Key facts

  • Full title: ISO/IEC 42001:2023, Artificial intelligence — Management system.
  • It is certifiable by accredited third parties, like ISO/IEC 27001.
  • It uses the common Annex SL structure, so it integrates with ISO 27001 and ISO 9001.
  • Annex A lists controls covering AI policy, roles, impact assessment, data and the AI lifecycle.
  • Certification typically takes 6–12 months depending on scope and maturity.

What is an AI management system (AIMS)?

An AIMS is a structured set of policies, roles, processes and controls for managing AI risks and obligations across the lifecycle — from design and data through deployment and monitoring. ISO 42001 is the standard that specifies what a good one looks like.

What does ISO 42001 require?

It requires an AI policy and defined scope, AI risk and impact assessments, a Statement of Applicability setting out which Annex A controls apply, clear roles and objectives, and operational records that show the system runs and improves. Certification involves a Stage 1 documentation review and a Stage 2 implementation audit, then annual surveillance.

How does ISO 42001 relate to the EU AI Act?

ISO 42001 is voluntary, but it provides the management-system backbone to operationalise and evidence many EU AI Act obligations. The Act tells you the outcomes; the standard helps you produce them repeatably.

ISO 42001 vs ISO 27001 — what is the difference?

ISO 27001 governs information security; ISO 42001 governs AI management. They share the same Annex SL structure and integrate well, so if you already hold 27001, 42001 is faster because the management-system backbone exists. You do not need 27001 first.

Is ISO 42001 worth it for an SME?

Often yes, when AI is core to your product or when your customers demand assurance. An accredited certificate pre-answers many buyer due-diligence questions, shortening sales cycles. See AI procurement readiness and our ISO 42001 readiness support.

Frequently asked questions

What is ISO 42001?

ISO/IEC 42001 is the international standard for an AI Management System (AIMS) — a certifiable framework for governing AI responsibly.

How does ISO 42001 relate to the EU AI Act?

ISO 42001 is voluntary but provides the management system to operationalise and evidence many EU AI Act obligations.

How long does ISO 42001 certification take?

Typically 6–12 months depending on AI maturity, scope and existing management systems.

What's the difference between ISO 42001 and ISO 27001?

27001 governs information security; 42001 governs AI management. They share Annex SL structure and integrate well.

Do I need ISO 27001 before ISO 42001?

No, but having 27001 makes 42001 faster because the management-system backbone already exists.

Can we self-certify ISO 42001?

No — certification requires an accredited third-party audit; you can self-assess readiness first.

Last updated 19 June 2026.