
What Is ISO 42001 and Do I Need It If I Already Have ISO 27001 or SOC 2?

ISO 42001 covers AI-specific governance that neither ISO 27001 nor SOC 2 addresses. If you already hold one of those credentials, you are roughly 60–70% of the way there; here is what is still missing.


What is ISO 42001?

What exactly is ISO 42001 and who published it?

ISO/IEC 42001:2023 is the world's first internationally recognized, certifiable standard for AI management systems. Published by ISO and IEC in December 2023, it gives organizations a structured, auditable framework for governing AI responsibly — covering everything from bias and transparency to human oversight and AI system lifecycle governance.

Where ISO 27001 governs information security — protecting data confidentiality, integrity, and availability — ISO 42001 governs artificial intelligence: how you design, deploy, monitor, and improve AI systems in a way that is fair, transparent, accountable, and safe. Like ISO 27001, it results in a formal certificate issued by an accredited certification body, valid for three years with annual surveillance audits.

The standard is built around the same High-Level Structure (HLS) used by ISO 27001 and ISO 9001, which means the management system architecture — policies, risk assessments, internal audits, management review, document control — is familiar to anyone who has implemented another ISO standard. The AI-specific content lives primarily in Clauses 4–10 and the 38 controls in Annex A.

Source: ISO/IEC 42001:2023 — Artificial intelligence — Management systems (iso.org)

What each standard actually covers

Before comparing them, it helps to understand what each standard was fundamentally designed to do — and where the boundaries are drawn.

SOC 2
  • Logical access controls
  • Encryption & data protection
  • Availability & uptime
  • Incident response
  • Change management
  • Vendor management
  • Privacy controls (optional TSC)
ISO 27001
  • Information security policies
  • Asset & risk management
  • Access control
  • Cryptography
  • Physical security
  • Supplier security
  • Business continuity
ISO 42001
  • AI policy & governance
  • AI risk assessment
  • AI system impact assessments
  • Bias & fairness controls
  • Algorithmic transparency
  • Human oversight mechanisms
  • AI system lifecycle
  • AI training data governance

Notice what's absent from the SOC 2 and ISO 27001 columns: anything AI-specific. Neither standard was designed with AI in mind. They were built to protect data and systems — not to govern whether an AI model is fair, transparent, or operating with appropriate human oversight.

Do I need ISO 42001 if I already have ISO 27001?

My company is ISO 27001 certified. Do we still need ISO 42001?

Yes — if you build or deploy AI, ISO 27001 alone does not cover AI governance. ISO 27001 protects your information. ISO 42001 governs your AI. They answer fundamentally different questions and were designed for different risks.

The good news: because both standards share the same High-Level Structure, your existing management system infrastructure transfers directly. The overlap in management-system requirements (context, leadership, planning, support, operation, performance evaluation, improvement) is commonly estimated at roughly 60–70%; the AI-specific controls are what remain. You are not starting from scratch. You are adding the AI governance layer on top of a foundation you have already built.

What you'll need to build that doesn't exist in ISO 27001:

  • An AI-specific risk assessment methodology that evaluates bias, fairness, societal impact, and AI failure modes — distinct from your ISMS risk assessments
  • AI system impact assessments evaluating effects on individuals, groups, and society
  • An AI policy covering principles, governance roles, and your commitment to responsible AI
  • Controls for AI data governance, bias detection and mitigation, algorithmic transparency, and human oversight
  • AI system lifecycle governance from design through decommissioning

For organizations with a mature ISO 27001 program, the incremental path to ISO 42001 certification typically takes 3–6 months. Most certification bodies offer combined audits that cover both standards in a single engagement, reducing total cost and disruption significantly.

Sources: ISO/IEC 42001:2023; ISO/IEC 27001:2022

Already have ISO 27001? See our ISO 27001 compliance checklist for a full breakdown of what's required — then layer ISO 42001 on top using the steps in this guide.

Do I need ISO 42001 if I already have SOC 2?

We just completed SOC 2 Type II. Does that cover our AI governance obligations?

SOC 2 does not cover AI governance. A SOC 2 report gives your customers confidence in your data security and operational controls — it says nothing about how you govern your AI systems, manage bias, or ensure human oversight. The two credentials answer fundamentally different questions.

SOC 2 is built around the AICPA's Trust Services Criteria — a framework designed for service organizations' security, availability, confidentiality, processing integrity, and privacy. The AICPA has not published AI-specific Trust Services Criteria. A standard SOC 2 audit does not evaluate AI governance, model fairness, or algorithmic transparency at all.

