up to €35 million or 7 percent of global turnover.
One is how you build the management system. The other is what the law requires you to demonstrate. They're complementary, not competing, and the strongest AI governance programs cover both.

Our ISO/IEC 42001 + EU AI Act Document Kit gives you the templates, procedures, registers and playbooks for both frameworks in one bundle. AIMS manual, policies and SOPs, Statement of Applicability, conformity assessment templates, 26 AI incident playbooks, full register set, and a three-year training program. Word, Excel and PDF. Instant download. One-time AUD $999.

Available through Risk Professionals: riskprofs.com/templates

01/06/2026

ISO/IEC 42001 is the global AI management system standard. Every organisation building, deploying, or governing AI is heading toward it, whether they know it yet or not.

Two PECB tracks. Lead Implementer for the people designing and deploying the AI management system. Lead Auditor for the people verifying it works.

US$599 per credential. Self-paced delivery. Certification exam included, with two attempts. PECB registration handled by us.

Available through Risk Professionals as a PECB Authorised Platinum Partner.

31/05/2026

ISO 27001 and ISO 42001 are easier to learn together than apart.

They sit on the same management system spine. Both follow Annex SL, so context, leadership, planning, support, operation, performance evaluation, and improvement work the same way in each. Both use risk-based thinking. Both produce a Statement of Applicability. Both run on an internal audit programme. Both certify on the same cycle.

The unique territory is genuinely unique. ISO 27001 brings 93 Annex A controls, information asset risk, and two decades of audit precedent. ISO 42001 brings AI impact assessments, model lifecycle controls, AI-specific data governance, and EU AI Act alignment.

But the shared spine is most of the work. Learn 27001 first and the second credential takes a fraction of the effort. The principles, the structure, the documentation patterns, the audit logic are already in your hands.

Two PECB Lead Implementer credentials at US$599 each. Online and self-paced. Exam included with two attempts and a free retake within 12 months.

Available through Risk Professionals as a PECB Authorised Platinum Partner.

29/05/2026

Most organizations implementing ISO 27001 never see Annex A as a complete structure; they work through controls one by one in spreadsheets, without the full picture.

Here it is mapped for clarity.

The ISO 27001:2022 revision restructured Annex A controls from 114 controls across 14 domains into 93 controls grouped under four themes. Many still reference the old structure, which creates confusion during implementation and audits.

The 93 ISO 27001 controls are divided into Organizational (A.5) with 37 controls, People (A.6) with 8 controls, Physical (A.7) with 14 controls, and Technological (A.8) with 34 controls. Organizational and Technological domains carry the highest weight in most ISO 27001 implementation projects.

The 2022 update also introduced 11 new ISO 27001 controls, reflecting modern security requirements such as cloud services security, threat intelligence, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding practices.

It is important to remember that ISO 27001 Annex A controls are not a checklist. They are reference controls selected based on risk assessment. Each organisation defines applicability in the Statement of Applicability (SoA), meaning the 93 controls are a menu of options, not mandatory requirements.

For ISO 27001 implementation support, documentation, and audit readiness, you can use our ISO 27001 document kit and templates:

https://riskprofs.com/templates/iso-iec-27001-document-kit-templates/

26/05/2026
25/05/2026

ISO 27001 Lead Implementer or Lead SOC 2 Analyst? It's one of the more common questions we get from people planning their next certification.

Both are PECB credentials. Both teach you to get an organization audit-ready. The difference is the framework and the market.

ISO 27001 Lead Implementer is about building and running an information security management system (ISMS) to an international standard. It prepares an organisation for ISO 27001 certification and is recognised globally. Best suited to implementers, consultants, and ISMS owners. Purchase training here: https://riskprofs.com/product-category/trainings/information-security/iso-iec-27001/

Lead SOC 2 Analyst is about managing SOC 2 compliance against the AICPA Trust Services Criteria. It prepares an organisation for a SOC 2 attestation by a CPA firm and is highly valued in North American SaaS, cloud, and tech procurement environments. Best suited to security analysts, compliance officers, and incident response coordinators. Purchase training here: https://riskprofs.com/product/lead-soc-2-analyst/

Both ISO 27001 Lead Implementer and Lead SOC 2 Analyst include 31 CPD credits, the exam, and PECB registration. Both are self-paced with a free retake.

Here's the honest answer though: you don't have to choose. ISO 27001 and SOC 2 share significant control overlap, and the strongest GRC professionals tend to hold both ISO 27001 certification knowledge and SOC 2 compliance expertise.

Available through Risk Professionals as a PECB Authorised Platinum Partner.

Address

Level 3, 478 George Street
Sydney, NSW
2570
