ISO/IEC 42001
ISO/IEC 42001:2023 is the first international, certifiable standard for an AI management system (AIMS). Like ISO 27001 for information security, it defines how an organization should establish, implement, maintain and continually improve the way it governs AI — through a policy, defined roles, risk and impact assessments, a set of controls, and a Plan-Do-Check-Act improvement cycle. It is voluntary and certifiable, giving organizations a recognized way to demonstrate responsible AI management.
Definition
ISO/IEC 42001 is a management-system standard that specifies requirements for establishing and continually improving an Artificial Intelligence Management System (AIMS) across an organization's AI lifecycle.
Scope
Any organization that provides or uses AI, of any size or sector. It governs the management system around AI — not a specific product — so it complements product- or risk-specific frameworks rather than replacing them.
Key requirements
- A certifiable AI management system, structured like other ISO management standards.
- Requires an AI policy, leadership commitment and clearly assigned roles and responsibilities.
- Centres on AI risk assessment and AI system impact assessment.
- Provides a reference set of controls (Annex A) and implementation guidance (Annex B).
- Built on the Plan-Do-Check-Act cycle for continual improvement.
- Complements regulation (EU AI Act) and risk frameworks (NIST AI RMF).
Controls
- AI policy & governance roles
- Establish an organizational AI policy and assign accountable owners — governance starts with leadership, not tooling.
- AI risk assessment
- Systematically identify, analyse and treat risks across the AI lifecycle, and keep the assessment current.
- AI system impact assessment
- Assess impacts on individuals and society (fairness, safety, rights), not just technical risk.
- Lifecycle controls (Annex A)
- Apply controls for data, design, deployment and operation, selecting those relevant to your context.
- Continual improvement (PDCA)
- Audit, review and improve the management system on a cycle, so governance keeps pace with change.
Checklist
- 01Define the AIMS scope and an organizational AI policy.
- 02Assign governance roles, responsibilities and leadership accountability.
- 03Run AI risk assessments and AI system impact assessments.
- 04Select and implement the relevant Annex A controls.
- 05Document objectives, processes and evidence of operation.
- 06Establish internal audit and management review.
- 07Run the Plan-Do-Check-Act cycle and pursue certification if desired.
Common pitfalls
- Treating it as a one-off project rather than a continuing management system.
- Documenting a policy nobody operates against day to day.
- Confusing it with EU AI Act compliance — certification is not legal conformity.
- Skipping impact assessment and reducing it to technical risk only.
Examples
- A company standing up an AIMS to govern all its AI use under one policy and risk process.
- An impact assessment surfacing a fairness risk before a model ships.
- An annual internal audit and management review closing governance gaps.
FAQs
- Is ISO/IEC 42001 the same as complying with the EU AI Act?
- No. The standard is a voluntary, certifiable management system; the EU AI Act is binding law. A well-run AIMS supports legal compliance but does not by itself satisfy it.
- Can you get certified?
- Yes. Like ISO 27001, an accredited body can audit and certify an organization's AI management system against the standard.
- How does it relate to NIST AI RMF?
- They are complementary: NIST AI RMF gives a risk-management framework and trustworthiness characteristics; ISO/IEC 42001 gives the certifiable management-system structure to operate governance continuously.