ISO 42001
Getting Started Guide

ISO/IEC 42001:2023 Artificial Intelligence Management System

The world's first AI governance standard. Required by EU AI Act-aligned buyers. First-mover advantage still available.

Audit Effort3–5 months
Key Fact38 Annex A controls across 9 domains

What Is ISO 42001?

ISO/IEC 42001:2023 is the world's first international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, it provides a structured framework for any organisation that develops, provides, or uses AI systems to do so responsibly, transparently, and in line with global regulatory expectations.

It follows the same Harmonized Structure (Annex SL / ISO High Level Structure) as ISO 27001 and ISO 9001 — so if your organisation already holds either of those certifications, you have a significant head start. The clause architecture is identical: context, leadership, planning, support, operation, performance evaluation, and improvement.

What makes ISO 42001 different is its AI-specific additions: impact assessments for AI systems, bias and fairness controls, explainability requirements, model lifecycle governance, data quality controls, and human oversight mechanisms — none of which exist in ISO 27001.

Does ISO 42001 Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

AI Product Developers

Startups building LLM wrappers, model interfaces, or training custom weights.

Likely applies

EU Market Vendors

SaaS companies exporting AI-integrated software to the European Union market under the EU AI Act.

Likely applies

Enterprise AI Deployers

Firms deploying third-party AI to automate consumer-facing decisions.

Likely applies
You probably don't need ISO 42001 if:
  • Your codebase has no AI features, machine learning calls, or LLM integrations.
  • You operate solely in localized domestic markets without enterprise AI buyer demand.
  • You are in a pre-revenue sandbox phase and do not publish or distribute AI models.

Why ISO 42001 Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

EU AI Act Implementation

The EU AI Act's high-risk system obligations become fully applicable in August 2026. ISO 42001 satisfies 60-70% of these requirements.

Enterprise Procurement Gates

Enterprise buyers are adding AI governance sections to their vendor security reviews. ISO 42001 acts as the ultimate validation.

Competitive First-Mover Advantage

Obtaining ISO 42001 certification in 2026 establishes market leadership before governance becomes a baseline commodity.

The Requirements

The core security controls and evidence parameters audited for ISO 42001.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for ISO 42001.

1
Weeks 1–2

Gap Assessment & Scoping

Catalog all AI models, map data flows, and identify gaps against standard requirements.

Key Deliverable:Gap assessment, AI asset register
2
Weeks 3–8

AIMS Design & Statement of Applicability

Write AI Policy, design risk assessment templates, and draft the Statement of Applicability (SoA).

Key Deliverable:AIMS policies, SoA document
3
Weeks 8–16

Operational Control Build

Run AI impact assessments, document data sources, build drift tracking, and train employees.

Key Deliverable:Risk register, model monitoring logs
4
Weeks 16–20

Internal Audit & Stage 1/2 Reviews

Perform the mandatory internal audit, address findings, and invite the auditor for Stage 1 & 2 audits.

Key Deliverable:Internal audit report, ISO 42001 Certificate
With Existing Certifications

10–12 weeks: Leverage existing ISO 27001 processes (audit, reviews) to focus solely on AI-specific Annex A domains.

Starting from Scratch

20–24 weeks: Starting from scratch requires time to build a management system, draft policies, and run audits.

The Mistakes That Delay Most ISO 42001 Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Writing AIMS without listing all AI models

Why it happens:

Teams don't catalog third-party API dependencies or internal research sandboxes.

How to avoid it:

Create a comprehensive AI inventory register before auditing. Document every API endpoint.

Treating it strictly as a security standard

Why it happens:

Teams assume ISO 27001 security covers AIMS requirements.

How to avoid it:

Focus on AI-specific domains: bias, transparency, explainability, lifecycle monitoring, and societal impact.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

ISO 42001 Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

ISO 42001 Gap Analysis

Run our free interactive ISO 42001 Gap Analysis to map out your readiness gap and audit criteria instantly.

Start ISO 42001 Gap Analysis
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about ISO 42001 compliance and certification processes.