ISO/IEC 42001:2023
The world's first international standard for governing AI systems responsibly. Required by enterprise buyers. Aligned with the EU AI Act. The compliance credential every AI-enabled company will need.
What Is ISO/IEC 42001?
ISO/IEC 42001:2023 is the world's first international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, it provides a structured framework for any organisation that develops, provides, or uses AI systems to do so responsibly, transparently, and in line with global regulatory expectations.
It follows the same Harmonized Structure (Annex SL / ISO High Level Structure) as ISO 27001 and ISO 9001 — so if your organisation already holds either of those certifications, you have a significant head start. The clause architecture is identical: context, leadership, planning, support, operation, performance evaluation, and improvement.
What makes ISO 42001 different is its AI-specific additions: impact assessments for AI systems, bias and fairness controls, explainability requirements, model lifecycle governance, data quality controls, and human oversight mechanisms — none of which exist in ISO 27001.
ISO 42001 at a Glance
Why ISO 42001 Matters in 2026
🇪🇺 EU AI Act Goes Live August 2026
The EU AI Act's high-risk system requirements become fully applicable in August 2026. While ISO 42001 is not legally mandated, 60–70% of EU AI Act documentation requirements map directly to ISO 42001 clauses and Annex A controls. Organisations implementing ISO 42001 now are building the governance backbone that satisfies the Act's risk classification, impact assessment, transparency, and post-market monitoring obligations simultaneously.
🏢 Buyers Are Already Asking
By mid-2026, 'Are you ISO 42001 certified or implementing it?' appears in roughly 40% of enterprise AI vendor RFPs in the EU and 25% in North America. Fortune 500 procurement teams, insurance underwriters, and regulated-industry buyers have added ISO 42001 clauses to vendor questionnaires. The pattern mirrors how ISO 27001 became a baseline procurement requirement between 2015 and 2020. ISO 42001 is on the same trajectory — two to three years earlier than most vendors expect.
🇮🇳 Aligned with India's DPDP Act
India's Digital Personal Data Protection Act rules (notified November 2025) require 'reasonable security safeguards' and responsible data processing — including for AI-driven decision systems. ISO 42001's data governance controls (A.6), impact assessment requirements (A.5), and transparency obligations (A.7) map directly onto DPDP obligations for Significant Data Fiduciaries using automated processing. Build ISO 42001 once; satisfy DPDP, EU AI Act, and Singapore's Model AI Governance Framework simultaneously.
🤖 You're Using AI Whether You Know It or Not
If your SaaS product uses any of the following, ISO 42001 applies to you: LLM-powered features, recommendation engines, automated scoring or ranking, fraud detection models, predictive analytics, AI-assisted customer support, or any third-party AI API embedded in your product. Enterprise buyers are now asking: 'Show me your AI governance.' ISO 42001 is the answer.
🔗 70% of the Work Is Already Done
Organisations with ISO 27001 certification share the same management system structure, policy framework, risk assessment process, and audit methodology as ISO 42001. The incremental work is adding AI-specific controls: impact assessments, bias monitoring, explainability documentation, and AI supply chain management. Most ISO 27001-certified companies can reach ISO 42001 certification readiness in 3–4 months rather than 9–12 months from scratch.
🏆 First-Mover Window Is Closing
In 2024, ISO 42001 certification was rare. In 2025, KPMG India, major financial institutions, and technology enterprises began certifying. In 2026, enterprise procurement gates are activating. The companies that certify in 2026 will have 12–18 months of competitive differentiation before certification becomes a baseline expectation. The window to lead rather than follow is now.
ISO 42001: The 10 Clauses Explained
Clauses 1–3 are introductory. Clauses 4–10 are mandatory for certification.
Clause 4
Clause 5
Clause 6
Clause 7
Clause 8
Clause 9
Clause 10
Annex A: The 38 AI Governance Controls
Annex A is not a mandatory checklist — it is a reference set. Your Statement of Applicability (SoA) documents which controls apply based on your AI risk assessment. You must justify any exclusions.