SOC 2 and ISO 42001 also differ structurally. SOC 2 produces an attestation report: a Type I report describes the design of your controls at a point in time, and a Type II report tests their operating effectiveness over a review period (typically 6 to 12 months). ISO 42001 produces a certificate, issued by an accredited body, that attests to a continuously operating management system and is maintained through surveillance audits. Enterprise customers increasingly distinguish between these: a SOC 2 report answers "how do you protect my data?", while ISO 42001 answers "how do you govern your AI?"

Source: AICPA — SOC Suite of Services

The AI governance gap — control by control

Here's where the three frameworks align and diverge across the requirements that matter most when governing AI:

AI governance requirement               SOC 2       ISO 27001   ISO 42001
----------------------------------------------------------------------------
AI risk assessment methodology          ✗ No        ✗ No        ✓ Yes
AI system impact assessments            ✗ No        ✗ No        ✓ Yes
Bias detection & mitigation             ✗ No        ✗ No        ✓ Yes
Algorithmic transparency                ✗ No        ✗ No        ✓ Yes
Human oversight mechanisms              ~ Partial   ~ Partial   ✓ Yes
AI training data governance             ✗ No        ~ Partial   ✓ Yes
AI system lifecycle governance          ✗ No        ✗ No        ✓ Yes
AI policy & governance structure        ✗ No        ✗ No        ✓ Yes
Third-party AI supply chain controls    ~ Partial   ~ Partial   ✓ Yes
Information security controls           ✓ Yes       ✓ Yes       ~ Partial
Formal certifiable credential           ✓ Yes       ✓ Yes       ✓ Yes

The pattern is consistent: ISO 27001 and SOC 2 overlap significantly with each other on security controls (~60–70%), and both are silent on AI-specific governance requirements. ISO 42001 does not replace either framework — it extends your compliance program into the AI governance layer that neither was designed to cover.

The Colorado AI Act: ISO 42001 as a compliance safe harbor

Does any U.S. law specifically recognize ISO 42001 compliance?

Yes. Colorado SB 24-205, the Colorado Artificial Intelligence Act, names ISO/IEC 42001 (alongside the NIST AI Risk Management Framework) as a recognized framework on which a developer's or deployer's risk management program may be based. The Act's affirmative defense is available to a developer or deployer that discovers and cures a violation and otherwise complies with the NIST AI RMF, ISO/IEC 42001, or another nationally or internationally recognized risk management framework. That makes ISO 42001 one of the few certifications that maps directly to U.S. state-level AI legislation.

The Colorado AI Act requires developers and deployers of "high-risk artificial intelligence systems" to implement risk management programs, conduct impact assessments, and maintain documentation of AI governance practices. Its obligations take effect on June 30, 2026, after the legislature delayed the original February 1, 2026 date.

Colorado is not alone. Several other states are modeling AI legislation on Colorado's framework, and organizations building their compliance program around ISO 42001 are positioning themselves for a U.S. regulatory landscape that is moving in one direction. Unlike the EU AI Act, which applies to AI systems placed on the EU market or whose output is used in the EU, state AI legislation directly governs operations and AI use within the United States.

Practical implication: if you deploy high-risk AI systems that affect Colorado residents, which is true for many SaaS companies, an ISO 42001 certification gives you documented, auditable evidence that your risk management program is built on a framework the Act recognizes. That strengthens your position under the Act's affirmative defense and simplifies compliance attestation in enterprise procurement. It is not, on its own, a substitute for the Act's specific obligations such as impact assessments and consumer notices.

ISO 42001 and the EU AI Act

Does ISO 42001 satisfy EU AI Act requirements?

ISO 42001 is not currently a formal compliance pathway under the EU AI Act: it has not been adopted as a harmonized standard, so certification does not by itself create a presumption of conformity. It is, however, widely recognized as strong evidence of compliance, particularly for the Act's requirements around risk management systems, technical documentation, and ongoing governance of high-risk AI systems.

The EU AI Act requires providers of high-risk AI systems to implement a quality management system, operate a risk management system across the lifecycle, maintain technical documentation, and demonstrate ongoing governance and post-market monitoring. ISO 42001 addresses each of these areas. The European Commission has mandated CEN-CENELEC (JTC 21) to develop harmonized standards under the Act, and ISO/IEC 42001 is among the reference standards feeding that work, so an AIMS built on it today should map closely onto whatever the harmonized standards eventually require.

Most high-risk obligations apply from August 2, 2026 (August 2, 2027 for high-risk systems that are safety components of products covered by the Annex I product legislation). For organizations subject to both the EU AI Act and U.S. AI regulation, ISO 42001 provides a single auditable framework that satisfies a significant portion of both. See our EU AI Act compliance guide for the full timeline and obligations.

