Back to Frameworks Hub
The AI Management System Standard

ISO/IEC 42001:2023

The world's first international standard for governing AI systems responsibly. Required by enterprise buyers. Aligned with the EU AI Act. The compliance credential every AI-enabled company will need.

38 Controls
Across 9 Domains
10 Clauses
Mandatory Requirements
76%
Teams Adopting ISO 42001
40%
Enterprise RFPs Require It

What Is ISO/IEC 42001?

ISO/IEC 42001:2023 is the world's first international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, it provides a structured framework for any organisation that develops, provides, or uses AI systems to do so responsibly, transparently, and in line with global regulatory expectations.

It follows the same Harmonized Structure (Annex SL / ISO High Level Structure) as ISO 27001 and ISO 9001 — so if your organisation already holds either of those certifications, you have a significant head start. The clause architecture is identical: context, leadership, planning, support, operation, performance evaluation, and improvement.

What makes ISO 42001 different is its AI-specific additions: impact assessments for AI systems, bias and fairness controls, explainability requirements, model lifecycle governance, data quality controls, and human oversight mechanisms — none of which exist in ISO 27001.

ISO 42001 at a Glance

Published
December 2023
Issued by
ISO / IEC Joint Technical Committee
Structure
10 Clauses + 4 Annexes (A, B, C, D)
Annex A Controls
38 controls across 9 domains
Certifiable
Yes — via accredited certification bodies

Why ISO 42001 Matters in 2026

🇪🇺 EU AI Act Goes Live August 2026

The EU AI Act's high-risk system requirements become fully applicable in August 2026. While ISO 42001 is not legally mandated, 60–70% of EU AI Act documentation requirements map directly to ISO 42001 clauses and Annex A controls. Organisations implementing ISO 42001 now are building the governance backbone that satisfies the Act's risk classification, impact assessment, transparency, and post-market monitoring obligations simultaneously.

🏢 Buyers Are Already Asking

By mid-2026, 'Are you ISO 42001 certified or implementing it?' appears in roughly 40% of enterprise AI vendor RFPs in the EU and 25% in North America. Fortune 500 procurement teams, insurance underwriters, and regulated-industry buyers have added ISO 42001 clauses to vendor questionnaires. The pattern mirrors how ISO 27001 became a baseline procurement requirement between 2015 and 2020. ISO 42001 is on the same trajectory — two to three years earlier than most vendors expect.

🇮🇳 Aligned with India's DPDP Act

India's Digital Personal Data Protection Act rules (notified November 2025) require 'reasonable security safeguards' and responsible data processing — including for AI-driven decision systems. ISO 42001's data governance controls (A.6), impact assessment requirements (A.5), and transparency obligations (A.7) map directly onto DPDP obligations for Significant Data Fiduciaries using automated processing. Build ISO 42001 once; satisfy DPDP, EU AI Act, and Singapore's Model AI Governance Framework simultaneously.

🤖 You're Using AI Whether You Know It or Not

If your SaaS product uses any of the following, ISO 42001 applies to you: LLM-powered features, recommendation engines, automated scoring or ranking, fraud detection models, predictive analytics, AI-assisted customer support, or any third-party AI API embedded in your product. Enterprise buyers are now asking: 'Show me your AI governance.' ISO 42001 is the answer.

🔗 70% of the Work Is Already Done

Organisations with ISO 27001 certification share the same management system structure, policy framework, risk assessment process, and audit methodology as ISO 42001. The incremental work is adding AI-specific controls: impact assessments, bias monitoring, explainability documentation, and AI supply chain management. Most ISO 27001-certified companies can reach ISO 42001 certification readiness in 3–4 months rather than 9–12 months from scratch.

🏆 First-Mover Window Is Closing

In 2024, ISO 42001 certification was rare. In 2025, KPMG India, major financial institutions, and technology enterprises began certifying. In 2026, enterprise procurement gates are activating. The companies that certify in 2026 will have 12–18 months of competitive differentiation before certification becomes a baseline expectation. The window to lead rather than follow is now.

ISO 42001: The 10 Clauses Explained

Clauses 1–3 are introductory. Clauses 4–10 are mandatory for certification.

Clauses 1–3 cover Scope, Normative References, and Terms & Definitions. They provide the foundation and language of the standard. Not audited individually — but understanding the AI-specific terminology in Clause 3 is critical before implementing Clauses 4–10.
4

Clause 4

Context of the Organisation
Plain English:Understand your organisation's role in the AI ecosystem and what obligations that creates.
Key questions it answers:Who are your stakeholders? What is the scope of your AIMS? Are you an AI developer, provider, or user?
Auditor looks for:AIMS scope document, stakeholder register, context analysis.
5

Clause 5

Leadership
Plain English:Senior leadership must actively own AI governance — not delegate it entirely to IT or compliance.
Key questions it answers:Has the C-suite assigned accountability? Is there an AI policy signed by top management?
Auditor looks for:Signed AI policy, RACI matrix, management review minutes.
6

Clause 6

Planning
Plain English:Identify AI-specific risks and opportunities, set governance objectives, and plan how to address them.
Key questions it answers:Have you conducted AI risk & impact assessments? What are your governance objectives?
Auditor looks for:AI risk register, impact assessment documentation, Statement of Applicability (SoA).
7

Clause 7

Support
Plain English:Ensure you have the right resources, competence, awareness, and documentation to run your AIMS.
Key questions it answers:Do AI practitioners have documented competence? Are employees aware of responsibilities?
Auditor looks for:Training records, competence assessments, document control register.
8

Clause 8

Operation
Plain English:Plan and control the AI system lifecycle — from design through deployment, monitoring, and decommissioning.
Key questions it answers:How are models tested and approved? How is model drift detected?
Auditor looks for:System design records, deployment approvals, post-deployment monitoring logs.
9

Clause 9

Performance Evaluation
Plain English:Measure, monitor, and review whether your AIMS is working — through internal audits and management reviews.
Key questions it answers:How do you monitor compliance? When was your last internal audit?
Auditor looks for:Monitoring plan, completed internal audit reports, management review minutes.
10

Clause 10

Improvement
Plain English:When things go wrong or opportunities arise, systematically improve your AIMS.
Key questions it answers:How do you handle AI system incidents and near-misses?
Auditor looks for:Nonconformity log, incident register, improvement plans.

