ISO 42001 is the world’s first international standard specifically for AI management systems. Published in December 2023 by the International Organization for Standardization, it provides organizations with a structured framework to govern artificial intelligence responsibly—before regulators force them to. Whether you’re building AI products, deploying AI systems internally, or trying to demonstrate responsible AI governance to customers and regulators, this guide covers what ISO 42001 actually requires, how to implement it, and where it fits alongside other compliance frameworks.
What Is ISO 42001?
ISO 42001:2023 is an international standard that establishes requirements for an information security management system (ISMS) specific to artificial intelligence. More practically, it’s a set of controls and processes designed to help organizations manage the risks and impacts of AI systems across their operations.
The standard was developed by ISO/IEC JTC 1/SC 42 (Artificial Intelligence) in response to rapid AI adoption and the urgent need for standardized governance. Unlike frameworks that only address data security or privacy, ISO 42001 takes a holistic view: it covers the entire AI lifecycle, from design and development through deployment, monitoring, and retirement.
ISO 42001 uses the familiar Plan-Do-Check-Act (PDCA) cycle that many organizations recognize from ISO 27001 (information security) or ISO 9001 (quality management). This means if you already have experience with ISO frameworks, the methodology won’t feel entirely new. However, ISO 42001 adds AI-specific control objectives that go beyond traditional security—things like transparency requirements, bias assessment, human oversight mechanisms, and AI system monitoring.
Who Should Pursue ISO 42001?
Three groups benefit most from ISO 42001 certification:
Organizations that provide AI systems to others sit at the top of the list. If you’re building and selling machine learning models, large language model applications, generative AI tools, or any AI product to customers, ISO 42001 certification signals that you’ve built responsible AI governance into your product development from day one. Customers—especially those in regulated industries—are increasingly asking for it.
Organizations that deploy AI systems internally should also consider it. If you’re using AI for credit decisions, hiring, customer service automation, content recommendations, or fraud detection, you’re making decisions that affect people. ISO 42001 ensures you have controls around how those systems work, who oversees them, and how you monitor for unintended consequences.
Finally, organizations that want to demonstrate responsible AI governance to regulators, customers, or stakeholders should pursue certification. As regulations like the EU AI Act and various sector-specific rules mature, having a recognized standard in place becomes a competitive and risk management advantage.
If you operate in financial services, healthcare, government, or industries handling sensitive consumer decisions, the business case is particularly strong.
The Structure of ISO 42001
ISO 42001 follows a familiar structure for those who’ve worked with other ISO standards. It’s organized around the PDCA cycle: Plan (establish policy and objectives), Do (implement controls), Check (monitor effectiveness), and Act (improve based on findings).
The standard contains 23 control objectives organized into four broad categories. Annex A covers organizational controls—things like governance, resource management, competence, and supplier management. Annex B covers AI-specific controls that address the unique risks of artificial intelligence systems.
The control objectives are intentionally broad. ISO doesn’t prescribe a single “right way” to implement them. A startup with three AI engineers will implement differently from a Fortune 500 company with hundreds. The standard leaves implementation details to organizations, which means you have flexibility but also responsibility for tailoring controls to your context.
Key ISO 42001 Requirements
Leadership and AI Policy. The standard requires your leadership team to establish an AI management system and take accountability for it. This isn’t a checkbox exercise—it means your board, C-suite, or equivalent needs to understand your organization’s AI strategy, the risks it carries, and the governance framework you’ve put in place. You need a documented AI policy that outlines your approach to responsible AI and is communicated across the organization.
Risk and Impact Assessment for AI. Before or immediately after deploying an AI system, you must assess what could go wrong. What’s the harm if the model makes a wrong decision? Who’s affected? What’s the likelihood and severity? ISO 42001 doesn’t tell you to avoid all risk—it tells you to understand it and decide whether it’s acceptable. For high-impact systems (decisions affecting credit, employment, or public safety), you need more rigorous assessment.
AI System Lifecycle Controls. The standard covers the full lifecycle: design, development, validation, deployment, monitoring, and decommissioning. At design, you should consider potential biases, fairness issues, and security risks upfront. During development, you validate that the system works as intended. After deployment, you monitor performance, drift, and user feedback. When the system reaches end-of-life, you have a documented process for retirement and data handling.
Transparency and Explainability. Depending on context and impact, you need to be able to explain how an AI system works and why it made a specific decision. This doesn’t mean you have to hand over proprietary algorithms—it means you understand them well enough to explain them to stakeholders, regulators, and affected individuals. For high-stakes decisions, transparency requirements are stricter.
Data Quality and Governance. AI systems are only as good as their training data. ISO 42001 requires you to have processes for ensuring data quality, addressing bias in datasets, documenting data sources, and ensuring data used in AI systems is handled consistently with your broader data governance and privacy framework.
Human Oversight. Humans remain in the loop. The standard requires that for significant decisions, humans review AI recommendations before action is taken. For some systems, this might mean a model alert that a human must approve. For others, it’s a human reviewing a subset of decisions to catch errors. The level of oversight depends on impact.
Monitoring and Continual Improvement. Post-deployment, you need mechanisms to detect when an AI system’s performance degrades, when it behaves unexpectedly, or when external factors (regulatory changes, new data patterns) require adjustments. You track metrics, incident reports, and user feedback, and you use that information to improve the system.
