
ISO 42001: The AI Management System Standard Your Organisation Needs to Know

ISO/IEC 42001:2023 is the international standard for AI Management Systems (AIMS). Published in December 2023, it provides organisations with a structured, certifiable framework for governing AI responsibly — from risk assessment to human oversight to data governance. As EU AI Act obligations approach and customers start asking about AI governance, searches for ISO 42001 are rising fast. This guide explains what the standard requires, how it relates to ISO 27001, and how to approach implementation.

Cyvra Team
Cyvra Consultancy
10 June 2026
10 min read
Key takeaways
  • ISO 42001 is the first internationally recognised AI Management System standard — it is certifiable, like ISO 27001
  • It applies to organisations that develop, provide, or use AI-based products and services — providers and deployers alike
  • The standard uses the same High Level Structure as ISO 27001 and ISO 9001, so integration with existing management systems is straightforward
  • The AI system impact assessment is the central new requirement — it evaluates potential effects on people and society, not just technical risk
  • ISO 42001 maps directly to several EU AI Act deployer obligations and can form the documented governance basis for AI Act compliance
  • Organisations with mature ISO 27001 programmes can typically reach ISO 42001 certification readiness within 6 to 12 months

What ISO 42001 is

ISO/IEC 42001:2023 — formally titled "Information technology — Artificial Intelligence — Management System" — is the international standard for establishing, implementing, maintaining, and improving an Artificial Intelligence Management System (AIMS). It was published by ISO in December 2023 and became the first globally recognised certifiable standard for AI governance.

The standard is not a technical specification for building AI systems. It is a management system standard: it defines the governance processes, documentation, oversight mechanisms, and continual improvement cycles that an organisation needs in order to manage AI responsibly. It is concerned with how you make decisions about AI, not with the mathematics or engineering behind the AI itself.

ISO 42001 applies to any organisation that develops AI systems, provides AI-based products or services, or uses AI systems in its operations. That means software vendors building AI features, SaaS companies whose platforms incorporate AI, and businesses that deploy AI tools from third-party providers — all of them are within the scope of the standard. The obligations scale with the role: providers face more detailed implementation requirements, but deployers have real governance duties too.

Why searches for ISO 42001 are rising

Two forces are driving uptake. First, the EU AI Act requires documented processes for AI risk management, human oversight, and monitoring that ISO 42001 provides the framework to implement. Second, enterprise procurement, insurers, and investors are beginning to ask for evidence of structured AI governance — in the same way they asked for ISO 27001 a decade ago. The certification market for ISO 42001 is growing rapidly.

The standard's structure

ISO 42001 uses the Harmonised Structure (HS, formerly called the High Level Structure), the common framework shared by all modern ISO management system standards including ISO 27001, ISO 9001, and ISO 14001. This means that if your organisation already operates an ISO 27001 Information Security Management System, the governance architecture for ISO 42001 will be immediately familiar — and the two systems can be integrated rather than run in parallel.

The ten clauses of the standard follow the Plan-Do-Check-Act cycle; Clauses 1 to 3 are introductory (scope, normative references, terms), and the requirements sit in Clauses 4 to 10:

  • Clause 4, Context: Understanding the organisation, its interested parties, AI-specific internal and external issues, and the scope of the AIMS. Requires identification of all AI systems within scope and the organisation's role for each (developer, provider, or deployer).
  • Clause 5, Leadership: Top management must demonstrate commitment to the AIMS, establish an AI policy, and assign roles and responsibilities for AI governance. The AI policy must address responsible AI use, human oversight, and alignment with the organisation's values.
  • Clause 6, Planning: AI-specific risks and opportunities must be identified and assessed. AI objectives must be established — measurable targets for responsible AI use. Risk treatment plans must be documented and linked to controls from Annex A.
  • Clause 7, Support: Resources, competence, awareness, communication, and documented information. Staff involved in AI development or deployment must demonstrate the competence required for their role. Records of AIMS processes must be maintained.
  • Clause 8, Operation: The core implementation clause. Requires AI system impact assessments, AI risk assessments, risk treatment, and the operational controls for each in-scope AI system. This is where most of the AI-specific work lives.
  • Clause 9, Performance evaluation: Monitoring, measurement, internal audit, and management review. Organisations must define what they measure, how often, and who reviews the results. Management reviews must cover AI risk performance and AIMS improvements.
  • Clause 10, Improvement: Nonconformity, corrective action, and continual improvement. AI-specific incidents — system failures, harmful outputs, bias findings — must be recorded, investigated, and used to drive process improvement.

