Toolkit 2 - ISO 27001 & ISO 42001 Integration Engine

Stop building two governance systems. Extend the ISMS you already have into an integrated ISO 27001 and ISO/IEC 42001 operating model - one control set, one evidence spine, one audit narrative.

Build Once. Comply Twice.™ The REN methodology (Reuse / Extend / New) tells you exactly which existing controls already satisfy ISO/IEC 42001, which need AI-specific extension, and what is genuinely new. Every decision is documented, owned and audit-ready.

12 artefacts. Full integration workbook. Worked example. Auditor orientation. Evidence pack starter. Optional supplier assurance and CSA modules. This is a complete implementation system, not a template.


Available now

Instant digital download
12 artefacts. No subscription. One-off purchase.
£995 inc. VAT

  • Secure checkout via Lemon Squeezy
  • Instant delivery to your email
  • 7-day refund policy
  • Your governance data stays with you

Outputs may be shared with auditors, customers, regulators, and advisers for assurance.


After using this toolkit you will have

  • A control-by-control REN decision map across the full ISO 27001 Annex A control set
  • A unified Statement of Applicability covering both standards in one working view
  • A single evidence spine with stable IDs, owners, frequency, and audit notes
  • A register of genuinely new AIMS obligations with ownership, priority and lifecycle touchpoints
  • Stakeholder-ready export outputs for management, auditors, and assurance reviewers
  • An auditor orientation document ready to share before any review or certification conversation

Designed for

  • ISMS leads and information security managers extending into AI governance
  • GRC, compliance, and internal audit teams
  • Organisations preparing for ISO/IEC 42001 certification or assurance readiness
  • Risk and governance leads who need a defensible integrated control narrative
  • Teams that want to avoid building a second parallel management system from scratch

The REN Methodology

Every control in the ISO 27001 Annex A set is assessed against one of three positions. This gives you a structured, defensible integration decision for every control without guesswork.

Reuse

An existing ISMS control already satisfies the ISO/IEC 42001 expectation with no AI-specific change needed. Keep the artefact. Link it to the evidence spine. Explain why it is sufficient.

Extend

An ISO 27001 anchor exists but needs AI-specific scope: supplier assurance, model monitoring, incident categories, transparency records or lifecycle evidence. Extend the control rather than duplicating it.

New

ISO/IEC 42001 introduces a genuine AI governance obligation with no sufficient ISO 27001 anchor. Record it separately. Assign it an owner, priority, lifecycle touchpoint and evidence expectation.

Sample output preview (sanitised)

See the structure and language of the workbook outputs before you buy. No workbook content, REN logic, or implementation mechanics are included.

The sample pack includes:

  • Unified SoA extract - illustrative REN classifications, applicability, evidence pointers and owners
  • REN Classification Summary extract - integration notes and audit impact prompts
  • Evidence Spine extract - stable IDs, dual-standard coverage and ownership
  • Executive Export format - the one-page management summary output

Everything included - 12 files

This is a complete implementation system. Core files, supporting guides, worked examples, and optional modules for supplier assurance and CSA alignment. File formats follow the go-live delivery manifest.

Core files

  1. Start Here - Toolkit 2 PDF
    Overview guide explaining the toolkit structure, file sequence and recommended implementation approach.
  2. Product Master Guide - Toolkit 2 PDF
    Full customer guide covering the workbook, REN methodology, working sheets, exports and implementation phasing.
  3. Quickstart - 60 Minutes - Toolkit 2 PDF
    Timed fast-start guide for completing the first working session and initial scoping pass.
  4. Auditor Orientation Sheet - Toolkit 2 PDF
    Concise briefing for auditors, assurance reviewers and governance stakeholders.
  5. Toolkit 2 Integration Engine XLSX
    Main workbook for unified SoA, AIMS new controls, evidence spine, performance evaluation, documentation library and RACI.
  6. Evidence Index Starter XLSX
    Starter workbook for organising, indexing and presenting audit and assurance evidence packs.
  7. Evidence Library Structure PDF
    Recommended evidence library and folder structure for integrated ISO 27001 and ISO/IEC 42001 documentation.

Worked examples

  1. Worked Example - 3 Controls PDF
    Focused example showing how Reuse, Extend and New decisions apply to selected controls.

Optional modules - supplier assurance and CSA alignment

  1. Optional Supplier AI Assurance Decision Tree PDF
    Decision-support guide for assessing whether supplier AI governance meets assurance expectations.
  2. Optional Supplier AI Assurance Email Templates DOCX
    Editable email templates for supplier AI assurance requests, information gathering and follow-up.
  3. Optional CSA Reference Bridge PDF
    Reference guide explaining the CSA bridge structure and how it aligns with the integration engine.
  4. Optional CSA Bridge Templates XLSX
    Workbook templates supporting CSA-aligned mapping and assurance activities.

