ISO 42001 certification: a complete guide to the AI management system standard

In short: ISO/IEC 42001:2023 is the world’s first international standard for an AI management system (AIMS). Published in December 2023, it specifies requirements for developing, providing and using artificial intelligence responsibly, set out in seven operative clauses (4 to 10) and 38 controls across 9 areas, and certifiable on a three-year audit cycle.
ISO 42001 at a glance
- Standard: ISO/IEC 42001:2023, full title "Information Technology - Artificial Intelligence - Management System".
- Published: December 2023, jointly by ISO and IEC.
- Type: the world’s first certifiable management-system standard for an AI management system (AIMS).
- Structure: seven operative clauses (4 to 10) following the Harmonized Structure (Annex SL).
- Controls: 38 controls across 9 areas (Annex A, A.2 to A.10), selected via a Statement of Applicability.
- Certification: voluntary, by accredited bodies. The certificate is valid for three years and maintained through annual surveillance audits.
- EU AI Act: ISO 42001 supports readiness but, as of 2026, is not a harmonised standard and confers no presumption of conformity.
- Who it is for: any organisation of any size or sector that develops, provides or uses AI systems.
What is ISO 42001?
ISO/IEC 42001:2023 is the international management-system standard for artificial intelligence. Its full title is "Information Technology - Artificial Intelligence - Management System". It sets requirements to establish, implement, maintain and continually improve an Artificial Intelligence Management System (AIMS).
It was published in December 2023 jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is recognised as the world’s first AI management-system standard. That qualifier matters: earlier AI standards such as ISO/IEC 22989 (terminology) and ISO/IEC 23894 (risk-management guidance) already existed, but those are guidance documents. ISO 42001 is the first standard against which an AI management system can be certified.
The underlying idea mirrors established standards for information security (ISO/IEC 27001) or quality (ISO 9001): instead of testing a single piece of technology, it certifies the organisational framework in which AI is built and operated. ISO 42001 makes accountability, risk assessment, transparency and oversight of AI systems systematic and auditable.
What is an AI management system under ISO 42001?
An AI management system is the sum of all policies, roles, processes and controls an organisation uses to govern the full lifecycle of its AI systems, from initial idea through development and operation to decommissioning. "AI management system", "AIMS" and the German term "KI-Managementsystem" all denote the same concept.
Rather than treating AI governance as a one-off project, ISO 42001 establishes a durable, auditable cycle based on the Plan-Do-Check-Act principle. An AIMS answers concrete questions: who is accountable for an AI system? How are risks to affected individuals assessed? How do you ensure training data is appropriate, that models are monitored, and that humans can intervene? The standard structures exactly these questions.
Importantly, an AI management system under ISO 42001 is technology-neutral. It does not prescribe a particular model architecture or platform; it prescribes the governance framework. It therefore applies equally to classic machine-learning models, generative AI, and third-party AI services you procure. In practice, however, many of the controls are geared more toward data- and learning-based AI than toward purely rule-based systems.
Why ISO 42001 matters now
AI is already in production in most organisations, and with that comes rising demand for traceability and accountability. Customers, partners and regulators increasingly ask how a company governs its AI: how is bias detected, how is transparency ensured, who is accountable when a model gets a decision wrong?
At the same time the regulatory landscape is tightening. The EU AI Act (Regulation (EU) 2024/1689) introduces binding European AI law with tiered obligations, especially for high-risk AI. ISO 42001 provides exactly the organisational scaffolding a company needs to meet such obligations in a structured way. Certification is also an outward trust signal in a market where "responsible AI" is becoming a selection criterion.
For the strategic angle, read: AI compliance as a competitive factor: How AI Act & ISO 42001 strengthen your market position
The key benefits of ISO 42001
The value of ISO 42001 certification goes beyond the certificate itself. It works both inward and outward:
- Trust and credibility: an independently audited AI management system is a robust signal to customers, partners and regulators that AI is governed responsibly.
