ISO 42001 (ISO/IEC 42001:2023) — AI Management System

ISO 42001 — formally ISO/IEC 42001:2023 — is the world's first international management system standard for artificial intelligence. It specifies requirements for an AI Management System (AIMS) so organizations can develop, provide, or use AI systems responsibly and be audited against a certifiable standard.

Throughout this guide, we use ISO 42001, ISO 42001:2023, and ISO/IEC 42001:2023 interchangeably — they all refer to the same standard.

Key facts
  • Publisher: ISO/IEC (joint)
  • Version: ISO/IEC 42001:2023
  • Type: Certifiable management system standard
  • Scope: Organization-level AI governance
  • Outcome: ISO 42001 certification (accredited)
  • Best for: Operationalizing Responsible AI

What is ISO 42001?

ISO 42001 is an AI Management System (AIMS) standard. It is not a checklist of AI controls — it is a structured operating model that expects an organization to:

  • define the scope, policy, and objectives of its AI management system
  • identify interested parties, legal, and ethical requirements
  • assess and treat AI risks and AI impacts systematically
  • operate controls across the lifecycle of AI systems
  • monitor effectiveness, run internal audits, and continually improve

ISO 42001 follows the Harmonized Structure (formerly Annex SL) shared by ISO 9001 (quality), ISO 27001 (information security), ISO 27701 (privacy), and other management-system standards. That makes it straightforward to integrate into an existing management system.

Why ISO 42001 matters

  • It is the first certifiable international standard for AI governance.
  • It is explicitly aligned with the EU AI Act, NIST AI RMF, and the OECD AI Principles.
  • It provides procurement teams, regulators, and customers with a defensible, third-party-verifiable signal of responsible AI practice.
  • It is the natural target for AI providers and deployers who already operate under ISO 27001/27701 and want one coherent management system.

ISO 42001 structure at a glance

Clauses 4–10 (the management system)

Each clause, its title, and what it requires:

  • Clause 4, Context of the organization: scope of the AIMS, interested parties, role in the AI system lifecycle
  • Clause 5, Leadership: AI policy, roles, responsibilities, accountability
  • Clause 6, Planning: AI risk assessment, AI impact assessment, treatment plan, objectives
  • Clause 7, Support: resources, competence, awareness, documented information
  • Clause 8, Operation: operational planning, AI system lifecycle, third-party and supplier governance
  • Clause 9, Performance evaluation: monitoring, measurement, internal audit, management review
  • Clause 10, Improvement: nonconformity, corrective action, continual improvement

Go deeper: Clauses 4–10 (implementation guide).

Annex A (reference controls)

ISO 42001 Annex A contains 38 reference control objectives grouped into 9 areas (A.2 through A.10):

Each Annex A area and its focus:

  • A.2 Policies related to AI: AI policy, alignment with other policies
  • A.3 Internal organization: roles, reporting, AI ethics
  • A.4 Resources for AI systems: data, tooling, compute, and human resources
  • A.5 Assessing impacts of AI systems: impact assessment process
  • A.6 AI system lifecycle: design, development, verification, deployment, operation, decommissioning
  • A.7 Data for AI systems: data for AI, data quality, data lineage
  • A.8 Information for interested parties: system documentation, user information
  • A.9 Use of AI systems: intended use, responsible use
  • A.10 Third-party and customer relationships: supplier, customer, downstream use

Go deeper: Annexes A–D (how to use them).

Annexes B, C, D (guidance)

  • Annex B — implementation guidance for the Annex A controls.
  • Annex C — suggested AI objectives and risk sources (useful input for Clause 6).
  • Annex D — how ISO 42001 integrates with other management systems (ISO 27001, ISO 27701, ISO 9001).

ISO 42001 certification

ISO 42001 is certifiable: an accredited certification body can audit your AIMS and issue a third-party ISO 42001 certificate.

The ISO 42001 certification process

  1. Scope and gap analysis: define the AIMS boundary and compare the current state to clauses 4–10 and Annex A.
  2. Implement the AIMS: policy, risk and impact assessment, controls, internal audit, management review.
  3. Operating window: run the AIMS long enough to produce evidence (usually 2–3 months minimum).
  4. Stage 1 audit: documentation review by the accredited certification body.
  5. Stage 2 audit: on-site audit of AIMS effectiveness and evidence.
  6. Certification and surveillance: ISO 42001 certificate, annual surveillance audits, recertification every 3 years.

ISO 42001 certification timeline (typical)

  • With mature ISO 27001 / ISO 9001 in place: 6–9 months to Stage 2
  • Starting from scratch: 9–15 months to Stage 2
  • Surveillance: annual
  • Recertification: every 3 years

The common failure mode is treating ISO 42001 certification as a documentation sprint. It is a governance program — auditors want to see a living management system, not a one-off artifact.

Go deeper: ISO 42001 scope and certification.

How to use this guide

Most teams use ISO/IEC 42001 in two ways:

  • Program layer: define the AIMS, roles, policies, and review cadence.
  • System layer: apply governance to each AI system in context (controls, evidence, monitoring, change).

This guide is written as an implementation playbook — what to decide, what to build, what evidence tends to exist, and where teams get stuck on the ISO 42001 certification path.

