ISO 27001 and AI Tools: Which Controls Apply and What Auditors Look For in 2026
Sonomos Research
The Sonomos research team writes about AI privacy, data protection, and how to use generative AI safely at work.
ISO 27001 is the international standard for information security management systems (ISMS). It does not mention ChatGPT, Claude, or Gemini — it was not written for them. But its controls, particularly those governing supplier relationships, information classification, access control, and risk assessment, apply to AI tools used in certified or certification-seeking organizations. The 2022 revision (ISO/IEC 27001:2022) strengthened several controls most relevant to AI, including supplier service management, threat intelligence, and information deletion. This guide maps the ISO 27001:2022 controls that AI tools implicate most directly, explains what auditors look for, and outlines the evidence an organization needs to maintain certification while using AI tools productively.
ISO 27001:2022: what changed that affects AI
ISO 27001:2022 (replacing the 2013 version) introduced 11 new controls and reorganized Annex A into four themes. The new controls most relevant to AI tool use:
5.23 — Information security for use of cloud services. Explicitly addresses cloud service selection, use, management, and exit. AI tools are cloud services. This control requires organizations to establish a policy for cloud service use, assess cloud service providers' security controls, and define security requirements for cloud services handling the organization's information.
5.30 — ICT readiness for business continuity. Addresses resilience of ICT systems. If AI tools are integrated into critical workflows (clinical documentation, financial analysis, customer support), their unavailability is a resilience concern.
8.10 — Information deletion. Requires that information stored in systems be deleted when no longer required. For AI tools that retain conversation history, this control requires the organization to confirm deletion is possible and that retention periods are defined.
8.11 — Data masking. Requires data masking (including pseudonymization) where appropriate based on risk. For AI workflows that process personal data, data masking or local-first redaction before submission is a concrete implementation of this control.
8.12 — Data leakage prevention. Requires DLP measures applied to networks, systems, and devices. AI tool traffic is a data exfiltration vector; DLP policies extended to AI endpoints are a direct implementation.
The Annex A controls that AI tools implicate
5.19–5.22: Supplier management
ISO 27001:2022 has four supplier-related controls:
- 5.19 — Information security in supplier relationships: Policies for managing information security risks from supplier relationships.
- 5.20 — Addressing information security within supplier agreements: Security requirements in supplier contracts.
- 5.21 — Managing information security in the ICT supply chain: Security requirements for ICT supply chain suppliers.
- 5.22 — Monitoring, review and change management of supplier services: Ongoing monitoring of supplier service delivery.
AI tools are suppliers. Before using an AI tool that processes organizational information, ISO 27001 requires:
- A supplier security assessment — evaluate the AI vendor's security posture (using their SOC 2 report, ISO 27001 certificate, or security questionnaire).
- Contractual requirements — a Data Processing Agreement or equivalent that specifies security requirements, incident notification obligations, and data handling restrictions.
- Ongoing monitoring — periodic review of the vendor's security posture (typically at contract renewal or annually).
For most major AI vendors (OpenAI Enterprise, Anthropic, Google Cloud, Microsoft Azure), SOC 2 Type II reports and ISO 27001 certificates are available. For smaller AI tool vendors, security questionnaires or independent assessments may be required.
5.12–5.13: Information classification and labeling
ISO 27001 requires organizations to classify information and apply handling requirements based on classification. For AI tool use:
- Confidential or restricted information should not be submitted to AI tools on consumer accounts without contractual protections.
- The organization's classification policy should be updated to specify which AI tools are appropriate for each classification level.
- Practical implementation: "Confidential" and above → enterprise AI tools only; "Internal" → enterprise preferred, consumer permissible with training opt-out; "Public" → any tool.
8.2: Privileged access rights
AI tools that have privileged access to organizational systems (e.g., AI coding assistants with codebase access, AI agents integrated with ERP systems) should be managed under access control policies. Privileged access rights should be allocated on a need-to-use basis and time-limited where possible.
6.3: Information security awareness, education and training
ISO 27001 requires workforce training on information security. Add AI-specific modules covering:
- Classification of information before AI submission.
- Approved AI tools and the accounts that are approved.
- What to do if confidential information is accidentally submitted to an AI tool.
- Incident reporting procedure.
8.15–8.16: Logging and monitoring
Audit logging requirements under ISO 27001 apply to systems processing organizational information. Enterprise AI tools typically provide interaction logs; configure log retention and review cadence in your ISMS documentation.
The risk assessment requirement
ISO 27001 Clause 6.1 requires organizations to identify information security risks and assess their likelihood and impact. AI tools introduce specific risks that should be included in the risk assessment:
| Risk | Likelihood | Impact |
| --- | --- | --- |
| Employee submits confidential data to consumer AI tool | High (without controls) | High (confidentiality breach, regulatory exposure) |
| AI vendor suffers breach exposing customer prompts | Low (major vendors have strong controls) | High |
| AI-generated output contains inaccurate information acted upon | Medium | Medium-High depending on context |
| AI tool becomes unavailable affecting dependent workflows | Medium | Medium (depends on workflow criticality) |
| Prompt injection attack via AI-integrated system | Low-Medium | Medium |
| AI coding assistant introduces vulnerabilities in production code | Medium | High for critical systems |
For each identified risk, the ISMS must document risk treatment: accept, mitigate, transfer, or avoid. Most organizations will choose to mitigate by implementing the controls described above.
