ISO/IEC 42001:2023 — AI Management System
ISO/IEC 42001:2023 — published December 2023 — is the world's first international AI management system (AIMS) standard. It specifies requirements for an organisation to develop, provide or use AI systems responsibly under a certifiable management-system framework, with the same Annex SL backbone as ISO/IEC 27001, ISO/IEC 27701 and ISO 9001.
Throughout this guide we use ISO 42001, ISO 42001:2023 and ISO/IEC 42001:2023 interchangeably — all refer to the same standard.
Quick decision
- You need a certifiable AI-governance signal for procurement, regulators or customers → ISO 42001 is the certifiable management-system option. See Scope and certification.
- You already operate ISO 27001 and want to extend the management system to AI → integrate the AIMS into the existing ISMS using the shared Annex SL clauses; see Operationalizing in Modulos.
- You need to satisfy EU AI Act high-risk obligations and want a structured way to produce the evidence → run an ISO 42001 AIMS as the management-system spine; the AI risk and impact assessments map onto EU AI Act Article 9 and Article 27.
- You want a deep read of the management-system clauses → see Clauses 4–10.
- You want to understand the reference controls → see Annex A and informative annexes.
TL;DR
- First international AIMS standard. ISO/IEC 42001:2023 — published December 2023 by ISO and IEC jointly.
- Certifiable. Two-stage audit by an accredited certification body; annual surveillance; recertification every three years.
- Annex SL backbone. Clauses 4–10 share the harmonized structure with ISO 27001, 27701 and 9001 — integration with an existing management system is straightforward.
- AIMS-specific additions. AI policy (Clause 5.2), AI risk assessment (6.1.2), AI risk treatment (6.1.3), AI impact assessment (6.1.4), AI system lifecycle and data controls (Annex A).
- Annex A is informative. Reference controls are selected based on the AI risk assessment and recorded in a Statement of Applicability.
- Complements rather than replaces the EU AI Act. A certificate is not regulatory conformity, but the AIMS produces the documented evidence regulators expect for high-risk AI systems.
- Modulos operationalises ISO 42001 through the OFF-7 / MFF-7 (legacy) and OFF-10 / MFF-10 (clause-aligned) framework templates.
Primary source
ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system. © ISO/IEC. Available via the ISO Online Browsing Platform.
Key facts
| Field | Value |
|---|---|
| Publisher | ISO/IEC (joint) |
| Edition | ISO/IEC 42001:2023 (Dec 2023) |
| Type | Certifiable management-system standard |
| Scope | Organisation-level AI governance (AIMS) |
| Backbone | Annex SL (Clauses 4–10) |
| Outcome | Accredited ISO 42001 certification |
What ISO 42001 actually requires
ISO 42001 is not a checklist of AI controls — it is a structured operating model that expects the organisation to:
- define the scope of its AIMS (Clause 4.3), informed by its role in the AI lifecycle (provider, producer, customer, partner, subject, regulator);
- determine interested parties and their needs and expectations (4.2);
- maintain an AI policy (5.2) and assign roles, responsibilities and authorities (5.3);
- perform a structured AI risk assessment (6.1.2), an AI risk treatment plan (6.1.3) and an AI system impact assessment (6.1.4);
- set and pursue AI objectives (6.2);
- operate controls across the AI system lifecycle (Clause 8 + Annex A);
- monitor, measure, internally audit and review (Clause 9) and continually improve (Clause 10).
Annex A is a reference control set from which the organisation selects controls based on its AI risk and impact assessment. Selection is documented through AI risk-treatment records and an SoA-equivalent control-selection record; unlike ISO/IEC 27001, ISO 42001 treats Annex A as informative rather than as a mandatory checklist.
Go deeper: Clauses 4–10 (implementation guide) · Annex A and informative annexes.
Annex SL backbone — shared with ISO 27001, 27701 and 9001
ISO 42001 follows the Annex SL harmonised structure. The headline-level clauses (4 Context, 5 Leadership, 6 Planning, 7 Support, 8 Operation, 9 Performance evaluation, 10 Improvement) are the same across the Annex SL family. That means:
- the management-system processes (document control, internal audit, management review, corrective action) can be operated jointly with an existing ISO 27001 ISMS or ISO 27701 PIMS;
- the AIMS-specific additions (AI policy, AI risk assessment, AI impact assessment, AI lifecycle controls) sit on top of the shared backbone rather than alongside it;
- procurement and audit teams familiar with ISO 27001 recognise the structure immediately.
ISO 42001 certification path
1. Scope + gap analysis: define the AIMS boundary; compare the current state against Clauses 4–10 and the relevant Annex A controls.
2. Implement the AIMS: AI policy, AI risk and impact assessments, controls, internal audit, management review.
3. Operating window: run the AIMS long enough to produce evidence — typically 2–3 months minimum.
4. Stage 1 audit: the accredited certification body reviews documentation and readiness.
5. Stage 2 audit: on-site audit of operational effectiveness and evidence.
6. Certification + surveillance: ISO 42001 certificate; annual surveillance audits; recertification every 3 years.
Typical timeline: 6–9 months to Stage 2 with mature ISO 27001 / 9001 in place; 9–15 months starting from scratch. The constraint is the evidence window — auditors want to see a living management system, not a one-off documentation sprint.
Go deeper: ISO 42001 scope and certification.
How to operationalise ISO 42001 in Modulos
Modulos models ISO 42001 through two framework template pairs in modulos_platform:
| Template | Scope | Mapped requirements |
|---|---|---|
| OFF-7 (org) + MFF-7 (app) | Legacy ISO 42001 template — Clauses 4–10 + selected Annex A controls | ORF-65…ORF-94 (28 org) + MRF-66…MRF-110 (38 app) |
| OFF-10 (org) + MFF-10 (app) | Clause-aligned ISO 42001 template — full Clauses 4–10 inventory + Annex A area coverage | ORF-162…ORF-195 (34 org) + MRF-213…MRF-220 (8 app) |
Both template pairs record and link ISO/IEC 42001:2023 requirements. OFF-10 / MFF-10 has clause-aligned requirement names that match the OBP titles; OFF-7 / MFF-7 has the original mix of Clauses 4–10 governance plus Annex A control areas. Check modulos_platform for which pair your tenant is on; the substantive obligations are the same.
The standard AIMS rollout in Modulos:
- One organisation project for the AIMS itself — AI policy, scope statement, risk-management process, internal audit, management review. Apply OFF-7 or OFF-10.
- AI-system projects for the per-system governance work (AI impact assessment, lifecycle controls, monitoring evidence). Apply MFF-7 or MFF-10.
- Where an organisation already operates ISO 27001 / 27701, the AIMS shares Clauses 4–10 management-system processes with the ISMS / PIMS; only the AI-specific clauses and Annex A controls are AIMS-only.
Go deeper: Operationalizing in Modulos.
Framework mapping
Four layers, one reusable spine. The mapping diagram shows example cards for each layer:
- Frameworks: EU AI Act; ISO 42001
- Requirements: Art. 9.1 Risk management; Art. 10.2 Data governance; 6.1.1 Risk assessment
- Components: Risk identification; Impact analysis
- Evidence: Risk register; Test results
- Controls (the reusable spine): Risk assessment process; Data validation checks. One control satisfies many requirements across many frameworks, and groups the components and evidence beneath them.
An edge from any layer card crosses into the Controls spine: the same control may serve a regulatory article, a standards clause, a downstream component, and the evidence that closes it.
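To make the four-layer model concrete, here is an added example (not Modulos platform code) that models the spine as plain Python data and computes two coverage checks an auditor would ask for: which requirements a single control satisfies across frameworks, and which requirements have no control or which controls cite no evidence. The card names come from the diagram above; the control-to-requirement edges and the data structure are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Requirement:
    framework: str   # e.g. "EU AI Act" or "ISO 42001"
    ref: str         # article or clause number
    title: str

@dataclass
class Control:
    name: str
    requirements: list = field(default_factory=list)  # keys into REQUIREMENTS
    components: list = field(default_factory=list)
    evidence: list = field(default_factory=list)

# Constructed sample data: cards from the diagram, edges assumed for illustration.
REQUIREMENTS = {
    "EU AI Act/Art. 9.1": Requirement("EU AI Act", "Art. 9.1", "Risk management"),
    "EU AI Act/Art. 10.2": Requirement("EU AI Act", "Art. 10.2", "Data governance"),
    "ISO 42001/6.1.1": Requirement("ISO 42001", "6.1.1", "Risk assessment"),
}
CONTROLS = [
    Control("Risk assessment process",
            requirements=["EU AI Act/Art. 9.1", "ISO 42001/6.1.1"],
            components=["Risk identification", "Impact analysis"],
            evidence=["Risk register"]),
    Control("Data validation checks",
            requirements=["EU AI Act/Art. 10.2"],
            components=[],
            evidence=[]),  # intentionally missing: no test results attached yet
]

def requirements_for(control_name, controls=CONTROLS, reqs=REQUIREMENTS):
    """(framework, ref) pairs one control satisfies: the 'reusable spine' crossing frameworks."""
    for c in controls:
        if c.name == control_name:
            return sorted((reqs[k].framework, reqs[k].ref) for k in c.requirements)
    raise KeyError(f"unknown control: {control_name}")

def coverage_gaps(controls=CONTROLS, reqs=REQUIREMENTS):
    """Requirements no control maps to, and controls whose evidence layer is empty."""
    covered = {k for c in controls for k in c.requirements}
    return {
        "unmapped_requirements": sorted(k for k in reqs if k not in covered),
        "controls_without_evidence": sorted(c.name for c in controls if not c.evidence),
    }

if __name__ == "__main__":
    print(requirements_for("Risk assessment process"))
    print(coverage_gaps())
```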
Cross-framework mapping (preview)
| ISO 42001 element | Adjacent framework |
|---|---|
| Clause 6.1.2 AI risk assessment | EU AI Act Article 9 (high-risk RMS); NIST AI RMF MAP / MEASURE / MANAGE; ISO 31000 |
| Clause 6.1.4 AI impact assessment | EU AI Act Article 27 FRIA (deployer-side); algorithmic-impact-assessment frameworks |
| Clause 5.2 AI policy | EU AI Act Article 17 QMS; ISO 27001 Clause 5.2 policy |
| Annex A.6 AI system lifecycle | EU AI Act Articles 8–15 substantive obligations; NIST AI RMF GenAI Profile |
| Annex A.7 Data for AI systems | EU AI Act Article 10 data governance; GDPR Articles 5, 6, 9, 10; ISO/IEC 27701 PIMS |
| Annex A.8 Information for interested parties | EU AI Act Article 13 transparency; Article 50 transparency duties |
| Annex A.10 Third-party and customer relationships | EU AI Act Article 25 value chain; NIS2 Article 21(2)(d) supply-chain security |
| Clause 9.1 Monitoring | EU AI Act Article 72 post-market monitoring; ISO 27001 Clause 9.1 |
Related pages
- Scope and certification: define the AIMS scope, the Statement of Applicability, and the path to an accredited certificate.
- Clauses 4–10 (implementation guide): practical reading of the Annex SL management-system clauses for an AIMS.
- Annex A and informative annexes: how to use the Annex A reference controls + the B / C / D informative annexes.
- Operationalizing in Modulos: OFF-7 / MFF-7 (legacy) and OFF-10 / MFF-10 (clause-aligned) rollout, evidence patterns.
- ISO 42001 vs NIST AI RMF: certifiable AIMS vs voluntary risk-management framework, side by side.
- EU AI Act high-risk AI systems: Articles 8–15 substantive obligations that an ISO 42001 AIMS supports.
Source attribution
ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system. Available via the ISO Online Browsing Platform. © ISO.
Disclaimer
This page is for general informational purposes and does not constitute legal or certification advice.