ISO 42001 vs. ISO 27001: How They Work Together
A common question: do I need both ISO 27001 and ISO 42001? The short answer is yes—they’re complementary, not competing.
ISO 27001 is an information security management system standard. It covers confidentiality, integrity, and availability of information assets. It includes access controls, encryption, incident management, vendor security, and employee awareness. These are foundational for any organization handling sensitive data.
ISO 42001 assumes you already have a solid information security foundation and builds AI-specific governance on top of it. Many of the controls in ISO 42001 reference or depend on ISO 27001 controls. For example, ISO 42001 requires you to document your AI systems and their training data. ISO 27001 controls around access management, change control, and audit logging support that requirement.
In practice, if you pursue both certifications, you’ll have a significant overlap in your control documentation and processes. Your information security team and your AI governance team need to coordinate. But you won’t be building two entirely separate management systems. The standards are designed to coexist.
If your organization is only beginning governance work, consider whether you should start with ISO 27001 (if you haven’t already) or pursue both in parallel. The decision depends on your maturity level, regulatory environment, and business drivers.
ISO 42001 and the EU AI Act: The Connection
The EU AI Act, which began enforcement in 2024, is reshaping how organizations approach AI governance globally. ISO 42001 and the EU AI Act are not the same thing, but they’re closely related.
The EU AI Act establishes legal requirements: which AI systems are high-risk, what documentation and testing they require, which are prohibited, and what compliance mechanisms apply. It’s a regulatory mandate with significant penalties for non-compliance.
ISO 42001 is a management system standard—a documented framework that demonstrates you’ve implemented systematic controls over AI risks. Organizations pursuing EU AI Act compliance often turn to ISO 42001 because it provides a structured, auditable way to meet the Act’s requirements. If you’re subject to the EU AI Act and you achieve ISO 42001 certification, you have strong evidence that you’re meeting core governance obligations.
That said, ISO 42001 certification alone doesn’t guarantee EU AI Act compliance. The Act has specific requirements—around algorithm testing, documentation, conformity assessment—that go beyond the scope of a management system standard. You’ll likely need ISO 42001 as a foundation, but you may also need additional controls specific to the Act’s technical and procedural requirements.
How Long Does ISO 42001 Certification Take?
The timeline varies based on organizational maturity, current controls, and scope. A startup with a single AI product and limited governance infrastructure might take 4–6 months to implement a basic ISO 42001 system and pass certification audit. A large enterprise with multiple AI systems, distributed teams, and complex compliance requirements might take 9–12 months or longer.
The process has several phases. First is scoping: you decide what AI systems and processes fall within your management system. Then comes implementation: you document policies, design processes, assign responsibilities, and roll out controls. This typically takes 2–4 months. Next is pre-audit (optional but recommended): an external consultant reviews your system, finds gaps, and helps you fix them before the formal audit. Finally comes the certification audit itself: an accredited auditor verifies your system meets the standard. If gaps exist, you fix them and undergo verification. Once passed, you’re certified for three years, with annual surveillance audits.
The time to certification also depends on your documentation maturity. If you already have data governance processes, security controls, and change management in place, you’re building on a solid foundation. If you’re starting from scratch, expect a longer timeline.
ISO 42001 Certification Checklist: Where to Start
If you’re considering ISO 42001 certification, here’s a practical starting point:
Conduct a gap assessment to understand where your current state stands against the standard. What policies do you have? What controls are already in place? Where are the gaps? This assessment takes 2–4 weeks and clarifies the scope of work ahead.
Document your AI systems and their business purposes. Create an inventory of every AI system your organization operates: what it does, who uses it, what data it processes, and what decisions it affects. This becomes your management system’s scope.
Develop an AI governance framework including an AI policy, roles and responsibilities, and escalation paths for AI-related incidents or concerns. Leadership needs to sign off on this.
Assess AI risks and impacts for each system. Use a structured methodology to identify potential harms, who’s affected, likelihood, and severity. Document this in a risk register.
Design control processes around each of the standard’s control objectives. Which controls already exist? Which need to be built? What does implementation look like in your organization?
Assign ownership and communicate. Every control needs an owner—someone responsible for implementing and maintaining it. Your team members need to understand the AI governance framework and their role in it.
Implement controls and document everything. Policies, procedures, training records, risk assessments, audit logs, and incident reports should all be documented and organized.
Pre-audit: Work with an external consultant to find any remaining gaps before the formal certification audit. This is highly recommended and saves time and cost during the official audit.
Conduct a certification audit. Hire an ISO 27001 auditor accredited for ISO 42001 (many are dual-accredited) to audit your system. If gaps are found, address them and schedule a follow-up verification.
After certification, maintain your system through annual surveillance audits and ongoing improvement.
How Soter Advisory Can Help
Building an AI management system is a substantial undertaking, especially if your organization hasn’t implemented ISO frameworks before. ISO 42001 requires thinking across multiple dimensions—technical security, governance, risk management, and organizational change—and getting it right matters.
Need help with ISO 42001? Soter Advisory works with companies at every stage—from initial gap assessment through to certification and ongoing support. Book a free consultation →