ISO 42001 Compliance

The global standard for AI management systems

Build trustworthy, accountable AI with the world's first international standard for AI Management Systems. ISO/IEC 42001:2023 provides a proven governance framework for organizations that develop, provide, or use AI.

Why Get Certified?

ISO 42001 is more than a badge. It is a systematic approach to managing AI systems responsibly. By implementing an AIMS, your organization transitions from informal AI adoption to a structured, auditable governance program built on international consensus.

Risk-Based AI Governance

Systematic identification and treatment of AI-specific risks across the full model lifecycle, from data sourcing and training through deployment and retirement.

Trustworthy AI by Design

Embed accountability, transparency, and human oversight into every AI initiative from the outset. ISO 42001 makes responsible AI a structured discipline, not an aspiration.

Regulatory Readiness

ISO 42001 supports the EU AI Act Article 9 obligations, giving certified organizations a defensible, third-party-validated compliance posture with regulators.

Annex A Control Categories

ISO 42001 Annex A organizes 38 controls across six thematic categories. Each category addresses a distinct dimension of responsible AI governance.

Policies for AI

6 controls

Organizational commitment and governance structures for responsible AI use.

Internal Organization

5 controls

Roles, responsibilities, and oversight mechanisms for AI governance.

Resources for AI Systems

5 controls

Compute, data, and tooling management across the AI lifecycle.

AI System Impact Assessment

4 controls

Evaluating societal, safety, and security impacts before and after deployment.

AI System Lifecycle

10 controls

Requirements covering design, development, testing, monitoring, and decommissioning.

Data for AI Systems

8 controls

Data quality, provenance, bias management, and privacy protection.

Overview of ISO/IEC 42001:2023

Understanding AI Management Systems

An AI Management System provides a structured framework for governing how an organization develops, deploys, and operates AI systems. ISO/IEC 42001:2023 specifies the requirements for establishing, implementing, maintaining, and continually improving an AIMS. The standard was developed by ISO/IEC JTC 1/SC 42 and published in December 2023, making it the world's first international standard dedicated to AI governance.

The standard follows the High-Level Structure (HLS) used by ISO 27001 and ISO 9001, which means organizations already certified under those standards will find the clause structure familiar. Clauses 4 through 10 define the mandatory AIMS requirements, while Annex A provides a catalog of 38 controls organized into six categories that an organization selects and applies based on its AI risk profile.

Who Needs ISO 42001

The standard applies to any organization in the AI supply chain: companies building AI products, organizations deploying AI services from third-party providers, and enterprises integrating AI into internal operations. Size and sector are not limiting factors. The AIMS scope is defined by the organization, meaning a company can certify against a specific AI system, product line, or the full portfolio.

For B2B organizations, ISO 42001 certification creates immediate commercial value. Enterprise buyers and public sector clients are beginning to include AI governance certifications in procurement requirements, mirroring how ISO 27001 became a baseline expectation for security. Early certification positions you ahead of this curve.

The Certification Pathway

Certification follows the same structured phases as ISO 27001, adapted for AI systems.

Phase 1: Gap Assessment and Scoping

Define the AIMS boundary: which AI systems, products, or use cases fall within scope. Compare current governance practices against ISO 42001 clauses 4-10 and Annex A controls. This produces the initial remediation roadmap and Statement of Applicability (SoA).

Phase 2: AI Risk Assessment and Treatment

Catalog AI systems within scope, identify impact risks (bias, safety, security, privacy), evaluate likelihood and severity, and apply Annex A controls as risk treatments. Document the AI system impact assessments required by Annex A.

Phase 3: Stage 1 Audit (Document Review)

An accredited external auditor reviews your AIMS documentation: policies, risk assessments, impact assessments, and procedures. They confirm the design of your AIMS structurally satisfies the standard's requirements.

Phase 4: Stage 2 Audit (Certification)

The auditor verifies that your organization operates its AIMS as documented. They interview staff, review AI system records, and sample evidence. A successful audit grants the ISO 42001 certificate.

Phase 5: Surveillance Audits

The certificate is valid for three years. Annual surveillance audits confirm the AIMS remains operational and is continuously improved as AI systems evolve.

Alignment with the EU AI Act

The EU AI Act (EU 2024/1689) requires high-risk AI systems to implement a risk management system (Article 9) and a quality management system (Article 17). ISO 42001 provides the internationally recognized, certification-backed implementation path for both requirements. Organizations with a live ISO 42001 AIMS hold documented, third-party-audited evidence of compliance with the most demanding operational obligations in the Act.

This creates a direct "test once, comply many" opportunity. The AI system impact assessments, data governance controls, and lifecycle documentation produced during ISO 42001 implementation support the technical documentation requirements under Article 11 and the data governance obligations under Article 10. Organizations already on the EU AI Act compliance path save significant effort by anchoring their program in ISO 42001 from the start.

What You Get

Our ISO 42001 implementation delivers the governance artifacts and certification evidence needed to demonstrate responsible AI management.

AIMS Gap Analysis Report

Current governance state vs ISO/IEC 42001:2023 requirements with a prioritized remediation roadmap

AI Risk Register

Documented AI system impacts, control mitigations, and residual risk acceptance records

Statement of Applicability

Tailored Annex A control selection and justification matched to your AI portfolio

AIMS Documentation Suite

Complete policies, procedures, and AI system records ready for Stage 1 and Stage 2 audits

Internal Audit Support

Pre-certification readiness assessment and audit preparation to maximize first-pass success

ISO 42001 Implementation Insights

What is an AI Management System (AIMS)?

An AI Management System (AIMS) is a structured framework of policies, processes, and controls that governs how an organization develops, deploys, and operates AI systems responsibly. ISO/IEC 42001:2023 provides the exact specifications for establishing, implementing, maintaining, and continually improving an AIMS.

Who does ISO 42001 apply to?

Any organization that develops AI products, provides AI services, or integrates AI into its operations. It applies regardless of organization size or sector. This includes companies building internal AI tools, SaaS providers with AI features, and enterprises deploying third-party AI systems.

How does ISO 42001 relate to the EU AI Act?

The EU AI Act mandates risk management and quality management systems for high-risk AI under Article 9. ISO 42001 provides the certification-backed framework to satisfy those obligations. Certified organizations hold documented, audited evidence of a functioning AIMS, which is precisely what conformity assessors and regulators expect.

How long does ISO 42001 certification take?

Typically 6 to 12 months from gap assessment to certification, depending on the size of the AI portfolio and maturity of existing governance practices. The certificate is valid for three years with annual surveillance audits to confirm the AIMS is actively maintained.

Lead with Certified AI Governance

Our experts guide you through every phase of ISO 42001 implementation, from AI risk assessment to certification audit.