Integrated AI Security & Governance

Preparation for ISO/IEC 27001 and ISO/IEC 42001 certification and compliance with the AI Act

Methodology – PECB IMS2

(Integrated Implementation Methodology for Management Systems and Standards)

Objective

Implement an integrated ISMS (ISO/IEC 27001) and AIMS (ISO/IEC 42001) (governance, risks, controls, evidence), produce a single evidence pack applicable to both standards, and develop an AI Act compliance roadmap (classification + requirements + compliance dossier), in order to be ready for certification audits.

1) Expected results (deliverable commitment)
At the end of the assignment, you will have:
  • An operational ISMS (governance, roles, processes, metrics) covering the defined scope and ready for ISO/IEC 27001 certification.
  • An operational AIMS (AI governance, lifecycle, monitoring, traceability) ready for ISO/IEC 42001 certification.
  • Integrated security and AI governance: committees, RACI, objectives, KPIs, trade-offs.
  • Unified risk management: IT risks + AI risks (methods, registers, treatments, acceptance criteria).
  • A consistent and streamlined ISO 27001 Statement of Applicability (SoA) and an ISO/IEC 42001 SoA (shared controls).
  • A registry of AI systems and a mapping of flows (data, models, services, suppliers).
  • An integrated document repository (policies/procedures): security + AI (SDLC, vulnerabilities, incidents, changes, third parties, AI operations, decommissioning).
  • An evidence pack covering ISO 27001 and ISO/IEC 42001, ready for audit.
  • A combined internal audit (ISO 27001 + ISO 42001) and a management review conducted (minutes).
  • A certification readiness assessment (pre-audit) + corrective action plan.
  • An AI Act roadmap: system classification, mapping of obligations, list of evidence to be compiled, and compliance projects aligned with the ISMS/AIMS.
2) Scope (what the offer covers)
2.1 Scope of “ISO/IEC 27001”
  • Governance: leadership, responsibilities, objectives, KPIs, compliance, oversight.
  • IT risk management: methodology, registers, risk treatment, risk acceptance.
  • ISO 27001 Statement of Applicability (SoA): selected controls and justification.
  • Policies and procedures: access control/IAM, encryption, logging, backups, operational security.
  • Application security: SDLC, vulnerability management, hardening, reviews.
  • Incident management: detection, response, escalation, post-mortem.
  • Third-party/supply chain management: assessment, requirements, clauses, monitoring.
  • Document management, skills & awareness.
  • Monitoring, internal audit, management review, continuous improvement.
2.2 Scope of “AIMS ISO/IEC 42001”
  • AI governance: roles, committees, AI policy, objectives, and metrics.
  • AI registry & mapping: use cases, data, models, services, vendors.
  • AI risk management: identification, analysis, mitigation, monitoring.
  • AI lifecycle: design/selection, validation, deployment, monitoring, change management, decommissioning.
  • AI operations: human oversight, traceability/logs, AI incident management, deviations.
  • AI vendor/third-party management: requirements, evaluation, contractual clauses, monitoring.
  • Documented information management: policies, procedures, records.
  • Monitoring, internal audit, management review, continuous improvement.
2.3 Scope of the “AI Act” (compliance path)
  • Classification of AI systems (by use case / product / module).
  • Mapping of applicable requirements (transparency, documentation, human oversight, robustness/cyber, data, monitoring, traceability, etc.).
  • Compliance file: structure, responsibilities, expected evidence, remediation plan.
  • Alignment of AI Act evidence with ISMS/AIMS controls and documentation.


This offering aims to provide structured AI Act preparation. Full compliance depends on the type of system (e.g., “high-risk,” GPAI), the context, and technical choices. The engagement provides the roadmap, the compliance dossier, and the compliance plan.

3) Implementation Process (PECB IMS2 aligned with ISO/IEC 27001 & ISO/IEC 42001)
Phase 1 — Define & Establish

Objective: Provide a framework, gain buy-in, define the scope, establish integrated governance, and lay the groundwork for risk management and documentation.

Activities:

  1. Leadership & approval: sponsor, project governance, objectives, milestones.
  2. Roles & responsibilities: RACI (ISMS Owner, AIMS Owner, Risk, DPO, Security, Operations, Product/AI).
  3. Context & stakeholders: customer expectations, regulators, suppliers, risks.
  4. ISMS/AIMS scopes: entities, products, environments, data, suppliers.
  5. Analysis of the current state: security, AI, operations, SDLC/MLOps, documentation.
  6. Policies: information security policy + AI policy.
  7. Risk management: IS risk methodology + AI risk methodology, integration, and acceptance criteria.
  8. Statements of Applicability: ISO 27001 SoA (v1) + ISO/IEC 42001 SoA (v1).


Phase 1 Deliverables


  • Project Charter + Governance + Integrated RACI
  • ISMS/AIMS Scopes
  • Initial IS Risk Register (v1) + Treatment Plan (v1)
  • AI risk methodology + AI risk register (v1)
  • AI register (v1) + initial mapping (flows, suppliers)
  • Security policy (v1) + AI policy (v1)
  • ISO 27001 SoA (v1) + ISO/IEC 42001 SoA (v1)
  • Project plan + evidence plan (structure)
Phase 2 — Implement & Operate

Objective: Deploy shared controls, formalize procedures, launch operations, and collect evidence.

