ISO 27001
Also: ISO/IEC 27001
ISO 27001 is an internationally recognised certification confirming that a company runs a formal information security management system (ISMS), an ongoing programme rather than a one-time checklist.
ISO/IEC 27001 is a standard published by the International Organization for Standardization that specifies requirements for an information security management system: how a company identifies risks, sets controls, assigns ownership, and continually reviews and improves its security practices. Certification is issued by an accredited third-party auditor after a formal audit, and requires periodic surveillance audits (typically annual) to stay valid; it isn't a badge earned once and kept forever.
How it compares to SOC 2
Where SOC 2 is common in the US and reports on specific control operation over a period, ISO 27001 is the more globally recognised standard and certifies the management system itself: the governance and process discipline around security, not just a snapshot of specific controls. Many enterprise buyers, especially outside the US, will ask for ISO 27001 specifically, and some now also look for the newer ISO/IEC 42001 standard, which extends the same management-system approach specifically to AI systems.
What it doesn't tell you
As with SOC 2, ISO 27001 says nothing on its own about whether a vendor trains on your data or signs a BAA; treat it as evidence of security-program maturity, and check the AI-specific data-handling questions separately and directly.
Check the scope
Certification is usually company-wide or scoped to specific product lines rather than universal, so it is worth confirming the certificate's scope actually covers the AI product you are evaluating, not just the vendor's other services. ModelCharter's ISO 27001 compliance hub lists AI tools that hold a current certificate.