What Is ISO 42001?
ISO/IEC 42001:2023 is the world's first international, certifiable standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it gives organizations a structured framework to govern AI responsibly — covering how you design, deploy, monitor, and continuously improve AI systems throughout their lifecycle.
If you're familiar with ISO 27001 for information security, ISO 42001 follows the same management system logic. You define a scope, conduct risk assessments, implement controls, run internal audits, and get certified by an accredited body. The difference is the subject matter: instead of protecting data, you're governing AI — its fairness, transparency, accountability, and the risks it poses to people and organizations.
Still voluntary — but that's changing fast. ISO 42001 is not legally required today, but Microsoft's SSPA supplier program already mandates it for certain vendors, and enterprise buyers are increasingly asking for it in RFPs. As AI regulation matures, ISO 42001 is on track to become the baseline AI governance credential — much like ISO 27001 became the de facto information security standard.
Who Should Pursue ISO 42001?
ISO 42001 applies to any organization involved in AI — whether you build it, deploy it, or use it in your operations. That covers a wide range:
- AI product companies — vendors building AI-powered software or models
- SaaS and cloud providers — platforms that use AI in their services
- Enterprises using AI internally — for hiring, lending, operations, customer service
- Professional services firms — law firms, consultancies, ad-tech companies using AI tools
- Microsoft SSPA suppliers — already required for certain supplier tiers
- Organizations subject to the EU AI Act — ISO 42001 provides a strong foundation for compliance
You don't need to be an AI company to need it. If AI makes decisions that affect your customers, employees, or partners — and you want to demonstrate that those decisions are governed responsibly — ISO 42001 is the credential to pursue.
Structure: The 10 Clauses
ISO 42001 uses the same High-Level Structure (HLS) as ISO 27001, ISO 9001, and other ISO management system standards. Clauses 1–3 are introductory. Clauses 4–10 contain the mandatory requirements.
Context of the Organization
Identify internal and external factors affecting your AIMS, define stakeholder expectations, and set your scope.
Leadership
Top management must demonstrate commitment, assign roles, and establish an AI policy that guides your governance approach.
Planning
Conduct AI risk assessments, define AI objectives, and plan for changes — including AI system impact assessments where required.
Support
Allocate resources, build competence, train staff, and manage the documentation your AIMS depends on.
Operation
Implement controls from Annex A, conduct impact assessments, and manage AI system lifecycles from development through decommissioning.
Performance Evaluation
Monitor, measure, analyze, and evaluate your AIMS through internal audits and management reviews.
Improvement
Address nonconformities, implement corrective actions, and continually improve your AI management system.
Controls & Guidance
Annex A lists 38 controls. Annex B provides implementation guidance. Annex C covers AI objectives and risk sources. Annex D addresses integration with other standards.
The 38 Controls: Annex A
Annex A is the operational heart of ISO 42001. It contains 38 controls organized across 9 control objectives. You select which controls apply to your context via a Statement of Applicability — similar to how ISO 27001 works.
- A.2 Policies for AI — Establish an overarching AI policy and specific-use policies governing how AI is developed and deployed in your organization.
- A.3 Internal Organization — Define roles, responsibilities, and governance structures for AI oversight.
- A.4 Resources for AI Systems — Manage compute, data, tooling, and human resources needed for responsible AI.
- A.5 Assessing Impacts of AI Systems — Conduct AI system impact assessments to evaluate effects on individuals, groups, and society.
- A.6 AI System Lifecycle — Governance requirements across design, development, testing, deployment, monitoring, and decommissioning.
- A.7 Data for AI Systems — Data quality, provenance, governance, and controls for training and operational data.
- A.8 Information for Interested Parties — Transparency requirements: what you disclose about your AI systems to users and stakeholders.
- A.9 Use of AI Systems — Controls for appropriate use, human oversight, and intervention mechanisms.
- A.10 Third-Party and Customer Relations — Supply chain controls, due diligence on AI vendors, and customer-facing accountability.
