ISO/IEC 42001.
Governed, trustworthy AI.

The world's first international standard for an AI Management System. Prove to customers, investors and regulators that the AI you build and deploy is responsibly governed.

The standard.

Published in December 2023, ISO/IEC 42001 is the world's first international standard for an Artificial Intelligence Management System (AIMS). It specifies requirements for establishing, implementing, maintaining and continually improving responsible governance of AI within an organisation. It is structured exactly like ISO 27001, with management-system clauses 4-10 and a set of Annex A controls.

What it covers.

AI risk assessment · structured identification and treatment of AI-specific risk. AI impact assessment · effects on individuals and society. System lifecycle · governance across design, build and deployment. Data governance · quality, provenance and handling of training data. Transparency & explainability · clarity on how systems decide. Human oversight & accountability · named roles and meaningful control. Continual improvement · review and refine over time.

Who needs it.

Organisations building, deploying or selling AI/ML products. Companies whose customers, investors or regulators now ask how AI is governed. Firms preparing for the EU AI Act and similar regulation. It demonstrates trustworthy, responsible AI to enterprise buyers and procurement, and integrates cleanly with an existing ISO 27001 ISMS through the shared management-system structure.

Key benefits.

01

Prove responsible AI

A recognised, certifiable signal that your AI is governed, not improvised.

02

Win enterprise deals

Answer the AI governance questions now appearing in procurement and security reviews.

03

Get ahead of regulation

Build the evidence base for the EU AI Act and emerging AI rules before they bite.

04

Reuse your ISMS

Shared structure with ISO 27001 means a single, integrated management system.

Scope. Assess. Build. Certify.

1

Scope & gap analysis

Map your AI systems and assess current state against the clauses and Annex A controls.

2

Risk & impact assessment

Run the AI risk and AI impact assessments that sit at the heart of the standard.

3

Build the AIMS

Implement policies, lifecycle controls, data governance, oversight roles and records.

4

Audit & certify

Internal audit, management review, then certification audit with an accredited body.

  • Gap analysis report.Current state vs the clauses and Annex A controls.
  • AI risk & impact assessments.Documented methodology and results for each AI system.
  • AIMS policy set.AI policy, data governance, transparency and oversight procedures.
  • Statement of Applicability.Annex A controls, justified and mapped to your AI systems.
  • Internal audit & management review.Evidence the system works, ready for the certification body.
  • Continual improvement plan.Surveillance schedule, review cadence and re-certification support.

Aligned with the AI governance landscape.

  • ISO/IEC 42001
  • ISO/IEC 23894
  • EU AI Act alignment
  • NIST AI RMF
  • ISO/IEC 27001

Frequently asked.

How long does it take?

Typically 4-9 months to first certification, depending on how many AI systems are in scope and how mature your existing governance is. Organisations with an established ISO 27001 ISMS move faster because much of the management-system structure is already in place.

Do we need ISO 27001 first?

No. ISO 42001 can stand alone. But because it shares the management-system structure with ISO 27001, the two integrate cleanly. If you already hold ISO 27001, the AIMS bolts onto your existing system rather than duplicating it.

How does it relate to the EU AI Act?

ISO 42001 is not a substitute for the EU AI Act, but it builds the governance, risk-assessment and documentation foundations regulators will expect. Certifying is a practical, defensible way to demonstrate good-faith readiness ahead of enforcement.

Who should own the AIMS internally?

The standard requires named accountability and meaningful human oversight. In practice ownership sits with a senior risk, security or product leader, supported by data, engineering and legal. We help you define those roles as part of the build.

We only use third-party AI. Does it still apply?

Yes. ISO 42001 covers organisations that deploy or use AI, not just those that build it. If you embed third-party models into products or operations, the standard helps you govern that use responsibly and prove it to customers.

Make compliance
feel inevitable.

Book a free consultation