ISO/IEC 42001: The AI Management System Standard Enterprise Leaders Need to Understand
ISO/IEC 42001:2023 is the world's first certifiable international standard for managing artificial intelligence. Published in December 2023, it gives organisations a structured, auditable way to govern AI — and a certificate to prove it. Here is what the standard contains, how certification works, how it relates to the EU AI Act, and whether your organisation should pursue it.
Key Takeaways
- ISO/IEC 42001:2023, published in December 2023, is the world's first certifiable international standard for an Artificial Intelligence Management System (AIMS) — the AI-specific equivalent of what ISO 27001 is for information security (ISO/IEC; KPMG; Microsoft).
- It follows the same Annex SL management-system structure as ISO 27001 and ISO 9001, with the auditable requirements in clauses 4 through 10 (context, leadership, planning, support, operation, performance evaluation, improvement), and adds Annex A — 38 controls grouped under nine control objectives — with implementation guidance in the further annexes.
- Certification is awarded by an accredited third party after a two-stage audit (Stage 1 reviews documentation; Stage 2 tests implementation and effectiveness). A certificate is valid for three years, with annual surveillance audits in between (Vanta; accredited certification bodies).
- ISO 42001 is not the same as EU AI Act compliance. It is a voluntary standard with roughly 40–50% overlap with the Act's high-level requirements; it is a strong foundation but not a substitute. The Act's legal "presumption of conformity" flows from harmonised standards being developed by CEN-CENELEC JTC 21, which ISO 42001 is not (Vanta; CEN-CENELEC JTC 21).
- Search demand reflects rising buyer intent — "iso 42001" averages about 5,400 monthly searches in the US and 2,900 in India, at medium competition with a US CPC of $13.36 (Google Ads data, June 2026). Early certified organisations include Microsoft's AI services (Microsoft 365 Copilot, GitHub Copilot); Schellman was the first ANAB-accredited certification body for the standard.
For two years, "AI governance" inside most organisations has meant a policy document, a committee, and a set of principles. ISO/IEC 42001 is what turns that into a management system an auditor can certify. Published in December 2023, it is the world's first international standard for an Artificial Intelligence Management System — and for enterprise leaders, it is becoming the most recognisable way to demonstrate, to customers, regulators, and boards, that AI is being managed deliberately rather than improvised.
This guide explains what the standard actually requires, how certification works, how it relates to the EU AI Act, and how to decide whether pursuing it is worth the effort for your organisation.
What ISO/IEC 42001 Is
ISO/IEC 42001:2023 specifies the requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System — an AIMS — within an organisation. It was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and published in December 2023.
The mental model that helps most is the analogy to ISO 27001. ISO 27001 does not tell you which firewall to buy; it requires you to have a managed, risk-based, continually improving system for information security, and it lets an independent body certify that you do. ISO 42001 does the same thing for AI: it does not prescribe which models or tools to use, but it requires a structured, accountable, risk-based system for the responsible development, provision, and use of AI — and provides a certificate to prove the system exists and works.
Crucially, it applies to organisations that build AI and to organisations that merely use it. A company deploying third-party AI tools across its operations is as much in scope as one training its own models.
How the Standard Is Structured
ISO/IEC 42001 follows Annex SL — the common high-level structure shared by modern ISO management-system standards, including ISO 27001 (information security) and ISO 9001 (quality). This is deliberate and useful: an organisation that already runs an ISO 27001 management system will recognise the shape immediately, and the two can be integrated rather than run in parallel.
The auditable requirements sit in clauses 4 through 10:
- Clause 4 — Context. Understand the organisation, its AI activities, and the needs of interested parties; define the scope of the AIMS.
- Clause 5 — Leadership. Top-management commitment, an AI policy, and clearly assigned roles and responsibilities.
- Clause 6 — Planning. AI risk assessment and treatment, an AI system impact assessment, and measurable objectives.
- Clause 7 — Support. Resources, competence, awareness, communication, and documented information.
- Clause 8 — Operation. Operational planning and control of the AI lifecycle.
- Clause 9 — Performance evaluation. Monitoring, measurement, internal audit, and management review.
- Clause 10 — Improvement. Corrective action and continual improvement.
Anyone who has seen an ISO 27001 implementation will find this familiar — the difference is that the risks being managed are AI-specific.
What the Annex A Controls Cover
Where the standard becomes AI-specific is Annex A, which lists 38 controls grouped under nine control objectives. These are the concrete practices an organisation selects from, based on its risk assessment, and documents in a Statement of Applicability — again mirroring the ISO 27001 model. The further annexes provide implementation guidance for those controls and set out potential AI-related organisational objectives, risk sources, and sector-specific considerations.