Source: EU Artificial Intelligence Act (Regulation 2024/1689)

How to add ISO 42001 to an existing ISO 27001 program

If you already have ISO 27001, here is the practical path to adding ISO 42001 certification without duplicating work:

  1. Run a gap assessment against ISO 42001 Benchmark your current AI governance practices against the standard's clauses and Annex A controls. Identify what your ISMS already covers, what partially exists, and what's genuinely new. Our free tool can surface the biggest gaps in minutes.
  2. Define your AIMS scope Your AI Management System scope can be narrower than your ISMS scope. Start with your highest-risk or most commercially important AI systems. Scope discipline is the biggest lever for controlling certification time and cost.
  3. Write your AI policy Create a standalone AI policy covering principles for responsible AI use, governance roles and responsibilities, and your commitment to legal compliance and continuous improvement. Keep it short and real — auditors want evidence it's followed, not a marketing document.
  4. Conduct AI risk and impact assessments Run AI-specific risk assessments for each in-scope system — these evaluate bias, fairness, societal impact, and AI failure modes, and are distinct from your ISMS risk assessments. Also conduct AI system impact assessments evaluating effects on affected individuals and groups.
  5. Implement Annex A controls and build your Statement of Applicability Work through the 38 Annex A controls, document which apply to your context, and implement those your risk assessment has prioritized. Use Annex B for implementation guidance on each control.
  6. Integrate with your existing ISMS Align your AIMS documentation, internal audit schedule, and management review with your existing ISO 27001 program. Genuinely share processes where you can — don't build parallel bureaucracy where one program will do.
  7. Certify — ideally with a combined audit Engage your existing ISO 27001 certification body early. Most offer combined Stage 1 and Stage 2 audits covering both standards in a single engagement, which significantly reduces total cost compared to two separate audit cycles.

Find your ISO 42001 gaps in minutes

Our free assessment benchmarks your current AI governance practices against ISO 42001 and flags the highest-priority gaps — whether you're starting from scratch or building on ISO 27001 or SOC 2.


Frequently Asked Questions

Can ISO 42001 replace ISO 27001?

No. ISO 42001 is not a replacement for ISO 27001 — it's a complement. ISO 27001 covers information security management; ISO 42001 covers AI management. If your AI systems handle sensitive data (almost all do), you need both. ISO 27001 protects the data your AI processes; ISO 42001 governs how your AI behaves. Organizations that pursue both have a significantly stronger compliance posture than those with either alone.

What's the difference between ISO 42001 and the NIST AI RMF?

ISO 42001 is a certifiable international standard: you can be audited against it by an accredited body and receive a certificate. The NIST AI RMF is a voluntary U.S. framework with no formal certification. The two cover broadly overlapping ground on AI risk governance (the RMF's Govern, Map, Measure and Manage functions line up with ISO 42001's clauses and Annex A controls), and NIST publishes a crosswalk mapping AI RMF 1.0 to ISO/IEC 42001. Most organizations use the NIST AI RMF as their internal operational framework and pursue ISO 42001 for the external credential. Note the chronology: AI RMF 1.0 was published in January 2023, before ISO 42001, so the alignment comes from the crosswalk and shared concepts rather than from either being designed around the other.

Source: NIST AI Risk Management Framework (AI RMF 1.0) — nist.gov

Does SOC 2 cover AI at all?

Not specifically. The AICPA's Trust Services Criteria do not include AI-specific requirements. A SOC 2 auditor may evaluate controls that happen to touch AI systems (access controls, change management, availability), but a SOC 2 report does not attest to AI governance, bias controls, or human oversight practices. The AICPA has acknowledged this gap — no AI-specific Trust Services Criteria have been published as of 2026.

Source: AICPA — SOC Suite of Services

How does ISO 42001 relate to CMMC and DFARS?

The Cybersecurity Maturity Model Certification (CMMC), imposed on contractors through DFARS clause 252.204-7021, focuses on protecting Federal Contract Information and Controlled Unclassified Information in the defense industrial base. It does not address AI governance. If your defense contracting work involves AI-enabled systems, CMMC covers the security of the data those systems handle; ISO 42001 covers the governance of the AI systems themselves. As DoD increasingly procures AI, separate AI governance requirements are expected to emerge, and ISO 42001 is a likely reference standard. See our CMMC Level 2 guide for current requirements.

Source: DoD CMMC Program Office — acq.osd.mil

Is there a combined ISO 27001 + ISO 42001 certification?

There is no single combined certificate — you receive separate ISO 27001 and ISO 42001 certificates. However, ISO 42001 Annex D explicitly addresses integration with ISO 27001 and other management system standards, and most accredited certification bodies offer integrated audits covering both simultaneously. This is significantly more efficient than two separate programs and is the recommended path for organizations pursuing both.