- Systematic risk management: AI-specific risks such as bias, lack of explainability, model drift or data quality are captured, assessed and treated in a structured way rather than ad hoc.
- Regulatory readiness: the standard builds exactly the structures the EU AI Act and other frameworks require anyway, shortening the path to compliance.
- Market access and differentiation: "responsible AI" is increasingly a criterion in tenders and supplier assessments. A certificate lowers procurement hurdles.
- Operational efficiency: clear roles, processes and documentation reduce friction in AI operations and speed up approvals.
- Integration, not a parallel system: thanks to the shared structure, the AIMS embeds into existing management systems such as ISO 27001.
The standard’s structure: clauses 4 to 10
ISO 42001 follows the Harmonized Structure (defined in Annex SL of the ISO/IEC Directives and formerly known as the High Level Structure) shared by all modern ISO management-system standards. Clauses 1 to 3 cover scope, normative references, and terms and definitions. The actual requirements sit in the seven operative clauses 4 to 10:
Clause 4, Context of the organization: determine internal and external context, interested parties and their needs, and define the scope of the AI management system.
Clause 5, Leadership: top-management commitment, an AI policy, and clear roles, responsibilities and authorities.
Clause 6, Planning: addressing risks and opportunities, AI risk assessment and treatment, AI system impact assessment, and setting AI objectives.
Clause 7, Support: resources, competence, awareness, communication and documented information.
Clause 8, Operation: operational planning and control, where risk assessment, risk treatment and impact assessment are carried out in practice.
Clause 9, Performance evaluation: monitoring and measurement, internal audit and management review.
Clause 10, Improvement: continual improvement, and handling of nonconformities and corrective actions.
Annex A: the 38 controls across 9 areas
Alongside the clauses, ISO 42001 includes four annexes. The normative Annex A lists a catalogue of 38 controls organised into 9 areas (A.2 to A.10). From this catalogue the organisation selects the controls relevant to its context via a Statement of Applicability, justifying any exclusions, much as under ISO 27001; Annex A is not exhaustive, and additional controls can be added where the risk treatment requires them. The 9 areas are:
- A.2: Policies related to AI
- A.3: Internal organization
- A.4: Resources for AI systems
- A.5: Assessing impacts of AI systems
- A.6: AI system life cycle
- A.7: Data for AI systems
- A.8: Information for interested parties
- A.9: Use of AI systems
- A.10: Third-party and customer relationships
The other three annexes are informative: Annex B provides implementation guidance for the Annex A controls, Annex C describes potential AI-related objectives and risk sources, and Annex D explains using the AI management system across domains and alongside other management-system standards.
ISO 42001 certification: step by step
ISO 42001 certification is voluntary and carried out by accredited, independent certification bodies. Note: ISO itself does not certify organisations. It only publishes the standard. The typical path runs through several steps:
- Gap analysis and scope: define the scope and compare the current state against the standard’s requirements.
- Build the AIMS: create the AI policy, run risk and impact assessments, select controls and produce the Statement of Applicability.
- Operate and internal audit: run the management system, train staff, and conduct an internal audit and management review.
- Stage 1 audit: the certification body reviews documentation and audit readiness (typically 1-2 days).
- Stage 2 audit: assessment of the operational effectiveness of the implemented AI management system (often several days, depending on size and complexity).
- Certificate and maintenance: on success the certificate is issued. It is valid for three years, maintained through annual surveillance audits, and renewed by a recertification audit in year three.
Total time to first certification depends heavily on the maturity of existing governance and is typically several months. This is an experience-based estimate, not a duration mandated by the standard.
Common misconceptions about ISO 42001
A few persistent myths circulate around the standard. The most important, set straight:
- "ISO 42001 is mandatory." No, the standard is voluntary. What is binding is AI law such as the EU AI Act; ISO 42001 helps meet its requirements in a structured way.
- "Certification automatically satisfies the EU AI Act." No. ISO 42001 supports readiness but is not a harmonised standard and confers no presumption of conformity.