Statement of Applicability (SoA) — AI-relevant entries
The SoA documents which Annex A controls apply to the organization and whether they are implemented. For AI tool use, ensure these controls are included in the SoA with implementation status:
- 5.19 (Supplier security in relationships): Applicable — AI tool vendor assessment process.
- 5.20 (Supplier agreements): Applicable — DPA and contractual commitments for AI tools.
- 5.22 (Supplier monitoring): Applicable — annual AI vendor review.
- 5.23 (Cloud services): Applicable — AI tools are cloud services; policy and assessment documented.
- 8.10 (Information deletion): Applicable — AI tool data retention and deletion policy.
- 8.11 (Data masking): Applicable — masking/redaction before AI submission for sensitive data.
- 8.12 (Data leakage prevention): Applicable — DLP policies extended to AI endpoints.
What auditors look for in AI tool governance
ISO 27001 auditors are increasingly asking about AI tool use during certification audits. Common audit inquiries:
- "What AI tools does the organization use, and are they in the supplier inventory?"
- "How does the organization assess the security of AI tool vendors?"
- "What contractual commitments do AI tool vendors provide for data handling?"
- "What policies govern employee use of AI tools with organizational information?"
- "How does the organization prevent unauthorized disclosure of classified information to AI tools?"
- "What logging and monitoring is in place for AI tool usage?"
Organizations that cannot answer these with documented evidence — supplier register entries, DPA copies, policy documentation, training records — will receive nonconformities.
Building the ISMS AI addendum
Rather than rewriting existing ISMS documentation, most organizations add an AI-specific addendum or procedure that covers:
- AI tool inventory: List of approved AI tools, vendor details, classification level each is approved for, and DPA status.
- AI tool procurement process: How new AI tools are evaluated and approved before use.
- Acceptable use rules: Specific rules for which information can be submitted to which tools.
- Incident response: How AI-related information security incidents are reported and handled.
- Training requirements: AI-specific security awareness training cadence and records.
Link the addendum to the supplier management procedure (5.19–5.22), information classification policy (5.12–5.13), and DLP procedure (8.12).
Frequently asked questions
Do AI tool vendors need their own ISO 27001 certificate to satisfy supplier requirements?
No — ISO 27001 does not require suppliers to be ISO 27001 certified. What it requires is that the organization assess supplier security and include security requirements in supplier agreements. A SOC 2 Type II report, ISO 27001 certificate, or a detailed security questionnaire with management's risk acceptance are all acceptable approaches. Most major AI vendors (OpenAI, Anthropic, Google Cloud, Microsoft) have both SOC 2 and ISO 27001 certifications.
How does ISO 27001 interact with GDPR for AI tools?
ISO 27001 certification does not confer GDPR compliance, and GDPR compliance does not require ISO 27001 certification. But they overlap significantly in their requirements for supplier management, risk assessment, and security controls. Organizations that implement ISO 27001 controls for AI tools (DPA, vendor assessment, data minimization, access controls) are simultaneously implementing controls that satisfy GDPR Article 28 (processors), Article 32 (security), and Article 35 (DPIA) requirements for AI. See GDPR and AI: A 2026 Compliance Guide for the GDPR-specific analysis.
Does ISO 27001 require us to prohibit consumer AI tools?
No — ISO 27001 requires risk-appropriate controls, not categorical prohibition. An organization can choose to permit consumer AI tools for low-classification information while requiring enterprise tools for confidential information. The choice must be documented in the risk assessment and the acceptable use policy, with controls that enforce the classification-appropriate use.
How do we handle AI tools used by remote workers on personal devices?
Remote worker device policies should address AI tool use consistently with office policies. If personal devices are used for organizational work, the BYOD policy should specify which AI tools are approved and on which accounts. Technical controls (mobile device management, endpoint DLP, browser extension policies) should be applied to the extent the device is used for organizational work.
We are pursuing ISO 27001 certification for the first time. How do we handle AI tools in the initial implementation?
Include AI tools in the asset inventory, risk assessment, and SoA from the start. The supplier management controls are mandatory, and AI tools are suppliers. Build the AI addendum procedure as part of the initial ISMS implementation rather than retrofitting it later. Auditors will ask about AI tools; having a documented approach from day one is preferable to explaining a gap.
The bottom line
ISO 27001 certification and productive AI tool use are fully compatible — the standard does not prohibit AI tools, and AI tools used with appropriate supplier management, classification-based controls, and technical safeguards satisfy the relevant controls. The gap most organizations face in 2026 is not between the standard and AI — it is between their existing ISMS documentation (which predates widespread AI adoption) and the current state of employee AI tool use. Adding AI tools to the supplier register, executing DPAs, extending DLP to AI endpoints, and updating training is the practical remediation. Getting ahead of the auditor's questions is far easier than explaining shadow AI after a nonconformity.