ISO 27001, with Annex A mapped onto your AI.
The 2022 Annex A update aligned ISO 27001 with the way modern cloud and AI systems are actually built. We design ISO-conformant AI architectures that share evidence with your SOC 2 program where possible — cutting roughly 30-40% of the standalone effort.
The European-and-global standard. Increasingly required by enterprise buyers globally.
ISO 27001 certification is the de-facto requirement for European enterprise sales, and an increasingly common requirement in Canada, Asia-Pacific, and Latin America. For AI vendors and AI-embedded products serving global enterprises, ISO 27001 is no longer optional.
Where SOC 2 emphasizes service-level controls and audit attestation, ISO 27001 emphasizes the information security management system (ISMS) and continuous improvement. For AI deployments, this difference matters: ISO conversations naturally cover model lifecycle management, AI vendor risk, and evaluation-driven improvement — areas SOC 2 sometimes leaves implicit.
The Annex A controls we map most often for AI deployments.
Threat intelligence
Includes AI-specific threats: prompt injection patterns, model jailbreaks, data poisoning. Active monitoring of threat-intelligence feeds for AI-specific advisories.
Supplier relationships
Particularly relevant: AI model providers, vector database vendors, observability tools that see prompts. Each requires due diligence and contractual security expectations including no-training and no-retention clauses.
Privileged access rights
Model weights, inference infrastructure, and audit log destinations are privileged. Separation of duties between AI ops, security ops, and development.
Information deletion
Right-to-deletion across vector stores, conversation history, and any cached model context. Verified deletion, not just soft-delete.
Monitoring activities
Audit log delivery to SIEM with AI-specific event types: agent decisions, model calls, escalations, refusals, anomalies.
Use of cryptography
Encryption of model weights at rest, inference traffic in transit, conversation storage. Key management via customer KMS.
Secure coding
Includes prompt-injection mitigations, output filtering, allowlisted tool destinations, and dependency review for agent frameworks.
The full Annex A set has 93 controls. The map produced during the Discovery Sprint covers all applicable controls; the highlights above are where AI-specific design decisions get exercised most.
ISO 27017 and 27018 added cleanly.
For AI workloads in the cloud (which is most of them), we add ISO 27017 (cloud security) and ISO 27018 (PII in public cloud) to the base 27001 control set. The certification treats them as extensions, not separate audits.
The 27017 controls focus on the shared responsibility model between the cloud provider and the customer — particularly relevant when the AI vendor is itself a cloud-hosted service (Bedrock, Azure OpenAI, Vertex AI). 27018 adds PII-specific expectations on consent, transparency, and right-to-deletion.
For customers serving the EU market, this same layer double-counts toward GDPR compliance — the control set satisfies most Article 32 (security) requirements directly.
Frequently asked questions
ISO 27001 or SOC 2 — do we need both?
It depends on your buyer base. SOC 2 is the North American norm; ISO 27001 is the European and global norm. Customers serving both markets typically pursue both. The good news: most of the controls overlap. We design control sets that satisfy both standards with single evidence streams where possible, saving roughly 30-40% of the standalone effort for each.
How does ISO 27017 / 27018 relate?
ISO 27017 (cloud security) and ISO 27018 (PII in the cloud) extend the base 27001 control set with cloud-specific guidance. For AI deployments running in the cloud — most of them — we routinely include 27017 and 27018 controls in the compliance map. The conformity assessment treats them as an extension, not a separate audit.
What's unique about ISO 27001 for AI?
The 2022 update aligned Annex A with the way modern cloud and AI systems are actually built. Controls around supplier relationships (A.5.19 - A.5.23), threat intelligence (A.5.7), and information security for cloud services (A.5.23) translate directly to AI vendor management. The control set is broader and more contemporary than older versions of Annex A.
Are auditors familiar with AI workloads in ISO 27001?
Increasingly yes, but ask before engaging. We have referral relationships with audit firms that specifically understand AI systems — model deployment, vendor management for model providers, prompt and output handling — and can walk a system through certification efficiently. Going with a firm that's never seen an AI workload triples the audit time.