How ISO/IEC 42001 works in Modulos

Modulos scopes governance work into projects and uses frameworks to turn the ISO 42001 standard into executable work:

  • Requirements define what ISO 42001 clauses and Annex A controls need to be fulfilled.
  • Controls are the units you execute and review.
  • Evidence is linked to controls and preserved for auditability under ISO 42001.

Most organizations use:

  • One organization project for ISO/IEC 42001 management‑system work and shared governance artifacts.
  • AI system projects for product and deployment governance work where requirements become system‑specific.

This structure keeps the management system stable while allowing teams to run system‑level governance continuously.

In practice, most organizations only need one organization project to coordinate organization‑wide governance work. In that case, it's common to put ISO/IEC 42001 alongside other frameworks (for example the EU AI Act) in the same organization project — and still use AI system projects for system‑specific execution.

Multiple organization projects are typically only needed in more complex setups (for example multinational organizations that need separate governance programs across regions or legal entities).

If you do everything in a single project, it can work — but it often increases noise: long‑lived policy work and fast‑moving system evidence end up mixed in the same review queues.

Integrated Management System (IMS): ISO/IEC 42001 + ISO/IEC 27001 + ISO/IEC 27701

ISO management system standards share a harmonized structure. This makes it realistic to operate ISO/IEC 42001 alongside:

  • ISO/IEC 27001 (security baseline and ISMS governance)
  • ISO/IEC 27701 (privacy extension to the ISMS)

In practice, you can integrate shared management processes (document control, internal audit, management review, corrective action) while keeping AI‑specific governance (AI risk and impact assessments, AI objectives, and AI lifecycle controls) explicit.

Related: ISO 27001 integration with AI governance.

ISO 42001 vs. other AI governance frameworks

  • ISO 42001 vs NIST AI RMF — NIST AI RMF is a voluntary U.S. risk-management framework; ISO 42001 is a certifiable international management system. Many programs run NIST AI RMF inside the ISO 42001 AIMS. See NIST AI RMF guide.
  • ISO 42001 vs EU AI Act — ISO 42001 is voluntary; the EU AI Act is binding regulation. An ISO 42001 certificate does not replace EU AI Act conformity, but it is one of the most efficient ways to produce the evidence the EU AI Act requires. See EU AI Act guide.
  • ISO 42001 vs ISO 27001 — ISO 27001 is the information security management standard; ISO 42001 extends the same management-system logic to AI. Both can be operated as a single integrated management system. See ISO 27001 guide.

Full side-by-side: AI governance frameworks comparison.

Frequently asked questions about ISO 42001

What is ISO 42001?

ISO 42001 — formally ISO/IEC 42001:2023 — is the world's first international management system standard for artificial intelligence. It specifies requirements for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS) so that organizations govern AI responsibly across its lifecycle. ISO 42001 is certifiable by an accredited third-party body.

What is the difference between ISO 42001 and ISO/IEC 42001?

There is no difference. ISO 42001 is the short form of ISO/IEC 42001:2023. The standard is jointly published by ISO and IEC, which is why the formal name is ISO/IEC 42001. In everyday use, ISO 42001, ISO 42001:2023, and ISO/IEC 42001:2023 all refer to the same standard.

How do I get ISO 42001 certified?

ISO 42001 certification is a multi-step process:

  1. Scope the AIMS and perform a gap analysis against clauses 4–10 and Annex A.
  2. Implement the AIMS: policies, AI risk assessment, AI impact assessment, controls, internal audit, management review.
  3. Generate evidence over a defined operating window (usually 2–3 months minimum).
  4. Engage an accredited certification body for a two-stage audit (Stage 1 documentation review, Stage 2 on-site audit).
  5. Maintain with annual surveillance audits and recertification every 3 years.

See ISO 42001 scope and certification for the full path.

Who needs ISO 42001 certification?

ISO 42001 certification is voluntary, but it is increasingly expected for organizations that develop, provide, or use AI systems and want to demonstrate responsible AI governance to customers, regulators, or procurement teams. Typical adopters include AI providers (SaaS and on-prem), enterprises deploying AI in regulated contexts, and vendors that need to satisfy EU AI Act or NIST AI RMF expectations with certifiable evidence.

What is ISO 42001 Annex A?

Annex A of ISO/IEC 42001:2023 is a reference control set — 38 objectives grouped into 9 control areas (A.2 through A.10) that organizations can select from to treat AI risks. Unlike Annex A of ISO/IEC 27001, ISO 42001 Annex A controls are not mandatory by default — the organization justifies which controls apply based on its AI risk assessment and produces a Statement of Applicability.

How long does ISO 42001 certification take?

  • With mature ISO 27001 / ISO 9001 in place: 6–9 months to Stage 2 audit.
  • Starting from scratch: 9–15 months to Stage 2 audit.
  • Surveillance: annual.
  • Recertification: every 3 years.

The time is driven primarily by the evidence window: the AIMS has to run long enough to produce credible records of internal audit, management review, and continual improvement.

Is ISO 42001 the same as the EU AI Act?

No. ISO 42001 is a voluntary international management system standard. The EU AI Act is binding European regulation with prohibited uses, high-risk obligations, and general-purpose AI (GPAI) duties. They are complementary: an ISO 42001-certified AIMS is one of the most efficient ways to produce the documented risk management, quality management, and post-market monitoring that the EU AI Act requires for high-risk AI systems.

Disclaimer

This page is for general informational purposes and does not constitute legal advice.