What this toolkit is - and is not

  • Is: a complete operational integration system built for real governance, real audits, and real evidence
  • Is: designed to work alongside your existing ISMS tools, SharePoint, Microsoft 365 or GRC platform - no migration needed
  • Is: suitable for both certified ISO 27001 organisations and those operating aligned controls
  • Is not: a policy pack, academic crosswalk, or generic ISO explainer
  • Is not: a parallel AI governance framework that runs alongside your ISMS
  • Is not: certification, legal advice or external assurance

Procurement justification

This purchase supports alignment between existing ISO 27001 governance structures and ISO/IEC 42001 AI governance expectations.

The toolkit provides integrated control mappings, reuse/extend/new implementation logic, evidence-spine structures and auditor-orientation materials intended to reduce duplication between information security management and AI governance activity.

The materials can be reviewed and adapted internally by information security, GRC, AI governance, risk, compliance and internal audit teams to identify where existing ISMS controls can be reused, where controls require extension, and where new AI-specific governance is required.

This is a one-off digital toolkit purchase. The supplier does not require access to our existing ISMS evidence, audit records, AI systems, datasets, prompts, models, customer records, source code, production environments, internal systems, risk registers or completed evidence to fulfil this purchase.

The purchase is proportionate because it supports the "Build Once. Comply Twice." approach and can reduce the cost, time and inconsistency associated with maintaining separate ISO 27001 and ISO/IEC 42001 governance structures.

Designed for internal approval and assurance-led procurement.

Frequently asked questions

Do I need to be ISO 27001 certified to use this?

No. The toolkit is suitable for organisations operating ISO 27001-aligned controls, whether certified or not. If you have an ISMS in place or in progress, this toolkit can extend it.

Does this replace ISO 27001?

No. It extends and integrates ISO 27001 to support ISO/IEC 42001 without creating a parallel system. The goal is one management system, not two.

How long does implementation take?

The 60-minute quickstart guide gets you through the first working session. Full implementation depends on your organisation's scope and maturity - most teams work through the core integration over a series of structured sessions. The phased implementation guide in the Product Master Guide explains a seven-phase approach.

Will this help with audits?

Yes. The toolkit is explicitly designed to support clean audit narratives and efficient evidence review. The Auditor Orientation Sheet is included specifically to reduce audit friction and briefing time.

Is this overkill for smaller organisations?

No. The REN methodology is proportional by design - you reuse existing controls where they already work, and only create new obligations where ISO/IEC 42001 genuinely requires them. Smaller organisations typically have a higher Reuse ratio, which means less new work.

What is the worked example and how do I use it?

The Meridian HR Solutions worked example is a fully populated fictional implementation for a 60-staff SaaS organisation with three supplier AI platforms. Open it alongside the blank workbook to see how REN decisions are made and documented in practice before editing at scale.

Do I need the optional modules?

Only if they are relevant to your scope. Use the supplier assurance module if you rely on third-party AI platforms. Use the CSA bridge if CSA alignment is part of your governance requirements. They are included at no extra cost.

How does payment work and who processes it?

Payment is processed securely by Lemon Squeezy, who act as merchant of record for AIBI Systems. Your payment, VAT collection, and any post-sale compliance are handled directly by Lemon Squeezy. Your download link is delivered to your email immediately after payment. All prices shown are inclusive of VAT.

Do I have to upload my governance data to AIBI Systems?

No. The toolkit is a downloadable file you use inside your own organisation. AIBI Systems does not host, access, process or monitor your completed working sheets, evidence records, or governance outputs. Your data stays with you.

Can I use this with our existing tools?

Yes. The workbook runs in desktop Microsoft Excel and works alongside SharePoint, Microsoft 365, your existing ISMS evidence folders, GRC platforms, and internal governance processes. There is no requirement to move your controls or evidence into a new system.

Does AIBI replace consultants or auditors?

No. AIBI provides structured implementation materials. You can use them independently, with your internal team, with a consultant, or as preparation for audit and assurance conversations.

Better value: ISO 27001 & ISO 42001 Dual Engine

Pair the integration engine with the unified policy system so control coverage and policy evidence move together.

£1,395 inc. VAT bundle price. £1,694 inc. VAT individually. Save £299.

Or get Toolkit 1 through Toolkit 6 in the Complete System Bundle.

One control framework. One evidence spine. One audit narrative. 12 artefacts. One-off purchase.