How ISO 42001 Fits With Frameworks You Already Know
| Framework | Focus | Certifiable | Legally Mandated | ISO 42001 Overlap |
|---|---|---|---|---|
| ISO 27001 | Information Security | Yes | No (market-driven) | 70% — shared management system structure |
| SOC 2 | Security, Availability, Confidentiality | No (attestation report) | No | 40% — shared risk assessment, access control, incident response |
| EU AI Act | AI Risk Regulation | No (legal compliance) | Yes (EU, Aug 2026) | 60–70% — risk classification, impact assessment, transparency |
| NIST AI RMF | AI Risk Management | No | No | 80% — maps directly to ISO 42001 clauses |
| DPDP Act (India) | Data Protection | No (legal compliance) | Yes (India) | 30% — data governance, impact assessment, transparency |
| GDPR | Personal Data Protection | No (legal compliance) | Yes (EU) | 25% — data governance, transparency, accountability |
Already have ISO 27001? You're approximately 70% of the way to ISO 42001. The management system, risk assessment methodology, policy framework, internal audit programme, and document control are all reusable. The incremental work: AI-specific impact assessments, bias controls, model lifecycle documentation, and AI supply chain governance.
The Road to ISO 42001 Certification
Gap Assessment
Assess your current state against ISO 42001 clauses 4–10 and Annex A controls. Identify what exists, what is missing, and what needs to be built. Produce a gap register with priority ratings.
AIMS Design
Design your AI Management System scope, AI policy, risk assessment methodology, and Statement of Applicability (SoA). Document all required policies, procedures, and controls.
Implementation
Implement controls, train relevant staff, run your first AI impact assessments, build your AI risk register, and establish monitoring mechanisms.
Internal Audit
Conduct an internal audit of your AIMS against ISO 42001 requirements. Identify and resolve nonconformities before the certification audit.
Certification
Stage 1 audit: document review. Stage 2 audit: on-site or remote evidence review and interviews. Successful completion results in ISO 42001 certificate.
Does ISO 42001 Apply to Your Organisation?
AI Developers
Organisations building AI models, AI features, or AI-powered products for sale or deployment. If you train models, fine-tune LLMs, or ship AI APIs — ISO 42001 applies. Your enterprise buyers will ask.
AI Deployers
Organisations deploying third-party AI systems in their products or operations — including any SaaS platform using OpenAI, Anthropic, Google, or other AI APIs in production. You are responsible for governing how those systems are used.
AI Users in Regulated Industries
Financial services firms, healthcare organisations, insurance companies, and any regulated entity using AI for consequential decisions — credit scoring, fraud detection, triage, claims processing. Regulators in these sectors are increasingly aligning expectations with ISO 42001.
Indian Enterprises with DPDP Obligations
Companies likely to be designated as Significant Data Fiduciaries under the DPDP Act who use AI in data processing. ISO 42001's data governance, impact assessment, and transparency controls directly support DPDP obligations for AI-driven processing.
EU Market Vendors
Any company selling software into the EU market that incorporates AI features. The EU AI Act's August 2026 deadline for high-risk system obligations means EU-market SaaS companies need an AI governance framework now.
Companies Holding ISO 27001
If you have ISO 27001 and your product now includes AI features — your existing certification does not cover AI-specific governance. ISO 42001 is the extension that closes this gap. Leverage your existing ISMS rather than starting from scratch.
A GRC Practitioner's View on ISO 42001
Rishabh Arora · ISO 42001 Lead Auditor · 7 years in GRC
"I got certified as an ISO 42001 Lead Auditor because I saw where enterprise buyer conversations were heading — and I wanted to be ahead of it, not catching up to it.
Every SOC 2 audit I do now includes at least one question about AI. 'Do you use AI in your production environment?' 'Are those models tested for bias?' 'Do you have an AI risk assessment?' Most companies don't have answers. Yet.
The window to be early on ISO 42001 is still open — but it is closing. When ISO 27001 became a procurement baseline around 2018–2020, companies that moved early had 2–3 years of competitive differentiation. ISO 42001 is on the same curve, roughly 3–4 years behind ISO 27001's adoption trajectory.
The companies I'd urge to start immediately: any SaaS business embedding AI APIs in their product, any Indian company targeting enterprise or government buyers, and any organisation that already holds ISO 27001 — because for you, the incremental effort is genuinely manageable."
Frequently Asked Questions
Where Does Your Organisation Stand on ISO 42001?
Take the free gap analysis — 15 minutes, no sales call, instant report.