What is ISO 27001?


ISO 27001, formally ISO/IEC 27001, is the best-known international standard for information security management systems. It defines requirements for managing information security through risk assessment, controls, policies, roles, monitoring and continual improvement so information remains confidential, accurate and available when needed.

What this means

ISO 27001 is a management system standard for information security. It is not simply a cyber checklist, a penetration test, or a promise that no breach will ever happen. It asks whether an organisation has a structured way to identify information security risks, choose controls, operate them, monitor them and improve them.

The official name is ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements. ISO describes it as the world's best-known standard for information security management systems. In everyday business language, it is often shortened to ISO 27001.

For AI work, the relevance is direct. AI tools often depend on data access, supplier integrations, document stores, prompts, outputs, user permissions and logs. If the organisation does not know what information is sensitive, who can access it, how suppliers are reviewed, or how incidents are handled, AI adoption can increase the blast radius of ordinary security weaknesses.

The standard is especially relevant when AI is added to tools that people already trust. A platform may introduce summarisation, search or automation into an existing system, and the change may feel small because the supplier is familiar. Security review still needs to ask whether new data flows, permissions, logs or subprocessors have been introduced.

Why it matters

AI does not remove the need for ordinary information security. It makes it more visible. A workflow that previously involved one person reading one document may become a searchable knowledge base. A team that once copied text into a document may now paste material into a third-party tool. A customer service assistant may pull content from multiple systems. Each step raises questions about confidentiality, integrity and availability.

ISO 27001 matters because it gives leaders and buyers a familiar assurance language. It shows that information security is not being handled only through ad hoc technical fixes. The organisation has defined scope, risk management, controls, policies, roles, audit, management review and improvement.

It is also a procurement signal. Many buyers ask suppliers for ISO 27001 certification or equivalent evidence because they need confidence that entrusted information is managed securely. That does not mean certification answers every question, but it can reduce friction when combined with clear scope and current supporting evidence.

For smaller organisations, the practical lesson is not to copy a large enterprise security programme. It is to build a proportionate information security management system that protects the information the organisation actually holds and uses.

How it works

An ISO 27001-style information security management system begins with scope. The organisation defines which parts of the business, systems, locations, services and information assets are covered. Scope matters because a certificate or control set is only meaningful if people understand what it includes and what it excludes.

The next step is risk assessment. The organisation identifies information assets, threats, vulnerabilities, likelihood and impact. It then decides how to treat the risks: reduce them with controls, transfer them, avoid them, or accept them where justified. Controls may cover access management, supplier relationships, incident management, business continuity, physical security, asset management, encryption, logging, change management and staff awareness.

ISO 27001 is built around management discipline. Policies need owners. Controls need evidence. People need awareness. Incidents need response routes. Risks need review. Audits and management reviews check whether the system is operating, not just whether a folder of documents exists.

In AI-enabled workflows, ISO 27001 often connects to access control and supplier review. Leaders should ask whether AI tools have single sign-on, role-based permissions, logging, data retention settings, contractual commitments, incident notification terms and clear rules around confidential information. The question is not whether AI is exciting. It is whether the information security basics still hold when AI changes the workflow.

A useful ISMS also gives AI teams a place to put evidence. Supplier questionnaires, data classification decisions, security exceptions, access approvals, incident records and review notes should not be scattered across inboxes. They should sit inside an operating rhythm that can be checked and improved.

This is particularly important where AI search, summarisation or automation changes who can discover information, how quickly it can spread, and how easily a mistaken output can be reused in another workflow.

Examples

A consultancy wants to use an AI assistant to summarise client documents. ISO 27001 thinking would push the team to classify client information, restrict access, check the supplier's security posture, decide whether data is retained by the tool, log use, train staff and define what must not be uploaded.

A SaaS company selling to larger customers may use ISO 27001 to demonstrate that its own information security management system is mature enough for buyer due diligence. The certificate can support the trust conversation, but buyers will still ask about scope, cloud hosting, subcontractors, incident history and AI-specific controls.

A charity using AI for operations may not need certification, but it can still use the pattern. Sensitive beneficiary records, donor information and staff data should not be thrown into informal AI workflows without access controls, data minimisation and review.

An operations team enabling AI inside a ticketing system should check whether the feature can read all tickets or only selected queues, whether old attachments are included, whether outputs are logged, whether administrators can limit use by role and whether the supplier uses customer content to improve its service. Those are ISO 27001-style questions applied to a modern AI workflow.

Common misunderstandings

  • ISO 27001 is only for IT teams. No. ISO frames information security as a management system involving people, policies and technology.

  • Certification means there is no security risk. No. It gives assurance that a scoped management system has been assessed. Risk still needs ongoing management.

  • ISO 27001 is the same as ISO 42001. No. ISO 27001 focuses on information security management. ISO 42001 focuses on AI management. They can support each other.

  • AI security is separate from information security. Not really. AI introduces new patterns, but many controls still depend on familiar basics such as access, logging, supplier review and incident response.

Risks and boundaries

The main risk is over-reading the certificate. A supplier may be certified, but the scope may not cover the product, region, data flow or AI feature you are buying. Buyers should ask for the scope statement, certificate details, recent audit evidence where appropriate and how AI-related services are handled.

Another risk is treating ISO 27001 as a static project. Information security changes as systems, suppliers, staff, threats and data use change. AI can accelerate that change because teams may adopt new tools quickly or activate AI features inside platforms they already use.

ISO 27001 is also not a privacy framework on its own, although security and privacy often overlap. Personal data workflows may still need DPIAs, data processing agreements, privacy notices and data minimisation controls.

A further boundary is evidence freshness. A certificate, policy or questionnaire from last year may not reflect today's AI feature set. When AI capabilities are added quickly, security evidence needs to be checked against the current service, not only against the supplier's historic assurance pack.

What to do next

For an AI project, start by listing the information involved. Separate public, internal, confidential, client, employee, financial and personal data. Then ask which systems will touch that information, who will have access, what the supplier can see, where data is stored, how long it is retained and what happens if something goes wrong.

If your organisation already has ISO 27001, connect AI governance to the existing ISMS rather than creating a separate island. If you do not, borrow the discipline: define scope, classify data, assess risk, choose controls, train people, keep evidence and review regularly. That is often enough to improve AI safety before formal certification is considered.

When reviewing suppliers, do not ask only "Are you ISO 27001 certified?" Ask what the certification covers, when it was last assessed, which services are in scope, how subcontractors are managed and what commitments apply to customer data used in AI features.

If the organisation is not ready for a full ISMS, start with the controls that reduce immediate AI risk: approved-tool list, data classification, access review, supplier register, incident route and staff guidance on confidential information. These are practical stepping stones towards a stronger security management system.

FAQs

Is ISO 27001 the same as cybersecurity?

It is broader than a technical cybersecurity checklist. ISO describes ISO 27001 as a standard for an information security management system that covers people, policies and technology, not just technical controls.

What does ISO 27001 have to do with AI?

AI workflows often increase data access, supplier use and information movement. ISO 27001 helps manage the security controls around that information.

Does every AI supplier need ISO 27001?

Not always, but it is a useful assurance signal for suppliers handling sensitive, confidential or business-critical data. The right requirement depends on the risk and context.

What is the difference between ISO 27001 and SOC 2?

ISO 27001 is an international standard for information security management systems against which an organisation can be certified. SOC 2 is an attestation report, issued by an auditor, on a service organisation's controls against the AICPA Trust Services Criteria. Buyers often see both in supplier diligence.

Can a small business use ISO 27001 principles without certification?

Yes. A smaller organisation can use the structure to improve information security even if certification is not immediately necessary.
