ISO/IEC 42001:2023 (AIMS)

ISO/IEC 42001:2023 is an AI management system (AIMS) standard. It provides requirements for how an organization governs AI across its lifecycle — leadership, planning, operations, performance evaluation, and continual improvement.

In this guide, “ISO 42001” is shorthand for ISO/IEC 42001:2023.

Key facts

  • Type: ISO management system standard
  • Scope: Organization‑level governance
  • Outcome: Audit and certification path
  • Best for: Operationalizing Responsible AI

What ISO/IEC 42001 covers (in practice)

ISO/IEC 42001 is not a checklist of “AI controls.” It is a management system that expects you to:

  • define AI governance scope, policy, and objectives
  • assess and treat AI risks systematically (and repeatably)
  • operate controls across the lifecycle of AI systems
  • monitor effectiveness and continuously improve

In practice, many ISO/IEC 42001 requirements are organizational (policies, processes, oversight), while others become system‑specific when applied to individual AI systems.

How to use this guide

Most teams use ISO/IEC 42001 in two ways:

  • Program layer: define the AIMS, roles, policies, and review cadence.
  • System layer: apply governance to each AI system in context (controls, evidence, monitoring, change).

This guide is written as an implementation playbook — what to decide, what to build, what evidence tends to exist, and where teams get stuck.

How ISO/IEC 42001 works in Modulos

Modulos scopes governance work into projects and uses frameworks to turn standards into executable work:

  • Requirements define what needs to be fulfilled.
  • Controls are the units you execute and review.
  • Evidence is linked to controls and preserved for auditability.

Most organizations use:

  • One organization project for ISO/IEC 42001 management‑system work and shared governance artifacts.
  • AI system projects for product and deployment governance work where requirements become system‑specific.

This structure keeps the management system stable while allowing teams to run system‑level governance continuously.

In practice, most organizations only need one organization project to coordinate organization‑wide governance work. In that case, it’s common to put ISO/IEC 42001 alongside other frameworks (for example the EU AI Act) in the same organization project — and still use AI system projects for system‑specific execution.

Multiple organization projects are typically only needed in more complex setups (for example multinational organizations that need separate governance programs across regions or legal entities).

If you do everything in a single project, it can work — but it often increases noise: long‑lived policy work and fast‑moving system evidence end up mixed in the same review queues.

Integrated Management System (IMS): ISO/IEC 42001 + ISO/IEC 27001 + ISO/IEC 27701

ISO management system standards share a harmonized structure. This makes it realistic to operate ISO/IEC 42001 alongside:

  • ISO/IEC 27001 (security baseline and ISMS governance)
  • ISO/IEC 27701 (privacy extension to the ISMS)

In practice, you can integrate shared management processes (document control, internal audit, management review, corrective action) while keeping AI‑specific governance (AI risk and impact assessments, AI objectives, and AI lifecycle controls) explicit.

Related: ISO 27001 integration with AI governance.

Certification reality

Certification is usually a multi‑step process: gap analysis, implementation, internal audit, and external certification audit. The common failure mode is treating certification as a documentation sprint rather than a governance program.

Go deeper: Scope and certification and Operationalizing ISO/IEC 42001 in Modulos.

Explore ISO/IEC 42001 deeper

Getting started

Disclaimer

This page is for general informational purposes and does not constitute legal advice.