ISO/IEC 42001:2023 is the first international standard for AI Management Systems (AIMS). For an AI company, conforming to it means maintaining a documented governance framework covering AI risk and impact assessment, responsible AI practices, human oversight controls, transparency policies and continual monitoring of AI systems; that conformance can then be independently verified by an accredited certification body.
What Is ISO 42001?
ISO/IEC 42001:2023 is the first international standard for Artificial Intelligence Management Systems (AIMS), published jointly by ISO and the International Electrotechnical Commission (IEC) in December 2023. It gives organisations that develop, provide, deploy or use AI systems a structured framework for responsible AI governance.
Like ISO 9001 (quality) and ISO/IEC 27001 (information security), ISO 42001 follows the Annex SL harmonised structure for management system standards, so an organisation already certified to another ISO management system standard can integrate ISO 42001 into it rather than starting from scratch.
The standard addresses a gap that has grown significantly as AI becomes embedded in enterprise operations: the absence of a verified, internationally recognised way for an organisation to demonstrate that its AI systems are governed responsibly.
Who Needs ISO 42001?
ISO 42001 is most immediately relevant to:
- AI software developers and SaaS companies building AI-powered products sold to enterprise or regulated markets
- Enterprises deploying AI in high-stakes decisions — hiring, credit scoring, healthcare triage, legal research
- Companies selling to government or regulated buyers where AI governance requirements are increasingly written into procurement
- Organisations operating under the EU AI Act or similar national AI regulations, where documented governance supports compliance demonstrations
- Companies preparing for enterprise sales cycles where security questionnaires now regularly include AI governance questions
Early-mover advantage is real. During 2024 and 2025, some enterprise procurement teams began requiring documented AI governance as a vendor qualification criterion. A company holding ISO 42001 certification can answer with a third-party-verified credential rather than a self-attested questionnaire.
What Does ISO 42001 Require?
ISO 42001 requires organisations to establish, implement, maintain, and continually improve an AI Management System. The core requirements cover:
| Area | What It Requires |
|---|---|
| AI Policy | A documented organisational policy for responsible AI development and use, approved by top management |
| AI Risk Management | A process for identifying, assessing, and treating risks specific to AI systems (bias, opacity, misuse, security) |
| AI System Impact Assessment | A process for assessing the potential consequences of each AI system for individuals, groups and society, whose results feed the risk treatment decisions |
| AI Objectives | Measurable objectives for responsible AI performance, aligned with the policy |
| AI System Inventory | Documentation of AI systems in scope, their intended use, and risk classification |
| Human Oversight | Controls ensuring appropriate human review of AI-generated outputs in high-risk contexts |
| Transparency | Processes for communicating AI system capabilities, limitations, and intended use to affected parties |
| Data Governance | Controls for data quality, provenance, and bias management throughout the AI lifecycle |
| Internal Audit | Periodic audits of the AIMS against the standard's requirements |
| Management Review | Regular top-management review of AIMS performance |
| Continual Improvement | Processes for corrective action and ongoing AIMS improvement |
Policy, objectives, risk assessment, impact assessment, internal audit, management review and continual improvement are clause-level requirements of the standard. Controls such as human oversight, transparency and data governance come from its Annex A; as under ISO 27001, the organisation records which Annex A controls it applies, and why, in a Statement of Applicability.
ISO 42001 vs. ISO 27001: How They Relate
ISO 27001 (information security) and ISO 42001 (AI management) address related but distinct concerns. Both use the Annex SL structure and integrate well together:
- ISO 27001 — Governs data and information security: confidentiality, integrity, availability. Focused on protecting information assets from unauthorised access and breaches.
- ISO 42001 — Governs AI system behaviour and governance: fairness, transparency, human oversight, AI-specific risk management. Focused on ensuring AI systems perform as intended and are accountable.
Companies with ISO 27001 certification typically find ISO 42001 implementation faster and more straightforward because the management system infrastructure (policies, internal audit, management review, corrective action) is already in place. Havaya's implementation approach for ISO 27001-certified companies typically saves 30–40% of the effort required for a greenfield AIMS build.
The ISO 42001 Certification Process
- AI system inventory and risk classification — Document all in-scope AI systems; classify each by risk level based on intended use and affected parties.
- Gap analysis — Assess current AI governance practices against ISO 42001 requirements. Identify gaps in policy, process, controls, and documentation.
- AIMS design — Develop the AI Management System: AI policy, risk management process, objectives, controls framework, and documentation structure.
- Implementation — Deploy controls across relevant teams (product, engineering, data science, legal). Train staff on their roles within the AIMS.
- Internal audit — Conduct a full internal audit of the AIMS. Identify and address nonconformities.
- Management review — Hold a formal management review to evaluate AIMS performance.
- Stage 1 audit — Certification body reviews documentation and confirms Stage 2 readiness.
- Stage 2 audit — On-site or remote audit verifying effective implementation across all in-scope AI systems and processes.
- Certification issued — Certificate valid for 3 years, with annual surveillance audits and a recertification audit before the certificate expires.
Frequently Asked Questions
What is ISO 42001?
ISO/IEC 42001:2023 is the first international standard for Artificial Intelligence Management Systems (AIMS). It provides a framework for organisations that develop, provide, or use AI systems to govern AI responsibly, manage AI-related risks, and demonstrate trustworthiness to customers and regulators.
Is ISO 42001 required by the EU AI Act?
ISO 42001 is not mandated by the EU AI Act, but its requirements align closely with the Act's obligations for high-risk AI systems (risk management, data governance, transparency, human oversight, logging and monitoring). It is not a harmonised standard under the Act, so certification does not by itself create a presumption of conformity; what it provides is documented, third-party-verified evidence of responsible AI governance, which enterprise procurement increasingly demands and which supports a regulatory compliance demonstration.
How long does ISO 42001 certification take?
Most AI companies achieve ISO 42001 certification in 4 to 9 months, depending on the scope of the AIMS and the maturity of their existing governance. Companies already certified to ISO 27001 typically move faster because of the shared management system structure. Working with an experienced consultant can reduce implementation time by 30–50%.
Do we need ISO 27001 before pursuing ISO 42001?
No. ISO 42001 can be implemented independently. However, organisations that hold ISO 27001 have a significant head start because the management system infrastructure (internal audit, management review, corrective action, documentation controls) already exists.
Does ISO 42001 cover all AI systems we build?
The scope of your AIMS — which AI systems are included — is defined by your organisation based on relevance and risk. You can start with a narrow scope (specific products or use cases) and expand over time as your AIMS matures.