Vanta for ISO 42001: AI Management System Certification Guide

ISO 42001 is the first international standard an organization can be certified against for how it builds, provides, and runs artificial intelligence.

It was published in December 2023 by ISO and IEC, and it defines an AI Management System (AIMS) that an accredited auditor can actually inspect. That single fact reshaped the compliance conversation for anyone shipping AI products.

A SOC 2 report tells a buyer your data handling is sound. It says nothing about whether your models are governed, your training data is documented, or your automated decisions can be explained. Enterprise procurement teams figured this out fast. AI-specific questionnaires now show up in deals that used to close on a SOC 2 report alone, and buyers increasingly want a recognized certification behind the answers. ISO 42001 is becoming that certification, and Vanta is the platform many AI companies reach for to get there without building a governance program from nothing.

What Is ISO 42001 and Why It Matters for AI Companies

ISO 42001 at a glance: the first AI management system standard

ISO/IEC 42001:2023 specifies the requirements for establishing, maintaining, and continually improving an AIMS. It follows the same Harmonized Structure as ISO 27001 and ISO 9001, so the backbone is familiar: context, leadership, planning, support, operation, performance evaluation, and improvement. The difference sits in the annexes.

  • Annex A defines roughly 38 AI-specific controls across nine areas, covering AI policy, internal roles, resources, impact assessments, lifecycle processes, data management, information for interested parties, use of AI systems, and third-party relationships.
  • Annex B gives implementation guidance.
  • Annex C lists organizational objectives and risk sources.

What makes the standard distinct is that it addresses problems that generic management systems never had to. Model outputs are probabilistic. Training data governance is messy. Automated decisions are hard to explain. Risk does not sit still; it shifts every time a model is retrained or a vendor pushes an update.

Who in the AI ecosystem needs ISO 42001

The standard applies across the AI value chain. Providers that build and sell AI systems, developers that create models or components, and deployers that integrate AI into their own products or operations all fall within scope. A Series B startup shipping a generative feature, an enterprise embedding AI in hiring workflows, and a public agency using AI for citizen services can each build an AIMS against the same clauses.

For AI-native companies, the pull is commercial before it is regulatory. Certification is turning into a procurement filter. When a large customer’s security review asks how you govern model risk, “we have SOC 2” is no longer a complete answer.

How ISO 42001 fits alongside SOC 2, ISO 27001, and the EU AI Act

These frameworks are not competitors. They stack. ISO 27001 secures your information. SOC 2 proves your controls to customers. The EU AI Act is binding law with penalties. NIST AI RMF is voluntary guidance. ISO 42001 is the connective tissue that puts an auditable management system around AI specifically.

Insider Note: The reason ISO 42001 sells itself in enterprise deals is that it fills a gap SOC 2 was never designed to cover. SOC 2 examines security, availability, and confidentiality. It does not ask whether you ran an AI impact assessment, whether a human reviews high-stakes model outputs, or whether you track which third-party models touch customer data. Buyers now write those exact questions into vendor questionnaires, and a 42001 certificate answers most of them before the call even starts.

Need help implementing ISO 42001 in Vanta?

Axipro can guide you from setup to certification readiness.

The Unique AI Compliance Challenges Vanta Solves

Managing AI-specific risks across models, data, and vendors

Traditional GRC tooling was built for static controls. AI risk is not static. A model that passed review at launch can drift, a new data source can introduce bias, and a fine-tune can reclassify your legal obligations overnight. Vanta’s value for AI companies is treating these as continuous, monitored controls rather than one-time checkboxes, spanning the models you build, the data that feeds them, and the vendors whose models you embed.

Keeping pace with evolving global AI regulations

The regulatory floor keeps moving. The EU AI Act phases in over several years, US agencies are issuing guidance, and standards bodies are revising their work. Tracking this by hand across eight jurisdictions is not realistic for a lean team. A compliance platform that maps a single control set to multiple frameworks turns that sprawl into something maintainable.

Proving trust to enterprise buyers procuring AI products

The end goal of most of this work is a shorter sales cycle. Enterprise buyers procuring AI want evidence, not assurances. A live, shareable view of your AI compliance posture answers the questionnaire before it becomes a bottleneck, which is exactly what a Trust Center is built to do.

