February 11, 2026
Do we need an AI policy for ISO 27001?
Do you need an AI policy for ISO 27001? Not necessarily. Learn why ISO 27001 is about risk management, not documents, and how to assess AI within your ISMS properly.
It’s a question I’m hearing more and more.
And on the face of it, the answer is pretty straightforward: No.
Nowhere in ISO/IEC 27001 does it say “thou shalt have an AI policy.”
So, if that’s the question you’re asking, congratulations, you already have your answer.
But that’s where things get interesting. Because if that is the question, I’d argue you’re probably asking the wrong one.
"Now That, Detective, Is the Right Question"
There’s a moment in I, Robot where Will Smith’s character realises he’s been focusing on the wrong detail. The rules weren’t broken, the interpretation of them was. That’s exactly what’s happening with AI and ISO 27001.
ISO 27001 is deliberately technology-agnostic. It doesn’t care whether you’re using:
· AI,
· spreadsheets,
· mainframes from the 80s,
· or a bloke named Dave who “just knows where everything is”.
What it does care about is this: Do you understand the risks to your information assets, and are you managing them appropriately?
So maybe the better question isn’t “Do I need an AI policy?”
Maybe the right question is: “Do I need to assess the impact to my information assets if we use AI within the business?”
Now that, detective, is the right question.
ISO 27001 Has Always Been About Risk, Not Artefacts.
One of the most common traps with ISO 27001 is treating it as a document collection exercise.
Policies, Procedures, Registers, Templates.
They’re important, but they’re not the point. ISO 27001 requires you to:
· identify your information assets,
· assess risk to those assets,
· apply controls where they make sense,
· or accept the risk as it stands.
If AI is being used in your organisation, whether that’s:
· staff pasting data into public LLMs,
· embedded AI features in SaaS platforms,
· internal agents trained on company data,
· or automated decision-making systems
then AI isn’t “a future consideration”. It’s already in scope. And once it’s in scope, the standard is clear: you assess the risk. Clause 8.2 says as much in plain terms, requiring a risk assessment at planned intervals or when significant changes are proposed or occur, and introducing AI into how the business handles its information is exactly that kind of change.
After a proper risk assessment, you might conclude that:
· certain uses of AI are acceptable,
· certain data types must never be used with AI tools,
· logging, monitoring, or contractual controls are needed,
· or staff need clearer guidance on what’s allowed.
At that point, an AI policy might be a sensible control. But notice the order: risk first, controls second, documents last.
If you start with “we need an AI policy because auditors will ask for it”, you’ve already missed the spirit of the standard. Auditors don’t certify documents; they certify systems of management. The real risk isn’t failing an audit because you don’t have an AI policy.
The real risk is:
· AI being used informally,
· sensitive information leaving your control,
· decisions being influenced by opaque systems,
· and none of it being reflected in your risk assessment.
That’s the sort of thing auditors do care about, because it shows the ISMS isn’t keeping up with how the business actually operates.
So… Do You Need One?
If you’re asking: “Do we need an AI policy for ISO 27001?” The answer is still no. But if you’re asking: “Do we understand how AI affects our information risks, and have we addressed that within our ISMS?”
That question might lead you to a policy, or it might lead you to training, technical controls, supplier assurances, or usage restrictions instead. And that’s exactly how ISO 27001 is supposed to work.