In short: ISO/IEC 42001 is the first international standard for an AI management system (AIMS). Published in 2023, it gives organisations a certifiable framework of policies, roles and controls to govern AI responsibly and to evidence many EU AI Act obligations. Certification typically takes 6–12 months.

Key facts

Full title: ISO/IEC 42001:2023, Artificial intelligence — Management system
Type: Certifiable management-system standard, like ISO/IEC 27001
Structure: Annex SL — integrates with ISO 27001 and ISO 9001
Controls: Annex A: AI policy, roles, impact assessment, data, lifecycle, third parties
Typical timeline: 6–12 months to certification, depending on scope and maturity
Audit cycle: Stage 1 and Stage 2 audits, annual surveillance, recertification every 3 years

What is an AI management system (AIMS)?

An AIMS is a structured set of policies, roles, processes and controls for managing AI risks and obligations across the lifecycle. ISO 42001 specifies what a good one looks like. See "What is ISO 42001?"

What does ISO 42001 require?

An AI policy and defined scope, AI risk and impact assessments, a Statement of Applicability listing which Annex A controls apply, clear roles and objectives, and operational records that show the system runs and improves.

How does ISO 42001 map to the EU AI Act?

ISO 42001 is voluntary, but it provides the management-system backbone to operationalise and evidence many EU AI Act obligations. The Act sets the required outcomes; the standard helps you produce them repeatably.

ISO 42001 vs ISO 27001

ISO 27001 governs information security; ISO 42001 governs AI management. They share the Annex SL structure and integrate well, so holding 27001 makes 42001 faster. You do not need 27001 first.

Certification: stages, time and cost

Certification runs through a Stage 1 documentation review and a Stage 2 implementation audit, then annual surveillance and recertification every three years. It typically takes 6–12 months; for SMEs the all-in cost is often in the low-to-mid five figures (GBP).

Is ISO 42001 worth it for an SME?

Often yes when AI is core to your product or customers demand assurance: an accredited certificate pre-answers many buyer due-diligence questions, shortening sales cycles. See AI procurement readiness and our ISO 42001 readiness support.

Frequently asked questions

Is ISO 42001 certifiable?

Yes — by accredited third-party certification bodies, like ISO 27001. You can self-assess readiness first.

How long does ISO 42001 certification take?

Typically 6–12 months depending on AI maturity, scope and existing management systems.

Does ISO 42001 satisfy the EU AI Act?

It is voluntary, but it operationalises and evidences many AI Act obligations; it does not replace the legal requirements.

Do I need ISO 27001 first?

No, but having 27001 makes 42001 faster because the management-system backbone already exists.

Can we self-certify?

No — certification requires an accredited third-party audit.

Last updated 19 June 2026.