Annex A: The 38 AI Governance Controls

Annex A is not a mandatory checklist — it is a reference set. Your Statement of Applicability (SoA) documents which controls apply based on your AI risk assessment. You must justify any exclusions.

How ISO 42001 Fits With Frameworks You Already Know

FrameworkFocusCertifiableLegally MandatedISO 42001 Overlap
ISO 27001Information SecurityYesNo (market-driven)70% — shared management system structure
SOC 2Security, Availability, ConfidentialityNo (attestation report)No40% — shared risk assessment, access control, incident response
EU AI ActAI Risk RegulationNo (legal compliance)Yes (EU, Aug 2026)60–70% — risk classification, impact assessment, transparency
NIST AI RMFAI Risk ManagementNoNo80% — maps directly to ISO 42001 clauses
DPDP Act (India)Data ProtectionNo (legal compliance)Yes (India)30% — data governance, impact assessment, transparency
GDPRPersonal Data ProtectionNo (legal compliance)Yes (EU)25% — data governance, transparency, accountability

Already have ISO 27001? You're approximately 70% of the way to ISO 42001. The management system, risk assessment methodology, policy framework, internal audit programme, and document control are all reusable. The incremental work: AI-specific impact assessments, bias controls, model lifecycle documentation, and AI supply chain governance.

The Road to ISO 42001 Certification

1

Gap Assessment

Weeks 1–2

Assess your current state against ISO 42001 clauses 4–10 and Annex A controls. Identify what exists, what is missing, and what needs to be built. Produce a gap register with priority ratings.

Deliverable: Gap report + roadmap
2

AIMS Design

Weeks 3–8

Design your AI Management System scope, AI policy, risk assessment methodology, and Statement of Applicability (SoA). Document all required policies, procedures, and controls.

Deliverable: AIMS documentation
3

Implementation

Weeks 8–16

Implement controls, train relevant staff, run your first AI impact assessments, build your AI risk register, and establish monitoring mechanisms.

Deliverable: Risk register, evidence
4

Internal Audit

Weeks 16–18

Conduct an internal audit of your AIMS against ISO 42001 requirements. Identify and resolve nonconformities before the certification audit.

Deliverable: Internal audit report
5

Certification

Weeks 18–24

Stage 1 audit: document review. Stage 2 audit: on-site or remote evidence review and interviews. Successful completion results in ISO 42001 certificate.

Deliverable: ISO 42001 Certificate
Timeline for organisations with existing ISO 27001: typically 3–5 months to certification. Without ISO 27001: 6–12 months depending on AI program maturity.

Does ISO 42001 Apply to Your Organisation?

AI Developers

Organisations building AI models, AI features, or AI-powered products for sale or deployment. If you train models, fine-tune LLMs, or ship AI APIs — ISO 42001 applies. Your enterprise buyers will ask.

AI Deployers

Organisations deploying third-party AI systems in their products or operations — including any SaaS platform using OpenAI, Anthropic, Google, or other AI APIs in production. You are responsible for governing how those systems are used.

AI Users in Regulated Industries

Financial services firms, healthcare organisations, insurance companies, and any regulated entity using AI for consequential decisions — credit scoring, fraud detection, triage, claims processing. Regulators in these sectors are increasingly aligning expectations with ISO 42001.

Indian Enterprises with DPDP Obligations

Companies likely to be designated as Significant Data Fiduciaries under the DPDP Act who use AI in data processing. ISO 42001's data governance, impact assessment, and transparency controls directly support DPDP obligations for AI-driven processing.

EU Market Vendors

Any company selling software into the EU market that incorporates AI features. The EU AI Act's August 2026 deadline for high-risk system obligations means EU-market SaaS companies need an AI governance framework now.

Companies Holding ISO 27001

If you have ISO 27001 and your product now includes AI features — your existing certification does not cover AI-specific governance. ISO 42001 is the extension that closes this gap. Leverage your existing ISMS rather than starting from scratch.

A GRC Practitioner's View on ISO 42001

Rishabh Arora · ISO 42001 Lead Auditor · 7 years in GRC

"I got certified as an ISO 42001 Lead Auditor because I saw where enterprise buyer conversations were heading — and I wanted to be ahead of it, not catching up to it.

Every SOC 2 audit I do now includes at least one question about AI. 'Do you use AI in your production environment?' 'Are those models tested for bias?' 'Do you have an AI risk assessment?' Most companies don't have answers. Yet.

The window to be early on ISO 42001 is still open — but it is closing. When ISO 27001 became a procurement baseline around 2018–2020, companies that moved early had 2–3 years of competitive differentiation. ISO 42001 is on the same curve, roughly 3–4 years behind ISO 27001's adoption trajectory.

The companies I'd urge to start immediately: any SaaS business embedding AI APIs in their product, any Indian company targeting enterprise or government buyers, and any organisation that already holds ISO 27001 — because for you, the incremental effort is genuinely manageable."

Frequently Asked Questions

Where Does Your Organisation Stand on ISO 42001?

Take the free gap analysis — 15 minutes, no sales call, instant report.

Covers all 7 mandatory clauses
Maps to all 38 Annex A controls
Instant PDF report