The AI system impact assessment

The AI system impact assessment is the most distinctive element of ISO 42001. It sits within Clause 8 (Operation) and requires organisations to evaluate, before deploying any AI system in scope, the potential impact of that system on:

  • Individuals who interact with the system or whose data it processes — including accuracy, fairness, transparency, and the possibility of harmful outcomes.
  • Groups and communities that may be affected by the system's outputs at scale — including potential for discriminatory or disproportionate impact on protected groups.
  • Society more broadly — including environmental impact, concentration of power, and effects on democratic processes or public trust.
  • The organisation itself — reputational, legal, and operational risks arising from the AI system's behaviour.

The impact assessment must be documented, reviewed when the AI system changes materially, and used to inform the selection of controls. It is not a one-time gate but an ongoing process — if an AI system changes in scope, use case, or underlying model, the impact assessment must be revisited.

For organisations preparing for EU AI Act compliance, the impact assessment maps closely to the Fundamental Rights Impact Assessment (FRIA) required of certain high-risk AI deployers under the Act. Implementing ISO 42001's impact assessment process is a practical way to build the documentation discipline that FRIA compliance requires.

The impact assessment is not a compliance checkbox. It is the mechanism by which an organisation demonstrates it has thought seriously about what its AI systems could do to the people affected by them — not just what they can do for the business.

Annex A controls

ISO 42001's Annex A contains AI-specific controls that organisations should consider implementing, similar to the 93 controls in ISO 27001's Annex A. The Annex A controls in ISO 42001 cover six domains:

  • Policies related to AI: Controls covering the establishment, communication, and review of the organisation's AI policy and supporting policies on specific AI topics.
  • Internal organisation: Controls covering governance structures, roles, oversight bodies, and accountability for AI systems.
  • Resources for AI systems: Controls covering data governance, compute resources, and the tools and infrastructure used in AI development and deployment.
  • Assessing AI impact: Controls covering the process and documentation requirements for the AI system impact assessment.
  • AI system lifecycle: Controls covering design, development, testing, deployment, monitoring, and decommissioning of AI systems.
  • Third-party and customer relationships: Controls covering AI-related obligations in supplier and customer contracts, and due diligence on third-party AI components.

Organisations select controls from Annex A based on the outcomes of their AI risk assessment and impact assessment. Not every control applies to every organisation — the Statement of Applicability (SoA) documents which controls are in scope and provides the justification for any exclusions.

ISO 42001 vs ISO 27001: what's different

Dimension by dimension, ISO 27001 compared with ISO 42001:

  • Focus. ISO 27001: protecting information and information systems. ISO 42001: governing AI responsibly across its lifecycle.
  • Risk scope. ISO 27001: confidentiality, integrity, and availability of information. ISO 42001: AI system impact on people, society, and the organisation; fairness, transparency, accountability.
  • Key assessment. ISO 27001: information security risk assessment. ISO 42001: AI system impact assessment plus AI risk assessment.
  • Annex A controls. ISO 27001: 93 controls across 4 themes. ISO 42001: AI-specific controls across 6 domains.
  • Scope definition. ISO 27001: information assets and systems in scope. ISO 42001: AI systems in scope and the organisation's role for each.
  • Certification cycle. ISO 27001: 3 years, with annual surveillance audits. ISO 42001: 3 years, with annual surveillance audits.
  • Integration. ISO 27001: integrates with ISO 9001, ISO 14001, and others. ISO 42001: designed to integrate with ISO 27001 and ISO 9001.

For organisations already operating an ISO 27001 ISMS, the path to ISO 42001 is substantially shorter. The management system infrastructure — documented information, internal audit, management review, corrective action — is already in place. What needs to be added is AI-specific: the AI policy, impact assessment process, AI risk assessment, and the AI-specific controls from Annex A. Many organisations choose to integrate these into their existing ISMS rather than running a separate AIMS.

ISO 42001 and the EU AI Act

ISO 42001 and the EU AI Act address the same problem from different angles. The AI Act sets legal minimum requirements. ISO 42001 provides a management system framework that makes meeting those requirements systematic and auditable.

Several EU AI Act obligations for deployers of high-risk AI map directly to ISO 42001 processes:

  • The Act's requirement to implement human oversight maps to ISO 42001's human oversight controls in Annex A and to the impact assessment's requirement to consider whether human review is adequate.
  • The Act's requirement to monitor AI system performance and detect unexpected behaviour maps to ISO 42001 Clause 9's monitoring and measurement requirements.
  • The Act's requirement to maintain logs maps to ISO 42001's documented information requirements and Annex A controls on record-keeping.
  • The Act's FRIA requirement for certain deployers maps to ISO 42001's AI system impact assessment process.
  • The Act's requirement to inform workers affected by AI systems maps to ISO 42001's communication and awareness controls.

Formal harmonisation — where conformity with ISO 42001 creates a legal presumption of compliance with specific AI Act articles — is expected but has not yet been confirmed as of June 2026. When harmonised standards are published in the Official Journal, ISO 42001 certification is likely to become a significant asset for both providers and deployers seeking to demonstrate compliance.

