Toolkit 4 - Unified ISO 27001 & ISO 42001 Policy System

A complete integrated policy suite designed to support both ISO 27001 and ISO 42001 in one governance spine. Replace duplicated or conflicting documents with a single coherent set of policies that map cleanly to both standards.

Seven ready-to-use policy templates plus implementation guidance - written once for both standards to improve auditability, simplify evidence gathering, and reduce long-term maintenance.

Designed for organisations extending an existing ISO 27001 ISMS into AI management.

Build Once. Comply Twice.™ - one policy framework, two standards, no duplication.

Illustrative output view of the toolkit (image).

Available now

Instant digital download
13 artefacts. No subscription. One-off purchase.
£699 inc. VAT

  • Secure checkout via Lemon Squeezy
  • Instant delivery to your email
  • 7-day refund policy
  • Your governance data stays with you

Outputs may be shared with auditors, customers, regulators, and advisers for assurance. Decision support only - not certification or legal advice.


After implementing this toolkit you will have

  • A single policy framework that satisfies both ISO 27001 and ISO/IEC 42001 - without running two separate policy sets
  • Consistent policy-to-control alignment that supports Toolkit 2 control mappings and your audit narrative
  • Audit-ready evidence: approval records, communication logs, review cadence, and exception handling processes
  • Safe customisation - the Master Guide tells you what you can change without breaking alignment to the standards

Designed for

  • ISO 27001 certified or aligned organisations extending into AI management
  • Governance, risk, InfoSec, internal audit, data, and AI leads
  • Teams under audit or customer pressure to demonstrate formal governance
  • Organisations who want policy coverage without policy bloat

What this replaces

Most ISO 27001-aligned organisations have an established policy set. When AI governance requirements arrive, the default response is to write new AI-specific policies alongside the existing ones.

The result is duplication: two risk policies, two supplier policies, two governance frameworks - each pulling in a slightly different direction, each requiring separate review and approval cycles.

This toolkit replaces that with a unified suite written to satisfy both standards in one document per policy area - with clear control references and implementation notes so you do not have to reverse-engineer alignment yourself.

Specifically, it eliminates:

  • Duplicated or conflicting policy documents across ISMS and AIMS
  • Inconsistent policy wording that creates gaps in audit narratives
  • Separate review and approval overhead for security and AI policies
  • Time spent writing policies from scratch and mapping them to standards

It is not a certification scheme and does not guarantee certification outcomes. It supports practical governance and audit-ready evidence.

How it works

Recommended implementation sequence

  1. Read the Master Implementation Guide and Start Here document
  2. Review your existing policies against the unified templates
  3. Adopt or adapt each template, working through the sequence below
  4. Get each policy approved and record the approval date in the Version Control Sheet
  5. Communicate policies to relevant staff and record distribution
  6. Schedule annual review dates in the Version Control Sheet

Policy implementation sequence

  1. Unified Governance Policy - establish decision rights and accountability first
  2. Unified Risk Management Policy - align risk methodology across security and AI
  3. Unified Change Management Policy - control changes to systems, models, and processes
  4. Unified Supplier Management Policy - embed AI assurance into supplier governance
  5. Unified Information Classification Policy - extend classification to cover AI data use
  6. AI Management & Lifecycle Policy - formalise AI system governance from design to retirement
  7. AI Ethics & Responsible AI Policy - set principles and accountability for responsible use

The Master Guide explains how the policies fit together, how to customise safely without breaking alignment, and what evidence to retain for each policy area.

Everything included - 13 files

A lean unified policy baseline written once for both standards. File formats follow the go-live delivery manifest.

  1. Toolkit 4 Start Here PDF
    Orientation, pack contents, implementation sequence and connection to the wider governance spine.
  2. Master Implementation Guide PDF
    Read-only guide for implementing, adapting and governing the policy system.
  3. Build Once. Comply Twice. Notes PDF
    Reference notes explaining the integrated policy approach.
  4. Toolkit 4 Auditor Orientation Sheet PDF
    Read-only briefing for auditors and assurance stakeholders.
  5. Licensing Terms PDF
    Read-only licence and permitted-use reference.
  6. Unified Governance Policy DOCX
    Editable policy for integrated governance ownership, decision rights and oversight.
  7. Unified Risk Management Policy DOCX
    Editable policy for one risk method across information security and AI governance.
  8. Unified Change Management Policy DOCX
    Editable policy for change control across security and AI lifecycle governance.
  9. Unified Supplier Management Policy DOCX
    Editable policy for supplier assurance and third-party AI governance.
  10. Unified Information Classification Policy DOCX
    Editable policy for classification, handling and information protection.
  11. AI Management and Lifecycle Policy DOCX
    Editable AI management and lifecycle policy aligned to operational controls.
  12. AI Ethics and Responsible AI Policy DOCX
    Editable policy for responsible AI rules, approval gates and exceptions.
  13. Version Control Sheet XLSX
    Workbook for policy version tracking, review cadence and ownership.

