Mapping the ISO Jungle: 27001, 27002, 27005, 31000, 42001

ISO standards can feel like an impenetrable jungle: 27001, 27002, 27005, 31000, 42001… Here’s the clear, no-nonsense map GRC professionals actually need.

Christophe Mazzola · Practicing CISO · Founder of Cyber Academy

Most organisations don’t fail ISO projects because of controls or documentation. They fail because they don’t understand the relationship between the standards.

ISO 27001, 27002, 27005, 31000 and now 42001 all seem related, but each plays a different role. Confuse them and your governance collapses; map them properly and everything becomes simple.

Here is the sharp, field-tested map of the ISO jungle.

ISO standards are not competing books. They form a governance system, each covering a different layer:

  • 27001 → the requirements
  • 27002 → the how-to guide
  • 27005 → the risk methodology
  • 31000 → the enterprise risk philosophy
  • 42001 → AI governance requirements

Once you understand this hierarchy, ISO stops being paperwork and becomes a blueprint for security, risk and AI governance.

1. ISO 27001: The Core Requirements (The “What”)

ISO 27001 is your anchor. It defines what your Information Security Management System (ISMS) must achieve.

It provides:

  • Clauses 4–10 = the mandatory management system requirements (context, leadership, planning, support, operation, performance evaluation, improvement)
  • Annex A = the reference control set (93 controls in four themes in the 2022 edition), used to build the Statement of Applicability
  • The requirements a certification body audits against

What it does NOT give you:

  • How to implement controls
  • How deep each control should go
  • A risk methodology
  • Technical guidance

This is why other standards exist around it.

Think of 27001 as the skeleton.

2. ISO 27002: The Implementation Manual (The “How”)

ISO 27002 is not a certification standard. It is the detailed control guidance supporting Annex A of 27001.

Every control in 27001 Annex A → explained in 27002. Annex A of 27001:2022 is derived directly from 27002:2022, so the control numbering matches one-to-one and you can read the two side by side.

What 27002 gives you:

  • The purpose of each control
  • Implementation guidance
  • Control attributes (control type, CIA property, cybersecurity concept, operational capability, security domain) for filtering and mapping
  • Other information and examples
  • A basis for mapping to other frameworks: the “cybersecurity concept” attribute (Identify, Protect, Detect, Respond, Recover) lines up with the NIST CSF functions, which also helps when mapping to CIS, cloud or SaaS control sets

What 27002 does NOT give you:

  • Governance requirements
  • Risk methodology
  • Compliance criteria

27002 is your toolbox. 27001 is your rulebook.

3. ISO 27005: The Risk Engine (The “How to Think About Risk”)

ISO 27001 requires a risk assessment (Clause 6.1.2) and a risk treatment process (Clause 6.1.3), and requires you to define and apply risk criteria, but it specifies what the process must achieve, not the method you use to get there.

ISO 27005 fills this gap.

27005 gives you:

  • A full risk management methodology
  • Steps for risk identification
  • Impact/likelihood models
  • Treatment options
  • Continuous risk monitoring
  • Alignment with 27001 Clause 6 and Clause 8

Why it matters in practice:

If your risk assessment is weak, your entire ISMS collapses during audit. Auditors trace the chain risk assessment → risk treatment plan → Statement of Applicability → implemented control → evidence; a control that cannot be traced back to an assessed risk, or a risk with no treatment decision and no owner, is where nonconformities are raised.

27005 = the brain of the ISMS.

4. ISO 31000: The Risk Governance Philosophy (The “Why”)

ISO 31000 is not specific to cybersecurity. It is the global standard for enterprise risk management.

Organisations use 31000 to:

  • align cyber risk with enterprise risk
  • build a consistent risk taxonomy
  • standardise governance
  • define risk appetite and tolerance
  • connect business risk → ICT risk → operational risk

In simple terms:

27005 = operational risk method
31000 = enterprise risk culture

27005 is your method. 31000 is your mindset.
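The 27005 section above talks about impact/likelihood models and treatment options, and the 31000 section about appetite and tolerance. The following is an added example (not text from the article, not an ISO method) showing how those pieces meet in a risk register: a constructed 5×5 ordinal scale, assumed appetite and tolerance thresholds standing in for a management-approved appetite statement, and a constructed sample register. Scores, thresholds, control names and risk IDs are all assumptions for illustration.

```python
from dataclasses import dataclass, field

# 5x5 ordinal scale (assumed; 27005 leaves the scale to the organisation)
LEVELS = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}

# Appetite and tolerance as bands on the likelihood x impact product.
# These numbers are assumptions standing in for a 31000-style appetite
# statement signed off by management.
APPETITE = 6     # at or below: accept, no further treatment needed
TOLERANCE = 12   # above: outside tolerance, must escalate

TREATMENTS = ("accept", "modify", "share", "avoid")  # 27005 treatment options


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # ordinal steps the control removes
    impact_reduction: int = 0


@dataclass
class Risk:
    rid: str
    asset: str
    scenario: str
    likelihood: int           # 1..5, before controls
    impact: int               # 1..5, before controls
    treatment: str = "accept"
    controls: list[Control] = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        # Controls lower the ordinal levels but never below 1: a control can
        # shrink a risk, it cannot make the scenario impossible.
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def validate(risk: Risk) -> None:
    """Reject entries an auditor would flag: off-scale scores, unknown treatment."""
    if risk.likelihood not in LEVELS or risk.impact not in LEVELS:
        raise ValueError(f"{risk.rid}: likelihood/impact must be on the 1..5 scale")
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.rid}: treatment must be one of {TREATMENTS}")


def decide(risk: Risk) -> str:
    """Map residual score to the decision the risk owner must record."""
    validate(risk)
    if risk.treatment == "avoid":
        return "avoid: activity withdrawn, risk closed"
    score = risk.residual()
    if score <= APPETITE:
        return "within appetite: accept and review next cycle"
    if score <= TOLERANCE:
        return "within tolerance: treatment plan and owner sign-off required"
    return "outside tolerance: escalate to management, further treatment needed"


def build_register() -> list[Risk]:
    """Constructed sample register (not real data)."""
    return [
        Risk("R1", "staff laptops", "device stolen off-site", 4, 3, "modify",
             [Control("full-disk encryption", impact_reduction=2)]),
        Risk("R2", "file server", "ransomware encrypts shares", 3, 5, "modify",
             [Control("EDR", likelihood_reduction=1),
              Control("offline backups", impact_reduction=1)]),
        Risk("R3", "customer portal", "unpatched internet-facing app exploited", 5, 4,
             "modify"),  # treatment chosen, no control implemented yet
        Risk("R4", "legacy FTP", "credentials sniffed in transit", 4, 4, "avoid"),
    ]


def out_of_tolerance(risks: list[Risk]) -> list[str]:
    """IDs that must appear on the management review agenda."""
    return [r.rid for r in risks
            if r.treatment != "avoid" and r.residual() > TOLERANCE]


if __name__ == "__main__":
    for r in build_register():
        print(f"{r.rid} inherent={r.inherent():2d} residual={r.residual():2d} -> {decide(r)}")
    print("escalate:", out_of_tolerance(build_register()))
```

The point of the split between APPETITE and TOLERANCE is the 31000 layer: the method (27005) produces the score, but the thresholds that turn a score into "accept", "treat" or "escalate" come from the enterprise appetite statement, and R3 shows the case auditors look for, a treatment option recorded but no control yet in place, so residual still equals inherent.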

5. ISO 42001: The New AI Governance System (The “AI ISMS”)

ISO 42001 is the first global AI management system standard. It works like ISO 27001 but for AI governance.

What 42001 introduces:

  • AI risk assessment methods
  • Data governance & dataset quality
  • Model lifecycle controls
  • Human oversight requirements
  • Bias & drift monitoring
  • Governance for AI suppliers
  • Incident handling for AI failures
  • Documentation for explainability
  • A management-system structure that helps organise EU AI Act obligations (note: 42001 is not itself a harmonised standard under the Act, so certification does not by itself demonstrate conformity)

42001 is the bridge between GRC and AI development.

How 42001 fits into the ISO jungle:

  • 27001 → security of information
  • 42001 → governance of intelligence

Together: the organisation becomes secure, resilient, AND accountable for AI.

6. The Real Map: How Each Standard Interacts

Here is the clean mental model used by top GRC leaders:

Layer 1: Governance Framework

ISO 27001 → Information Security
ISO 42001 → AI Governance

These set the requirements and form the certifiable backbone.

Layer 2: Implementation Guidance

ISO 27002 → How to implement Annex A controls (security)
ISO 42001 Annex A (reference controls) and Annex B (implementation guidance) → How to operate AI governance

These are the manuals.

Layer 3: Risk Methodology

ISO 27005 → Operational risk method for security
ISO 31000 → Enterprise-wide risk principles

These are the risk engines.

Layer 4: Controls, Evidence & Assurance

All standards feed into:

  • policies
  • procedures
  • evidence
  • risk registers
  • audit trails
  • continuous monitoring

This is the working system.

7. The Practical Takeaway: What You Actually Need to Apply

Here is how GRC teams should use the standards in real life:

  • Use 27001 as your governance blueprint
  • Use 27002 to define your controls
  • Use 27005 to run your risk assessments
  • Use 31000 to align cyber risk with enterprise risk
  • Use 42001 to prepare for AI Act obligations

This gives you a unified governance model that works for ISO audits, NIS2, DORA, GDPR and the AI Act.

Final Thought

The ISO jungle looks complicated until you understand one truth:

27001 and 42001 tell you what to build. 27002 and 27005 tell you how to build it. 31000 tells you why it matters.

Master this map, and ISO stops being a maze: it becomes a governance engine that scales with your business, your risks, and your AI ambitions.

If you want to master ISO 27001, 27002, 27005, 31000 and 42001, and build a unified governance system ready for NIS2, DORA, GDPR and the AI Act, that’s exactly what we teach in the Cyber Academy PECB Certification programs.