  • December 2023: ISO/IEC 42001:2023 published, the first certifiable AI management system standard.
  • 6 to 12 months: time to certification readiness for organisations with mature ISO 27001 programmes.
  • 3 years: certification cycle with annual surveillance audits, the same structure as ISO 27001.

Getting started with ISO 42001

The implementation path depends on where you are starting from. Organisations with ISO 27001 have a significant head start. Those without any formal management system face a longer road but can implement both standards together from a shared foundation.

Step 1: Define your AIMS scope

List every AI system your organisation develops, provides, or uses in a professional context. For each system, determine your role: developer, provider, or deployer. Systems where you are a developer or provider will require more detailed documentation and controls. Systems where you are a deployer — using a third-party AI tool — require governance over how you use them, not over how they are built.

Step 2: Conduct AI system impact assessments

For each in-scope AI system, complete an impact assessment covering the four dimensions: impact on individuals, groups, society, and the organisation. Document your findings, identify where impact is significant, and use the assessment to drive your control selection. This step often surfaces governance gaps that were not previously visible — AI tools deployed without proper review, data practices that need updating, and oversight mechanisms that are informal or absent.

Step 3: Conduct your AI risk assessment

Using the findings from your impact assessments, complete a formal AI risk assessment for each in-scope system. Identify risks to the organisation from AI failures, misuse, or harmful outputs. Rate them. Identify the treatment options: accept, mitigate, transfer, or avoid. Document the decisions and link them to the controls you will implement from Annex A.

Step 4: Establish your AI policy and governance structure

Draft an AI policy that sets out your organisation's commitments on responsible AI use, human oversight, transparency to affected parties, and data governance. Assign clear ownership: who is accountable for the AIMS overall, who reviews AI system performance, and who is responsible for the impact assessment process. If you have an existing information security function, AI governance can sit alongside it — but it needs a named owner.

Step 5: Implement controls and prepare for audit

Select and implement the Annex A controls relevant to your in-scope systems and risk profile. Document your Statement of Applicability. Run at least one complete internal audit cycle before engaging a certification body. The Stage 1 audit reviews your documentation; the Stage 2 audit tests whether your controls work in practice. Surveillance audits then happen annually for three years before full recertification.

Our audits and compliance team supports organisations through ISO 42001 gap assessments, impact assessment design, and implementation planning. Our AI advisory practice brings domain knowledge of AI system risks across financial services, healthcare, and professional services — the three sectors where AI governance questions are most acute.

Frequently asked questions

Who should pursue ISO 42001 certification?

ISO 42001 is designed for any organisation that develops, provides, or uses AI-based products or services. Developers and vendors of AI systems will find it most directly applicable, but deployers — businesses using AI in their operations — are also within scope. Organisations already certified to ISO 27001 are well-positioned to extend their management system to cover AI, as the structural framework is identical.

Does ISO 42001 certification satisfy EU AI Act compliance requirements?

ISO 42001 is not a legal compliance tool in itself and certification does not automatically satisfy EU AI Act obligations. However, it provides the documented management system framework that the EU AI Act's deployer obligations require: structured AI risk assessment, human oversight controls, monitoring processes, and documented governance. Regulators may reference ISO 42001 as a harmonised standard, which would allow conformity with it to raise a presumption of compliance with certain AI Act requirements — but this formal harmonisation has not yet occurred.

How long does ISO 42001 certification take?

The timeline depends heavily on the maturity of your existing AI governance processes. Organisations with mature ISO 27001 management systems can typically complete the gap analysis, implement AI-specific controls, and achieve certification within six to twelve months. Organisations starting from scratch may need twelve to twenty-four months. Certification follows a two-stage audit process: a Stage 1 documentation review followed by a Stage 2 on-site assessment, with annual surveillance audits and a full recertification every three years.

What is the difference between ISO 42001 and ISO 27001?

ISO 27001 governs information security management — protecting the confidentiality, integrity, and availability of information and information systems. ISO 42001 governs AI management — ensuring AI systems are developed, deployed, and used responsibly, with appropriate risk assessment, human oversight, transparency, and data governance. They share the same High Level Structure and can be integrated into a single management system. ISO 27001 covers AI systems as information processing assets; ISO 42001 covers the AI-specific governance layer on top.

What is an AI system impact assessment under ISO 42001?

The AI system impact assessment is a structured evaluation of the potential effects of an AI system on individuals, groups, and society. It goes beyond traditional risk assessment by requiring organisations to consider societal impact, fairness, transparency, and the rights of people affected by AI decisions — including those who are not direct users of the system. The impact assessment informs the selection and implementation of controls from the standard's Annex A and must be documented and reviewed periodically.


Ready to build your AI Management System?

We support organisations with ISO 42001 gap assessments, impact assessment design, and implementation — from scoping to certification readiness.