Outputs and evidence you can generate

  • A single policy framework aligned to both ISO 27001 and ISO/IEC 42001
  • Policy approval records with named approvers and dates
  • Version history and review cadence evidence for each policy
  • Staff communication and distribution records
  • Exception handling logs where policy deviations are approved
  • A clean audit narrative: one policy set, two standards, consistent control alignment throughout

Where it fits in the system

Toolkit 4 is your governance backbone. Once your policy set is unified, risk management (Toolkit 5), inventory and lifecycle controls (Toolkit 6), and audits all become easier to implement and explain.

It sits downstream of Toolkit 2 (ISO 27001 & ISO 42001 Integration Engine), which defines the reuse / extend / new control logic that these policies implement. If you have Toolkit 2, the Build Once. Comply Twice. Notes in this toolkit connect directly to your control mapping outputs.

Licence summary (plain English)

  • Licensed to a single legal entity (the purchasing organisation)
  • Authorised users include employees and individual contractors acting on your behalf
  • Outputs (completed, approved policies) may be shared with auditors, customers, regulators, and advisers for assurance
  • Toolkit template files may not be shared, resold, or reused as a commercial method across other organisations
  • Customisation for your own internal use is permitted
  • Modification for commercial reuse or redistribution requires written permission from AIBI Systems

When this is not for you

  • You want generic policy statements without ISO alignment logic or implementation guidance
  • You are not willing to own, review, and maintain policies - policies require ownership and a review cadence to be effective
  • You need legally drafted documents - these templates are governance policies, not legal advice, and may require review by counsel depending on your context
  • You want certification guarantees rather than alignment artefacts

Procurement justification

This purchase supports consolidation and rationalisation of overlapping information security and AI governance policy requirements.

The toolkit provides reusable unified policy structures intended to reduce duplicated policy drafting, simplify maintenance and support consistent governance documentation across ISO 27001 and ISO/IEC 42001 aligned programmes.

The materials can be adapted internally by information security, AI governance, policy, risk, compliance and internal audit teams to create a leaner policy baseline and clearer ownership model.

This is a one-off digital toolkit purchase. The supplier does not require access to our existing policies, AI systems, internal controls, source code, confidential data, customer data, production environments, internal systems, risk registers or completed governance evidence to fulfil this purchase.

The purchase is proportionate because it reduces policy sprawl and helps our organisation avoid maintaining separate security and AI policy sets where a unified approach is more efficient.

Designed for internal approval and governance workflows.

Frequently asked questions

Do these policies replace our current policies?

They can replace or rationalise them. Most organisations adopt them as the single policy set covering both standards and retire the separate documents they were maintaining previously.

Are the policies mapped to ISO 27001 and ISO/IEC 42001?

Yes. Each policy is designed to satisfy requirements across both standards. The Build Once. Comply Twice. Notes document shows the specific control and clause references for each policy.

Can we customise the policies?

Yes. The Master Implementation Guide provides safe customisation rules so you can adapt content to your organisation without breaking alignment to the standards.

Will auditors accept unified policies?

Unified policies can support audit review where they are properly scoped, approved, implemented, evidenced and mapped to the relevant requirements. The Auditor Orientation Sheet helps explain the structure and mapping logic.

Do we need Toolkit 2 first?

Toolkit 2 strengthens the control mapping logic that these policies implement, but Toolkit 4 can be used independently. If you have Toolkit 2, the integration notes in this pack connect directly to your control mapping outputs.

Is this a certification scheme?

No. It supports ISO 27001 and ISO/IEC 42001 alignment and produces audit-ready artefacts, but it does not constitute certification or guarantee certification outcomes.

How does payment work and who processes it?

Payment is processed securely by Lemon Squeezy, who act as merchant of record for AIBI Systems. Your payment, VAT collection, and any post-sale compliance are handled directly by Lemon Squeezy. Your download link is delivered to your email immediately after payment. All prices shown are inclusive of VAT.

Do I have to upload my governance data to AIBI Systems?

No. The paid toolkits are downloadable files that you use inside your own organisation. When you use them internally, AIBI Systems does not host, access, process or monitor your completed AI inventories, risk registers, assessments, policies or evidence records. Your governance evidence remains under your control.

Is AIBI a GRC platform?

No. AIBI is a practical toolkit and implementation system. It helps you structure AI governance and evidence, and align ISO 27001 with ISO/IEC 42001, without requiring a new platform.

Can I use AIBI with our existing systems?

Yes. The toolkits can be used to support or inform your existing ISMS, SharePoint library, Microsoft 365 environment, GRC platform, audit evidence folder or internal governance process. There is no requirement to migrate your controls, risks or documents into a new system.

Does AIBI replace consultants or auditors?

No. AIBI provides structured implementation materials. You can use them independently, with your internal team, with a consultant, or as preparation for audit and assurance conversations.

Better value: ISO 27001 & ISO 42001 Dual Engine

Pair the unified policy baseline with the integration engine so policies, controls, and evidence stay aligned across ISO 27001 and ISO/IEC 42001.

Bundle price: £1,395 inc. VAT (£1,694 inc. VAT if purchased individually; save £299).

Or get Toolkit 1 through Toolkit 6 in the Complete System Bundle.
