Do Not Skip ISO 27001 to Chase ISO 42001
July 13, 2026
Most companies want ISO 42001 first because AI is trendy, which is the wrong order. We built AI agents for FEHA GRC in 2024, locked down ISO 27001 first, and only now in 2026 are going for 42001, because most AI problems are just security problems wearing a costume. Not competitors. You need both, just in that order.
.png)
FEHA keeps bumping into companies that want to jump straight into ISO 42001 because AI is the hot thing now and they've never touched ISO 27001. Not even looked at it.
The logic is usually "27001 is the old security one, 42001 is the new AI one, let's just do the new shiny one."
We get the appeal. But it's the wrong order and FEHA can say that with a bit of authority because we lived it ourselves.
We started building AI agents for FEHA GRC back in late 2024. By 2025, we could've gone for ISO 27001 and ISO 42001 at the same time. Some certification bodies will happily let you. We chose not to. We got our security management basics solid first. Only now, in 2026, are we going for ISO 42001.
Why wait?
- AI problems are usually security problems wearing an AI costume
- Training data leaking
- The wrong person having access to a model or its outputs
- A vendor mishandling data you handed them through an API. Nobody noticing until a customer does
All of that is security 101 and ISO 27001 is what builds the muscle for handling it: who can access what, how you classify and protect data, how you deal with vendors, what you do when something breaks.
If you skip straight to ISO 42001 without that muscle, you end up with a nice AI policy on paper and nothing solid underneath it. Looks good in a slide deck. Falls apart the moment an auditor, or a customer's security team, asks a real question like "how do you control access to your training data" and you don't have a real answer.
The part that actually surprised us?
Going through ISO 27001 first made building the AIMS afterward so much easier. Same team, same muscles, just pointed at a slightly different problem. Risk assessments, documentation habits, audit rhythm, all of it carried straight over. What would've been a slog from zero became mostly a matter of extending what we already had.
One thing worth being clear about: ISO 42001 doesn't replace ISO 27001, and 27001 doesn't replace 42001 either. They're not competing for the same job. One's about keeping your information secure in general. The other's about managing AI risk specifically. You genuinely need both if AI is a real part of what you do. They just work better in that order.
And yes, doing both audits is not cheap. Two certifications, two audit cycles, two sets of ongoing maintenance. For a lot of companies that's a real number to think about. But weigh it against what it opens up. Being able to say "yes we're certified for information security and for how we manage AI" is a very different conversation with an enterprise buyer than showing up with neither, or with just the trendy one and nothing behind it.
This is roughly the path we walk clients through at FEHA GRC when they come in wanting to "do AI compliance."
Happy to talk through where you actually stand today before deciding what to go for first.