- "ISO 42001 certifies my AI model." No, what is audited is the management system (processes, roles, controls), not a single model or product.
- "The standard is only for AI developers." No. It also applies to organisations that merely use AI or rely on third-party services.
- "ISO 42001 replaces ISO 27001." No, the two address different objects of protection and complement each other.
ISO 42001 vs ISO 27001: the difference
Because both standards use the same Harmonized Structure, they look similar at first glance. The decisive difference is what they protect:
- Object of protection: ISO 42001 governs an AI management system (AIMS); ISO 27001 an information security management system (ISMS).
- Focus: ISO 42001: responsible AI, impacts on affected individuals, transparency and oversight. ISO 27001: confidentiality, integrity and availability of information.
- Controls: ISO 42001: 38 controls across 9 areas (Annex A). ISO 27001: 93 controls in 4 themes (Annex A of the 2022 edition).
- Structure: both follow the Harmonized Structure (Annex SL) and can be operated in an integrated way.
- Certification: both are certifiable; the certificate is valid for three years with annual surveillance audits.
- Published: ISO 42001: 2023. ISO/IEC 27001: current edition 2022.
In practice the two complement each other. An organisation already certified to ISO 27001 can extend its existing management system with an AIMS without rebuilding the framework (context, leadership, planning) twice. ISO 42001 closes the gap ISO 27001 leaves: a pure ISMS does not address AI-specific risks such as discrimination, lack of explainability or uncontrolled model drift.
ISO 42001 and the EU AI Act
Precision matters here, because a lot of half-knowledge circulates. ISO 42001 supports EU AI Act readiness and demonstrates mature AI governance, but as of 2026 the standard is not a harmonised standard under the AI Act and does not confer a presumption of conformity. ISO 42001 certification therefore does not replace the conformity evidence required for high-risk AI.
- Nature: ISO 42001 is a voluntary international standard; the EU AI Act is a binding EU regulation (Regulation (EU) 2024/1689).
- Applicability: ISO 42001 applies worldwide and voluntarily; the AI Act applies on a risk-based, mandatory basis for the EU market.
- Certification: ISO 42001 is certifiable by accredited bodies; the AI Act requires a conformity assessment depending on the risk class.
- Relationship: ISO 42001 supports AI Act readiness but, as of 2026, is not a harmonised standard and confers no presumption of conformity. The harmonised standard is being developed via CEN-CENELEC JTC 21 (draft prEN 18286).
The harmonised standards for the AI Act are being developed by the European standardisation body CEN-CENELEC JTC 21. The relevant draft, prEN 18286, a quality management system for EU AI Act regulatory purposes, entered public enquiry on 30 October 2025 and is explicitly designed to be compatible with ISO 42001. Until such a standard is listed in the Official Journal of the EU, ISO 42001 remains a voluntary governance tool: valuable as a foundation, but not a legal shield.
This reflects the picture as of early 2026. Once EN 18286 is adopted and its reference is listed in the Official Journal of the EU, the relationship between ISO 42001 and the EU AI Act will shift materially, because only a harmonised standard can confer a presumption of conformity.
The correct framing is therefore: ISO 42001 builds the structures the AI Act requires anyway (risk management, documentation, oversight), accelerating compliance without guaranteeing it.
On the high-risk obligations specifically: EU AI Act High Risk: What companies must implement by August 2026
ISO 42001 within the ISO AI standards family
ISO 42001 does not stand alone; it sits at the centre of a growing family of AI standards. ISO/IEC 22989 provides the foundational terminology and AI concepts on which ISO 42001 relies, and ISO/IEC 23894 is the companion guidance for AI risk management that supports the risk requirements in clauses 6 and 8. ISO/IEC 42005, published in 2025, gives guidance on AI system impact assessment and operationalises a core requirement of ISO 42001, while ISO/IEC 42006:2025 sets the requirements for bodies that audit and certify AI management systems, ensuring consistent and credible certification.