How Vanta Supports ISO 42001 Certification for AI Companies

Automated evidence collection mapped to ISO 42001 controls

The heaviest part of any certification is evidence. Vanta connects to your cloud, identity, and development stack and pulls control evidence automatically, then maps it to the relevant ISO 42001 clauses and Annex A controls. Instead of screenshotting configurations the week before an audit, you accumulate evidence continuously. That shifts the audit from a scramble into a review.

Pre-built policy templates for AI governance

ISO 42001 expects documented policies for AI use, roles, and risk management. Building these from a blank page is slow and error-prone. Pre-built AI governance policy templates give teams a defensible starting point they can adapt to their actual operations, which matters when an auditor asks not just whether a policy exists but whether it reflects what you really do.

Continuous control monitoring for AI systems

Certification is a snapshot. An AIMS is supposed to be alive. Continuous monitoring is where the platform earns its keep, flagging when a control drifts out of compliance so you can fix it before it becomes an audit finding or, worse, a real incident.

Cross-mapping ISO 42001 with SOC 2, ISO 27001, HIPAA, and GDPR

Most AI companies do not pursue one framework. They carry several. The efficiency argument for a platform is control overlap: a single access-control or vendor-management control can satisfy requirements across ISO 42001, ISO 27001, SOC 2, HIPAA, and GDPR at once. Cross-mapping means you implement a control once and reuse the evidence everywhere it applies, instead of duplicating the same work five times.

Pro Tip: Define Your AIMS Scope Before Anything Else

Before you touch a single control, define your AIMS scope in writing. List exactly which AI systems, models, and use cases are inside the boundary and which are out. Teams that skip this step end up either over-scoping, and drowning in evidence for systems that never needed it, or under-scoping and failing Stage 1 when the auditor finds a production model that was never governed. Scope is the cheapest decision to get right and the most expensive to get wrong.

Vanta’s AI Compliance Capabilities Beyond ISO 42001

EU AI Act readiness inside the platform

The EU AI Act is the binding counterpart to ISO 42001’s voluntary certification. Tracking EU AI Act readiness in the same platform as your 42001 controls helps you avoid running two disconnected programs. The catch is that the AI Act’s timeline has shifted, and building against the wrong date is a real risk.

Important: The EU AI Act’s high-risk deadline has moved. The Act entered into force on 1 August 2024, prohibited practices have applied since February 2025, and general-purpose AI model rules since August 2025. But under the Digital Omnibus, a provisional agreement reached on 7 May 2026, obligations for standalone high-risk systems under Annex III were deferred from August 2026 to 2 December 2027, with product-embedded high-risk systems pushed to August 2028. Transparency obligations for deployers still land in August 2026, and the package is pending formal adoption. Plan against December 2027 for high-risk, but confirm final adoption before you bet a roadmap on it. You can track the current schedule through the European Commission’s AI Act implementation timeline.

NIST AI Risk Management Framework alignment

The NIST AI Risk Management Framework is voluntary US guidance built around four functions: Govern, Map, Measure, and Manage. Many Annex A controls in ISO 42001 map directly to NIST AI RMF subcategories, so aligning to one gives you a running start on the other. Treating NIST AI RMF as an overlay on your 42001 program, rather than a separate project, keeps the work coherent.

AI vendor and third-party risk management

Most AI companies do not train their own foundation models. They build on OpenAI, Anthropic, or Google Gemini. That makes third-party risk management (TPRM) central to AI governance, because a vendor’s model becomes part of your risk surface. Managing these relationships, tracking what data flows where, and documenting vendor controls is a first-class part of both ISO 42001 and a mature compliance platform.

Trust Center for showcasing AI compliance to customers

A Trust Center turns your compliance posture into a sales asset. Rather than emailing certificates and answering the same questionnaire fifty times, you publish a live page that shows your certifications, controls, and security documentation. For AI vendors facing longer, more skeptical reviews, this shortens the distance between first contact and signed contract.