Within each control objective, individual controls address specific practices. For example, A.6 (AI System Lifecycle) includes controls on requirements specification, design documentation, testing for bias and performance, and monitoring in production. Annex B provides detailed implementation guidance for each control.
ISO 42001 vs. ISO 27001
This is the most common question from organizations already certified to ISO 27001. The short answer: they're complementary, not duplicative. If you have ISO 27001, you have a significant structural advantage — but you still have meaningful work to do.
| Dimension | ISO 27001 | ISO 42001 |
|---|---|---|
| Scope | Information security management | AI management |
| Subject | Protecting data (CIA triad) | Governing AI systems (fairness, transparency, accountability) |
| Controls | 93 controls in Annex A | 38 controls in Annex A |
| Risk focus | Information security risks | AI-specific risks: bias, opacity, misuse, societal impact |
| Structure | ISO High-Level Structure (HLS) | ISO High-Level Structure (HLS) — identical format |
| Certification | 3-year cycle, annual surveillance | 3-year cycle, annual surveillance |
| Maturity | Established — widely adopted | Newer — adoption accelerating rapidly |
If you have ISO 27001, your management system infrastructure (policies, internal audits, management review, document control) transfers directly. What you'll need to build from scratch: AI-specific risk assessments, impact assessments, AI policy, and controls covering transparency, bias, human oversight, and AI lifecycle governance. Organizations with ISO 27001 typically reach ISO 42001 certification significantly faster than those starting from zero. See our ISO 27001 compliance checklist if you're still working on that foundation.
ISO 42001 vs. NIST AI RMF
Both frameworks aim to make AI trustworthy, but they're fundamentally different in nature. ISO 42001 is a certifiable standard with specific requirements you're audited against. The NIST AI RMF is a voluntary, flexible framework with no formal certification.
| Dimension | ISO 42001 | NIST AI RMF |
|---|---|---|
| Type | Certifiable international standard | Voluntary framework |
| Certification | Yes — audited by accredited body | No formal certification |
| Geographic origin | International (ISO/IEC) | U.S.-origin (NIST) |
| Prescriptiveness | Specific requirements (shall language) | Flexible guidance (should/can language) |
| Best for | Demonstrating governance to customers and regulators via credential | Internal AI risk management program design |
| Relationship | Highly complementary to NIST AI RMF; many organizations use both | Highly complementary to ISO 42001; many organizations use both |
In practice, many organizations implement the NIST AI RMF to structure their internal AI risk program, then pursue ISO 42001 certification to demonstrate that program externally. The GOVERN, MAP, MEASURE, MANAGE functions of the AI RMF map well to ISO 42001's clauses — working through one makes the other considerably easier.
ISO 42001 and the EU AI Act
If your organization is subject to the EU AI Act, ISO 42001 is highly relevant — though the relationship is nuanced.
The EU AI Act mandates specific requirements for high-risk AI systems, including quality management systems, risk management, technical documentation, human oversight, and conformity assessments. ISO 42001's AIMS requirements overlap significantly with these obligations. An organization with a certified AIMS has already built most of the governance infrastructure the Act requires.
However, ISO 42001 certification is not currently a formal compliance pathway under the EU AI Act. The European Commission is working with standards bodies to develop harmonized standards — and ISO 42001 is expected to play a central role once finalized. In the meantime, ISO 42001 certification is strong evidence of responsible AI governance and reduces the burden of EU AI Act conformity assessments considerably.
Practical guidance: If you're building for EU markets, implement ISO 42001 and the EU AI Act in parallel rather than sequentially. The documentation, risk assessments, and controls overlap substantially. Doing them together is far more efficient than treating them as separate projects.
The ISO 42001 Certification Process
Certification follows the same two-stage audit process as ISO 27001 and other ISO management system standards.
- Define your AIMS scope: Decide which AI systems, products, and business units are in scope. Start narrow — a single AI product or business unit — and expand in subsequent cycles. A well-defined scope is the foundation of a manageable certification project.
- Conduct a gap assessment: Benchmark your current AI governance practices against ISO 42001's clauses and Annex A controls. Identify what's missing, what partially exists, and what's already in place. Our free gap assessment tool can help surface the biggest gaps quickly.