Beyond the ISO world, the NIST AI Risk Management Framework (NIST AI 100-1) is the dominant voluntary counterpart in the US market. It organises AI risks through the Govern, Map, Measure and Manage functions and combines well with an AI management system under ISO 42001.
Who should adopt ISO 42001?
ISO 42001 is sector- and size-neutral. It is aimed at any organisation that develops, provides or uses AI systems, from start-up to enterprise, from technology vendor to a pure user of procured AI. It is particularly relevant for:
- Providers of AI products and services who want to demonstrate trust and auditability to customers.
- Highly regulated sectors such as financial services, healthcare or critical infrastructure that must evidence AI governance anyway.
- Organisations within scope of the EU AI Act that want to build a solid governance foundation early.
- Companies using third-party AI services that need to manage the associated supply-chain and third-party risk.
First steps toward ISO 42001
A pragmatic start begins not with the audit but with clarity about the status quo:
- Define the scope: which AI systems and organisational units should the AIMS cover?
- Gap analysis: map the current state against clauses 4-10 and the 38 controls.
- AI inventory and risk picture: which AI systems exist, and what impact do they have on affected individuals?
- Reuse existing management systems: build on existing ISO 27001 structures rather than running a parallel system.
- Roadmap and accountability: define the sequence to audit readiness and name owners.
What a structured AI roadmap looks like: Building an AI roadmap: The 4-phase method for enterprise AI transformation
Frequently asked questions about ISO 42001
What is ISO 42001?
ISO/IEC 42001:2023 is the world’s first international standard for an AI management system (AIMS). Published in December 2023, it sets requirements to develop, provide and use AI responsibly through seven operative clauses and 38 controls.
What is an AI management system under ISO 42001?
An AIMS is the sum of all policies, roles, processes and controls an organisation uses to govern the full lifecycle of its AI systems, from idea through development and operation to decommissioning. It follows the Plan-Do-Check-Act principle and is technology-neutral.
When was ISO 42001 published?
ISO/IEC 42001 was published in its first edition in December 2023 by ISO and IEC.
How many controls does ISO 42001 have?
The normative Annex A contains 38 controls organised into 9 areas (A.2 to A.10), from AI policies through the AI lifecycle and data to third-party relationships. The organisation selects the relevant controls via a Statement of Applicability.
How does ISO 42001 certification work?
Through a Stage 1 audit (documentation and readiness review) and a Stage 2 audit (effectiveness review) by an accredited certification body. The certificate is valid for three years, maintained through annual surveillance audits, and recertified in year three. ISO itself does not certify.
Is ISO 42001 mandatory?
No. ISO 42001 is a voluntary standard. However, it can help meet regulatory requirements such as the EU AI Act in a structured way, and is increasingly expected by customers and partners as a trust signal.
ISO 42001 vs ISO 27001: what is the difference?
ISO 27001 is the information security management system (protecting confidentiality, integrity, availability). ISO 42001 is the AI management system (responsible AI, impacts on affected individuals, transparency, oversight). Both share the same structure and can be operated in an integrated way.
Does ISO 42001 satisfy the EU AI Act?
Not automatically. ISO 42001 supports EU AI Act readiness and demonstrates mature AI governance, but as of 2026 it is not a harmonised standard and confers no presumption of conformity. The harmonised standard is being developed via CEN-CENELEC JTC 21 (draft prEN 18286, compatible with ISO 42001).
How long does ISO 42001 certification take?
It depends heavily on the maturity of existing governance and is typically several months from gap analysis to the Stage 2 audit. The standard mandates no fixed duration; the Stage 1 audit usually takes 1-2 days and the Stage 2 audit several days depending on scope.
Which organisations should adopt ISO 42001?
Any organisation of any size or sector that develops, provides or uses AI systems. It is especially relevant for AI providers, highly regulated sectors, companies within EU AI Act scope, and users of procured AI services.