Activities:

  1. Selection & design of measures: ISO 27001 controls, AIMS measures, supplier requirements, validation criteria, monitoring, logs.
  2. Implementation of measures: procedures + minimal tooling (templates, workflows, tickets, logs).
  3. Management of documented information: document repository, versions, evidence.
  4. Communication: usage rules (security + AI), committees, decision-making processes.
  5. Skills & awareness: training (executives, product/AI, ops, security, compliance).
  6. Operations management: security operations (vulnerabilities/incidents/changes) + AI operations (monitoring, AI incidents, deviations, decommissioning).

Phase 2 Deliverables

  • AI registry (v2) + use case sheets + flow/supplier maps
  • IT risk register (v2) + treatment plan + evidence of implementation
  • AI risk register (v2) + mitigation measures + evidence
  • Integrated procedures: IAM/access, encryption, logs, vulnerabilities, SDLC, third parties/supply chain, incident management, change management
  • AI procedures: validation/release, monitoring, AI incidents, model changes, decommissioning
  • Evidence catalog + record templates (reviews, validations, logs)
  • KPI/OKR matrix + dashboard structure
  • Training plan + materials + certificates
Phase 3 — Monitor & Review

Objective: Demonstrate that the ISMS/AIMS is operational and effectively managed, through a combined internal audit and an integrated management review.

Activities:

  1. Monitoring, measurement, analysis, and evaluation: security KPIs + AI KPIs, periodic reviews.
  2. Combined internal audit (ISO/IEC 27001 + ISO/IEC 42001): plan, checklists, interviews, findings.
  3. Management review: decisions, trade-offs, resources, improvement plan.


Phase 3 Deliverables


  • Combined internal audit plan + internal audit report
  • Management review minutes + decisions + action plan
  • Update of SoA (27001/42001), risks (IS/AI), AI register, evidence
Phase 4 — Maintain & Improve

Objective: Address non-conformities, stabilize the system, and finalize preparations for the certification audit.

Activities:

  1. Handling non-conformities: corrective actions, verification of effectiveness.
  2. Continuous improvement: optimization of controls, maturity, automation, sustainability.


Phase 4 Deliverables


  • Non-conformity log + corrective actions + closure evidence
  • “Certification Readiness” package: final evidence file + audit transition plan + checklist (27001 + 42001)
4) AI Act component (integrated as work progresses)
4.1 AI Act Workshops
  • Inventory of relevant AI systems (aligned with the AI registry).
  • Classification (relevant categories based on use cases).
  • Mapping of obligations (by system) and responsibilities.
  • Alignment of AI Act evidence with ISO 27001/42001 controls and documentation.
4.2 AI Act Deliverables
  • Classification Matrix & Requirements
  • Compliance Roadmap (quick wins / structural initiatives)
  • Structure of the compliance dossier + list of supporting documents to be compiled
  • Contractual recommendations (AI providers / subcontractors) as needed
5) Project Organization
Workshops (typical)
  • Kick-off + Scope Definition for ISMS/AIMS
  • IT risk workshops + ISO 27001 SoA
  • AI registry workshops + AI risk workshops + ISO 42001 SoA
  • Integrated controls workshops (SDLC, IAM, logs, vulnerabilities, third parties)
  • AI operations workshops (monitoring, AI incidents, changes, decommissioning)
  • AI Act workshop: classification & obligations
  • Combined internal audit + management review + readiness
Client-side roles (minimum)
  • Sponsor (management)
  • ISMS Lead (owner)
  • AIMS Lead (owner)
  • Product/AI Lead (CTO/Head of AI or equivalent)
  • Risk/Compliance Lead and/or DPO
  • Security Lead (CISO) and operations managers
6) Duration (to be adjusted based on the scope)
  • Standard: 10 to 16 weeks, depending on existing maturity, the number of teams, and the scope of AI use cases.
  • Extended: 16+ weeks for projects involving multiple subsidiaries, multiple products, a broad scope, or critical AI applications.
7) What drives value (certification + compliance)
  • Accelerated sales to large accounts: increased trust, fewer audits and questionnaires, better compliance with security and AI requirements.
  • Reduced overall risk: IT and AI managed under a single framework, traceable decisions, and implemented controls.
  • Efficiency: shared controls, a single evidence plan, and combined internal audits → reduced cost of compliance.
  • AI Act-ready: classification, obligations, compliance documentation, and evidence aligned with ISO 27001/42001.
8) Options
  • “Architecture & Security” package: architecture review, hardening, operational requirements, microservices.
  • “Penetration Testing & Remediation” package: application/API penetration testing + remediation plan + evidence.
  • “AI Vendors” package: due diligence, contractual clauses, third-party monitoring.
  • “Pre-Mock Audit” package: 27001/42001 certification audit simulation (Stage 1/2).
  • “Scale” package: extension of the ISMS/AIMS to other products/use cases/subsidiaries.