ISO/IEC 42001:2023 is the world's first certifiable AI management system standard. Here's what it requires, how it relates to the EU AI Act, and a practical path to implementation.
Why ISO 42001 exists
AI systems create risks that classic information security standards don't fully address: bias, hallucination, opacity, drift, automation bias, and accountability gaps when a model is wrong. ISO/IEC 42001:2023 is the first international standard to define a management system specifically for AI — comparable to what ISO 27001 did for information security.
It is certifiable. An accredited body can audit your AI Management System (AIMS) and issue a certificate that customers, regulators and procurement teams increasingly ask for.
The Annex A controls (at a glance)
A.2 Policies related to AI
A.3 Internal organisation
A.4 Resources for AI systems
A.5 Assessing impacts of AI systems
A.6 AI system lifecycle
A.7 Data for AI systems
A.8 Information for interested parties of AI systems
A.9 Use of AI systems
A.10 Third-party and customer relationships
A five-step implementation path
Step 1
Define your AI scope and roles
List the AI systems you build, sell, host or use, and pick a role for each: provider, producer, customer, partner, subject. Your obligations differ for each role.
Step 2
Run an AI impact assessment
Clause 6.1.4 requires this assessment and Annex B gives implementation guidance. Assess each AI system for impact on individuals, groups and society — performance, fairness, transparency, safety, security, privacy.
Step 3
Score and treat AI risks
Use your existing risk methodology (5×5 likelihood × impact works). AI-specific risks include training-data bias, model drift, prompt injection, IP leakage and over-reliance.
Step 4
Implement Annex A controls
Adopt the controls that apply to your role. Document a Statement of Applicability listing included controls, excluded controls and the justification for each.
Step 5
Monitor, audit, improve
AI systems drift — performance today is not performance next quarter. Define monitoring metrics, set thresholds, run internal audits, and feed findings into management review.
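Step 5 asks for monitoring metrics with thresholds and findings that flow into management review. The following is an added example, not code from the page or from ISO-STANDARD.app, of what such a monitor can look like for one classifier: it compares the current window of model scores against a reference window using the Population Stability Index (PSI), checks accuracy against a floor, and emits findings for anything out of bounds. The thresholds (PSI 0.2, accuracy 0.85), the score buckets and the sample data are assumptions constructed for illustration.

```python
"""Added example (not from the page): drift and performance monitor for an AIMS."""
import math
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class Finding:
    """One out-of-threshold observation, ready for the risk register or audit log."""
    metric: str
    value: float
    threshold: float
    action: str


def bucket_counts(values: Sequence[float], edges: Sequence[float]) -> List[int]:
    """Histogram of values over [edges[i], edges[i+1]); the last bucket also includes edges[-1]."""
    counts = [0] * (len(edges) - 1)
    last = len(edges) - 2
    for v in values:
        for i in range(len(edges) - 1):
            if edges[i] <= v < edges[i + 1] or (i == last and v == edges[-1]):
                counts[i] += 1
                break
    return counts


def psi(reference: Sequence[float], current: Sequence[float],
        edges: Sequence[float], eps: float = 1e-4) -> float:
    """Population Stability Index between a reference and a current score distribution.

    PSI = sum((q_i - p_i) * ln(q_i / p_i)); empty buckets are floored at eps so the log is finite.
    """
    ref = bucket_counts(reference, edges)
    cur = bucket_counts(current, edges)
    n_ref, n_cur = sum(ref), sum(cur)
    total = 0.0
    for r, c in zip(ref, cur):
        p = max(r / n_ref, eps)
        q = max(c / n_cur, eps)
        total += (q - p) * math.log(q / p)
    return total


def accuracy(labels: Sequence[int], predictions: Sequence[int]) -> float:
    """Share of predictions that match the labels."""
    correct = sum(1 for y, p in zip(labels, predictions) if y == p)
    return correct / len(labels)


# Assumed thresholds: a PSI above 0.2 is widely treated as material drift; the accuracy
# floor is whatever the impact assessment (Step 2) justified for this system.
PSI_THRESHOLD = 0.2
ACCURACY_FLOOR = 0.85
SCORE_EDGES = [0.0, 0.2, 0.4, 0.6, 0.8, 1.0]


def evaluate_window(reference_scores: Sequence[float], current_scores: Sequence[float],
                    labels: Sequence[int], predictions: Sequence[int]) -> List[Finding]:
    """Run the monitoring metrics for one review window and return every breached threshold."""
    findings: List[Finding] = []
    drift = psi(reference_scores, current_scores, SCORE_EDGES)
    if drift > PSI_THRESHOLD:
        findings.append(Finding("psi", drift, PSI_THRESHOLD,
                                "score distribution drifted; raise in management review, reassess risk"))
    acc = accuracy(labels, predictions)
    if acc < ACCURACY_FLOOR:
        findings.append(Finding("accuracy", acc, ACCURACY_FLOOR,
                                "performance below floor; consider retraining or restricting use"))
    return findings


# Constructed sample data: the reference window is spread evenly over [0, 1];
# the current window is the same scores shifted up by 0.3 and capped at 1.0.
REFERENCE_SCORES = [i / 100 for i in range(100)]
CURRENT_SCORES = [min(1.0, i / 100 + 0.3) for i in range(100)]
# Constructed labels and predictions for the current window: 7 of 10 correct.
LABELS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]
PREDICTIONS = [1, 0, 1, 0, 0, 1, 1, 0, 0, 1]

if __name__ == "__main__":
    for f in evaluate_window(REFERENCE_SCORES, CURRENT_SCORES, LABELS, PREDICTIONS):
        print(f"{f.metric}: {f.value:.3f} vs threshold {f.threshold} -> {f.action}")
```

Each Finding carries the metric, the observed value, the threshold and a proposed action, which is the minimum an internal auditor will want to see when tracing a monitoring result through to a management review decision.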
One workspace for ISO 27001 + ISO 42001
If you already run an ISMS, an AIMS doesn't need a second tool. The clauses share the same Annex SL backbone — controls, risks and policies overlap, and a unified workspace prevents duplication.
ISO-STANDARD.app ships a ready-to-adopt ISO 42001 workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.
Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.
Frequently asked questions
Who needs ISO 42001?
Any organisation that develops, provides or uses AI systems — from foundation-model builders to SaaS vendors embedding LLMs to enterprises deploying AI internally. It is the AI counterpart to ISO 27001 for information security.
How does ISO 42001 relate to the EU AI Act?
The AI Act is regulation; ISO 42001 is a voluntary management system standard. Certification does not grant AI Act conformity, but a 42001 AIMS gives you most of the governance, risk management and documentation evidence the Act expects from high-risk system providers.
Can ISO 42001 be integrated with ISO 27001?
Yes — and most organisations should. Both share the Annex SL high-level structure, so scope, leadership, planning, support, operation, evaluation and improvement clauses line up directly. The AIMS treats AI-specific risks (bias, robustness, transparency) as a complement to the ISMS.
What is in Annex A?
ISO 42001 Annex A defines 38 controls across 10 categories — policies for AI, internal organisation, resources, impact assessment, AI system lifecycle, data, information for interested parties, AI system use, third-party relationships and AI system development.