GRC and InfoSec
- Use your existing ISMS as the base.
- Connect AI requirements to one control estate.
- Keep AI and security risk comparable.
- Instant indexed PDF eBook download
- Secure checkout via Lemon Squeezy
- 7-day refund policy
- No access restrictions. Use across your internal team.
- Written for audit-oriented implementation work
Most organisations responding to ISO/IEC 42001 build a second governance layer alongside their ISMS. Doubled overhead, fragmented evidence, a structure that fails under audit. This book gives you the integrated operating model that extends what you already have.
Instant PDF download. No app, no account, no wait. Open it in any PDF reader on any device.
The PDF and paperback include a complete back-of-book index. The Kindle format does not - making it the weakest option for reference work.
Appendix templates designed to be printed and used alongside live implementation work. Two bonus tools included.
The instinct
When ISO/IEC 42001 lands on the roadmap, the default response is to build AI governance alongside the ISMS. A second register. A new policy set. A parallel committee. A separate evidence approach. It looks thorough. It is not defensible.
The cost
Parallel governance structures fragment ownership, create evidence gaps, and produce two audit trails that contradict each other. When an auditor asks who owns a decision, neither structure gives a clean answer. The result is doubled overhead and a system that fails exactly when you need it to hold.
The integrated path
Reuse your ISMS spine. Extend only where AI creates a genuine new governance need. Produce one evidence trail, one risk register, one ownership model. Build Once. Comply Twice. That is what this book teaches.
| Day | Action | Output you should hold |
|---|---|---|
| 1 | Name the proof-slice AI systems and assign one named AI Owner. | Proof-slice list; AI Owner assignment log. |
| 2 | Create or update the AI Inventory entries. | AI system ID, status, supplier indicator, approved-use statement. |
| 3-4 | Write approved-use and prohibited-use boundaries. | Approved use; prohibited use; reassessment triggers. |
| 5-7 | Run AISIA triage or full AISIA. | AISIA record with tier rationale and approval path. |
| 8-9 | Record the material decision. | Decision Log entry with trigger, authority and evidence links. |
First 30 days action sequence for integrated AI governance
Your first 30 days. One AI system. Fully governed.
A day-by-day action sequence to implement one governed AI system from scope to evidence - with built-in stop rules so you know when to pause before scaling. The goal is not a populated register. It is one AI system traceable from scope to evidence that you can put in front of an auditor.
| Case / Source | What happened |
|---|---|
| Moffatt v Air Canada 2024 BCCRT 149 | A website chatbot gave wrong bereavement-fare information. |
| EEOC v iTutorGroup 2023 settlement | Hiring software automatically rejected applicants because of age. |
| FTC v Rite Aid 2023 order | AI facial recognition used for surveillance without reasonable safeguards. |
| FTC v IntelliVision 2025 final order | Unsupported claims about facial-recognition accuracy and bias. |
External pressure mapped to the Build Once. Comply Twice. control spine
Real enforcement cases. Mapped to your controls.
The cases exist. The patterns are clear. This sheet maps real AI enforcement actions and regulatory pressure points to the controls in this book. When a sponsor or committee asks what failure your governance is preventing, this gives you a specific, evidenced answer - not a general one.
Three formats. One clear winner for implementation work.
| Feature | Direct eBook (£17.99, best value) | Amazon Kindle (see Amazon) | Amazon Paperback (see Amazon) |
|---|---|---|---|
| Full back-of-book index | ✓ | – | ✓ |
| No dedicated reader app required | ✓ | – | ✓ |
| 30-Day Implementation Quick-Start Card | ✓ | – | – |
| Regulatory & Enforcement Reference Sheet | ✓ | – | – |
| Instant digital access | ✓ | ✓ | – |
| Searchable and device-portable | ✓ | ✓ | – |
A desk reference without an index means navigating by memory. The PDF edition includes a complete back-of-book index - every key term, control, artefact and concept indexed to the page. If you use this book in live implementation or audit work, you will use the index constantly. The Kindle format does not include it - a significant omission for a reference book. If you read on screen, the PDF is the only digital format with a proper index.
Open it alongside a live document without switching apps or reader software. Print the appendix templates and use them at your desk. Annotate your copy. Share a single page with a colleague. Drop it in a shared drive for the team. No ecosystem lock-in, no device restriction, no account required to access your own purchase. For a book designed to sit beside real implementation work, that matters.
The book gives you one route of record for integrated AI governance: scope, ownership, AISIA, Model Card, Unified Risk Register, Evidence Index and supplier assurance.
The integrated operating spine
Use the book when you need decisions, owners and evidence to hold under real operational pressure.