- Build your AIMS documentation: Write your AI policy, establish roles and responsibilities, create procedures for AI risk assessment and impact assessment, and produce a Statement of Applicability documenting which Annex A controls apply and how.
- Implement Annex A controls: Execute your risk treatment plan — build data governance procedures, establish AI system lifecycle processes, implement transparency and human oversight mechanisms, and document everything auditors will need to see.
- Train your team: Ensure all staff with AI governance responsibilities understand their roles. ISO 42001 requires demonstrable competence — not just policies on paper.
- Run internal audits and management review: Conduct at least one internal audit cycle to verify controls are operating effectively. Hold a management review to assess AIMS performance and sign off on readiness for external audit.
- Stage 1 audit (documentation review): Your chosen certification body reviews your AIMS documentation — policies, risk assessments, Statement of Applicability, internal audit results. They confirm your system is sufficiently documented and ready for Stage 2.
- Stage 2 audit (implementation audit): Auditors verify your AIMS is fully implemented and operating effectively. They interview staff, review evidence, and test that controls work in practice, not just on paper. Nonconformities must be resolved before certification is issued.
Timeline and Cost
Both depend heavily on your starting point. Organizations with ISO 27001 already have the management system infrastructure in place and can move considerably faster.
| Starting Point | Typical Timeline | Key Cost Drivers |
|---|---|---|
| ISO 27001 certified | 3–6 months | Gap assessment, AI-specific documentation, audit fees |
| Strong internal governance, no ISO cert | 6–9 months | Management system build, controls implementation, audit fees |
| Starting from scratch | 9–14 months | Full AIMS build, remediation, training, audit fees |
Certification body audit fees typically range from $8,000–$25,000 depending on organization size and scope complexity. Add internal time, possible consultant support, and remediation costs. Organizations that have already implemented the NIST AI RMF or have mature AI governance practices will spend significantly less on remediation.
If you already hold ISO 27001 certification, consider pursuing ISO 42001 alongside your next ISO 27001 surveillance or recertification audit — many certification bodies offer combined audits that reduce total cost and disruption.
Frequently Asked Questions
Is ISO 42001 the same as ISO 27001 for AI?
Structurally similar, but different in scope. Both are ISO management system standards using the same High-Level Structure — so policies, audits, and management reviews look familiar. But ISO 27001 governs information security, while ISO 42001 governs AI management specifically: bias, transparency, human oversight, AI system lifecycle, and impact on affected populations. You need both if you handle sensitive data and build or deploy AI.
Can a small company get ISO 42001 certified?
Yes. ISO 42001 is designed to scale. A startup with a narrow AIMS scope (one AI product, well-defined) can achieve certification faster and at lower cost than an enterprise with dozens of AI systems. The key is scope discipline — start with your highest-risk or most commercially important AI system and expand over subsequent certification cycles.
What's a Statement of Applicability in ISO 42001?
The Statement of Applicability (SoA) is a document that lists all 38 Annex A controls and states, for each one, whether it applies to your organization and why. For controls you've excluded, you must justify the exclusion. The SoA is a key audit document — it's how auditors understand the shape of your AIMS and how you've tailored the standard to your context.
Does ISO 42001 cover generative AI and large language models?
Yes. The standard is technology-agnostic — it applies to any AI system including generative AI, LLMs, recommendation systems, and automated decision systems. For generative AI specifically, controls around transparency, human oversight, impact assessment, and data governance are particularly relevant. The specific risks of LLMs (hallucination, prompt injection, harmful outputs) are addressed through the risk assessment and control implementation process.
How does ISO 42001 relate to GDPR and privacy?
ISO 42001 has significant overlap with privacy obligations, particularly in data governance controls (Annex A.7) and impact assessment requirements (Annex A.5). Organizations implementing ISO 42001 alongside GDPR compliance will find overlapping requirements around data quality, data provenance, transparency, and documentation. Combined implementation is more efficient than treating them separately. ISO 42001 Annex D explicitly references ISO 27701 (privacy extension for ISO 27001) as a complementary standard.