The control areas address the things that make AI different from conventional software, including:
- Policies and organisational accountability for AI — who owns AI risk and how it is escalated.
- The AI system lifecycle — responsible design, development, verification, deployment, operation, and decommissioning.
- Data governance for AI — data quality, provenance, and management across training and operation.
- Information and transparency for users — what people are told about the AI system and its limitations.
- Use of AI systems — responsible operation, including human oversight.
- Third-party and supplier relationships — managing the AI systems and components you obtain from others.
For most organisations, the gap between their current practice and these controls is not technical capability — it is documentation, accountability, and consistency. The controls force the discipline that an aspirational AI policy alone does not.
How Certification Works
ISO 42001 is a certifiable standard, which is the source of much of its value: a third party attests that your management system meets the requirements. Certification is awarded by an accredited certification body — not by ISO itself — and follows a familiar two-stage process:
- Stage 1 reviews your documentation and readiness: is the management system designed, are the required policies and assessments in place, is the scope coherent?
- Stage 2 tests implementation and effectiveness: is the system actually operating as documented, with evidence that controls are working and being reviewed?
A certificate is valid for three years, with annual surveillance audits in the intervening years to confirm the system remains in operation, and a recertification audit at the end of the cycle. This is the same rhythm organisations already know from ISO 27001.
The certification-body landscape is maturing quickly. Schellman was the first ANAB-accredited certification body for ISO 42001 in the United States, and established global bodies such as BSI now offer it. For organisations choosing a certifier, accreditation — by ANAB, UKAS, or an equivalent national accreditation body — is what gives the certificate its weight.
ISO 42001 and the EU AI Act: Related, Not Equivalent
This is the point on which leaders are most often misled, so it is worth stating plainly: achieving ISO 42001 certification is not the same as complying with the EU AI Act.
The two are different kinds of instrument. ISO 42001 is a voluntary standard an organisation chooses to adopt. The EU AI Act is binding law with specific, non-negotiable obligations for high-risk AI systems. There is substantial overlap — analyses commonly put it at roughly 40–50% of the Act's high-level requirements — and a working ISO 42001 management system materially reduces the cost and effort of reaching AI Act compliance, because the governance scaffolding is already there. But it does not, on its own, discharge the Act's legal requirements.
The mechanism that does grant a legal "presumption of conformity" under the Act is a harmonised standard — a standard developed under a European Commission mandate and cited in the Official Journal of the EU. These are being developed by the joint technical committee CEN-CENELEC JTC 21. ISO/IEC 42001 is not itself a harmonised standard, though it is closely watched as the international reference point as the harmonised standards take shape.
The practical reading for a leader: pursue ISO 42001 because it builds the management system that good AI governance requires and that EU AI Act compliance will lean on — not because a certificate makes the Act's obligations go away.
Should Your Organisation Pursue Certification?
Certification is not free, and it is not for everyone. It is most clearly worth it when:
- You sell AI-enabled products or services, and customers — especially enterprise and public-sector buyers — are starting to ask how you govern AI. A certificate answers a procurement question that is increasingly being asked.
- You operate in a regulated sector or under the EU AI Act's shadow, and want a structured, defensible governance foundation.
- You already run ISO 27001, in which case the incremental effort to add an AIMS on the same Annex SL structure is far lower than starting from scratch.
It is less urgent when AI use is still genuinely experimental and small in scope — though even then, building toward the standard's structure is a sound way to avoid accumulating governance debt that has to be remediated later.
What Leaders Should Be Asking
To the executive sponsor of AI: If a customer or regulator asked us today to demonstrate how we govern AI, what would we hand them? If the honest answer is a principles document and a few meeting minutes, ISO 42001 is the framework that turns that into something defensible.
To the risk and compliance function: Where does our existing ISO 27001 system already satisfy 42001's requirements, and what is genuinely new? The overlap is large, and scoping the delta first prevents over-investing.
To anyone equating certification with regulatory compliance: What does this certificate actually cover, and what EU AI Act obligations remain after we hold it? The certificate is a strong foundation, not a finish line.
The Underlying Point
ISO/IEC 42001 has arrived at the moment enterprise AI governance needed it — when "we take AI seriously" had to become something an auditor could verify and a customer could trust. It does not tell an organisation which AI to build or buy. It requires that whatever AI it builds or buys is managed through an accountable, risk-based, continually improving system — and gives that system a recognised certificate. For leaders, the value is less in the certificate itself than in the discipline it forces: the certificate is simply the proof that the discipline is real.
Imagine Works helps enterprise organisations design and operationalise AI governance — from AI policy and risk assessment to the management-system structure that supports ISO/IEC 42001 certification and EU AI Act readiness. Get in touch to discuss your path to a certifiable AI management system.