Twelve chapters, worked examples, appendix templates, glossary and references. Use it end-to-end the first time. Use it selectively when a live question needs an answer. Every chapter closes with a concrete output list and named evidence artefacts - so you always know what to retain.
| Section | Title | What it covers |
|---|---|---|
| Introduction | The integrated operating model | The route before the detail starts. |
| Chapter 1 | The Duplication Trap | Why bolt-on AI governance fails and what it costs. |
| Chapter 2 | What ISO/IEC 42001 Is Really Asking For | Translate management-system requirements into live controls. |
| Chapter 3 | AI System Scope | Inclusion logic for embedded, supplier and borderline AI systems. |
| Chapter 4 | AISIA - Proportionate Impact Assessment | Tiering, approval, conditions and reassessment triggers. |
| Chapter 5 | Governance Authority and Escalation | AI Owners, Decision Log, escalation route and committee boundary. |
| Chapter 6 | Reuse. Extend. New. | A classification method for integrating ISO/IEC 27001 and ISO/IEC 42001. |
| Chapter 7 | The Unified Evidence Spine and Retrieval | Evidence Index, Unified Evidence Library and retrieval testing. |
| Chapter 8 | Unified AI & Security Risk System | One register for material AI and security risk treatment. |
| Chapter 9 | Model Cards and Transparency in Practice | Approved use, prohibited use, limitations and live evidence links. |
| Chapter 10 | Responsible Use and Ethics Gates | Gate decisions that approve, condition, defer, reject or retire use. |
| Chapter 11 | Supplier AI and Embedded AI Assurance | Supplier opacity, renewal, embedded features and change triggers. |
| Chapter 12 | Implementation Roadmap | Proof slice, phase model, stop rules and scale decision. |
| Closing Note | What This Changes in Practice | The practical shift the integrated model creates under real operating pressure. |
| Appendix | Worked Examples and Templates | Evidence patterns, completed artefact templates and gap-logging structures for live use. |
| Glossary | Terminology Reference | Locked term definitions to prevent synonym drift across the operating model. |
Free preview
The free preview includes the Preface and Chapter 1 - The Duplication Trap. Enough to know whether the book is written at the right level for your work, and whether the integrated operating model is what you need.
PDF - no email required
Raf Rafaqut is an ISO/IEC 42001 Lead Auditor with an MSc in Data Analytics and an AI Programme background from Saïd Business School, University of Oxford. He writes for practitioners who need governance to work under audit pressure, not just on paper.
The book comes from the position of someone who has had to make the ISMS spine work in practice - with real ownership questions, imperfect evidence, and an auditor in the room.
This purchase supports internal understanding of practical AI governance implementation approaches, including alignment between information security governance and ISO/IEC 42001-related AI governance expectations.
The eBook provides implementation-oriented guidance for governance planning, programme development, control reuse, evidence design and internal awareness activity.
The material can be reviewed and used internally by governance, information security, AI, risk, compliance, data and internal audit teams to support a shared understanding of the Build Once. Comply Twice. approach.
This is a one-off digital PDF eBook purchase. The direct purchase includes the indexed PDF eBook, the Implementation Quick-Start Card (PDF) and the Regulatory & Enforcement Reference Sheet (PDF), delivered through the checkout provider. The supplier does not require access to our AI systems, production environments, confidential data, customer data, source code, or internal systems to fulfil this purchase.
The purchase is proportionate because it provides a low-cost desk reference and implementation guide that can support internal planning before, alongside or after purchase of the practical toolkit materials.
For internal approval and procurement conversations.
The direct purchase includes the indexed PDF eBook plus two bonus tools: the Implementation Quick-Start Card and the Regulatory & Enforcement Reference Sheet.
The direct eBook bundle is £17.99. The price is shown plainly because this is a professional B2B purchase, not a discount-led consumer offer.
Yes. The book is built around ISO/IEC 42001 management-system requirements and their integration with ISO/IEC 27001. It is not a certification guide and does not guarantee certification outcomes.
No. The book and bonus materials are informational resources. You remain responsible for applying them in your context and for taking competent professional advice where required.
The primary reader is an implementer: GRC, InfoSec, AI governance, internal audit, risk and control leads. It also supports executive sponsors, Technology and Risk Committee members and supplier assurance teams.
The Kindle and paperback formats are available through Amazon. The direct-purchase bonus pack is positioned as the stronger value route for buyers who want the eBook and implementation resources together.
If you are scoping an AI governance programme, preparing for ISO/IEC 42001 readiness, or explaining to an audit committee why your existing controls are sufficient - this is the book to have before that conversation. One operating model. One evidence spine. Both standards.