The Vanta Workflow for AI Companies Pursuing ISO 42001

Step 1: Scope your AIMS.
Decide which AI systems and use cases the management system covers. This defines everything downstream, from which controls apply to how much evidence you collect.

Step 2: Assign AI roles and responsibilities.
ISO 42001 expects clear ownership. Someone accountable for AI governance, someone for risk, someone for the technical controls. The platform gives you a place to document and track these assignments.

Step 3: Run an AI risk and impact assessment.
Clause 6 requires systematic identification and evaluation of AI risks and an AI impact assessment for the people your systems affect. This is the analytical core of the standard, not a formality.

Step 4: Implement controls and close gaps.
Work through the applicable Annex A controls, use policy templates and automated evidence to speed the build, and let continuous monitoring surface the gaps you still need to close.

Step 5: Select an auditor and certify.
ISO 42001 certification comes from an accredited certification body, not from the platform. Firms such as A-LIGN and Schellman are among the accredited auditors in this space. Expect a Stage 1 documentation audit followed by a Stage 2 operational audit.

Benefits AI Companies Gain with Vanta for ISO 42001

Faster time to certification. Automated evidence and pre-built policies compress the slowest parts of the process. A mature AIMS can reach certification in roughly three to six months, versus six to twelve when starting from scratch.

Lower cost of managing multiple frameworks. Control overlap means the marginal cost of each additional framework drops sharply once the first is in place.

Real-time visibility into posture. Continuous monitoring replaces the annual panic with an always-current view of where you stand.

Customer and investor confidence. A recognized certification signals maturity to enterprise buyers and to investors evaluating how well you manage AI risk, which increasingly shows up in diligence.

Getting Started with Vanta for ISO 42001

The practical first move is not buying software. It is inventorying your AI systems and deciding what belongs inside your AIMS. From there, map what you already have from SOC 2 or ISO 27001, identify the AI-specific gaps, and use the platform to automate evidence and monitor controls as you build. Certification is the milestone, but the durable payoff is a governance program that keeps pace with how fast AI and its regulation keep changing.

ISO 42001 gives AI companies a credible, auditable way to prove they govern AI responsibly, and a platform like Vanta removes much of the manual weight of getting and staying certified. For teams that treat it as an ongoing program rather than a one-time audit, it becomes a durable advantage in every enterprise deal that now asks how you manage AI risk.

If this sounds overwhelming, book a call today; we offer certification starting at $4,000.

Frequently Asked Questions

Is ISO 42001 mandatory for AI companies?

No. ISO 42001 is a voluntary certification, not a law. What is making it feel mandatory is the market: enterprise buyers and partners increasingly ask for it as proof of responsible AI governance, and it helps demonstrate alignment with binding regulations like the EU AI Act.

Yes, and it matters more than teams expect. Under the EU AI Act you can still be a deployer with real obligations even if you never train a model, and substantial fine-tuning can reclassify you as a provider. ISO 42001’s third-party relationship controls exist precisely for companies building on foundation models, so vendor risk management becomes central rather than optional.

It depends on maturity. Organizations with an established AIMS often certify in three to six months. Building from scratch typically runs six to twelve. Existing ISO 27001 or SOC 2 programs shorten the path because much of the underlying evidence transfers.

The two are complementary, one a voluntary certification and one binding law, and platforms in this space increasingly track both together. Given the Digital Omnibus timeline changes, confirm how current the platform’s EU AI Act content is before relying on it for deadlines.

Through the AI-specific Annex A controls and supporting policy templates. Where ISO 27001 covers information security, ISO 42001 adds AI policy, impact assessments, model lifecycle governance, and responsible AI practices. Cross-mapping reuses what overlaps and flags what is genuinely new.

Increasingly, yes. The standard applies to organizations of any size, and automating evidence collection lowers the labor cost that used to make certification impractical for small teams. For many AI startups, the revenue unlocked by clearing enterprise procurement outweighs the cost of getting certified.

Axipro Author

Pedro Dias

Pedro has been writing online for over 10 years. With experience in all things programming, cyber security, and compliance, he is our editor-in-chief at Axipro.
