Prove responsible AI
A recognised, certifiable signal that your AI is governed, not improvised.
The world's first international standard for an AI Management System. Prove to customers, investors and regulators that the AI you build and deploy is responsibly governed.
Published in December 2023, ISO/IEC 42001 is the world's first international standard for an Artificial Intelligence Management System (AIMS). It specifies requirements for establishing, implementing, maintaining and continually improving responsible governance of AI within an organisation. It is structured exactly like ISO 27001, with management-system clauses 4-10 and a set of Annex A controls.
AI risk assessment · structured identification and treatment of AI-specific risk. AI impact assessment · effects on individuals and society. System lifecycle · governance across design, build and deployment. Data governance · quality, provenance and handling of training data. Transparency & explainability · clarity on how systems decide. Human oversight & accountability · named roles and meaningful control. Continual improvement · review and refine over time.
Organisations building, deploying or selling AI/ML products. Companies whose customers, investors or regulators now ask how AI is governed. Firms preparing for the EU AI Act and similar regulation. It demonstrates trustworthy, responsible AI to enterprise buyers and procurement, and integrates cleanly with an existing ISO 27001 ISMS through the shared management-system structure.
A recognised, certifiable signal that your AI is governed, not improvised.
Answer the AI governance questions now appearing in procurement and security reviews.
Build the evidence base for the EU AI Act and emerging AI rules before they bite.
Shared structure with ISO 27001 means a single, integrated management system.
Map your AI systems and assess current state against the clauses and Annex A controls.
Run the AI risk and AI impact assessments that sit at the heart of the standard.
Implement policies, lifecycle controls, data governance, oversight roles and records.
Internal audit, management review, then certification audit with an accredited body.
Typically 4-9 months to first certification, depending on how many AI systems are in scope and how mature your existing governance is. Organisations with an established ISO 27001 ISMS move faster because much of the management-system structure is already in place.
No. ISO 42001 can stand alone. But because it shares the management-system structure with ISO 27001, the two integrate cleanly. If you already hold ISO 27001, the AIMS bolts onto your existing system rather than duplicating it.
ISO 42001 is not a substitute for the EU AI Act, but it builds the governance, risk-assessment and documentation foundations regulators will expect. Certifying is a practical, defensible way to demonstrate good-faith readiness ahead of enforcement.
The standard requires named accountability and meaningful human oversight. In practice ownership sits with a senior risk, security or product leader, supported by data, engineering and legal. We help you define those roles as part of the build.
Yes. ISO 42001 covers organisations that deploy or use AI, not just those that build it. If you embed third-party models into products or operations, the standard helps you govern that use responsibly and prove it to customers.