What ISO 42001 is and why buyers ask for it
ISO/IEC 42001, published in 2023, is the first international standard for an Artificial Intelligence Management System (AIMS). It gives organisations a certifiable framework for governing AI responsibly — managing the risks, transparency, accountability and human oversight that come with developing or using artificial intelligence.
AI adoption has moved faster than most organisations’ governance around it, and that gap is now a commercial and regulatory concern. Buyers want to know that the AI in a product is managed deliberately; regulators, including under the EU AI Act, are raising expectations. ISO 42001 lets an organisation demonstrate, through an independent audit, that it takes AI governance seriously. It is one of the newest and fastest-growing standards in the ISO Certifications portfolio, issued under IAS accreditation and the IAF Multilateral Recognition Arrangement, and it complements ISO 27001 for security and ISO 27701 for privacy.
What the audit covers
Certification follows the same two-stage assessment as other ISO management systems: a Stage 1 review of the documented AIMS and your readiness, followed by a Stage 2 audit of the system in operation. The audit examines how your AIMS operates, including:
- The scope and AI policy of the management system, and the roles and accountability around AI
- AI risk assessment and impact assessment — understanding what could go wrong and who could be affected
- Controls across the AI lifecycle — data, design and development, deployment and ongoing monitoring
- Transparency and human oversight of AI systems and their outputs
Annual surveillance audits in the two years after certification, and a recertification audit at the end of the three-year cycle, confirm the system keeps pace with how your use of AI evolves.
Typical timeline
For most organisations, ISO 42001 certification takes around 12–16 weeks, depending on how extensively AI is used and how much governance already exists. Organisations with a large or fast-changing AI footprint take longer. Each engagement begins with a scoping call, followed by a fixed-price proposal within 24 hours.
Common questions
What is an AI Management System (AIMS)?
An AIMS is the management system ISO 42001 certifies: a structured framework of policies, roles, risk and impact assessments, controls and oversight for developing and using artificial intelligence responsibly across its lifecycle — from data and design through deployment and monitoring.
Who needs ISO 42001?
Organisations that develop or deploy AI — SaaS and software companies building AI features, and increasingly any business embedding AI in its products, decisions or operations. As customers and regulators scrutinise how AI is governed, certification is a credible way to show it is managed deliberately.
How does ISO 42001 relate to ISO 27001 and ISO 27701?
ISO 27001 covers information security and ISO 27701 covers privacy; ISO 42001 adds governance specific to artificial intelligence. The three share the common ISO management-system structure and integrate well, so organisations with significant AI and data activity often pursue them together.
Does ISO 42001 mean we comply with the EU AI Act?
Not automatically. ISO 42001 gives you an audited governance framework that supports responsible AI practices and builds much of the foundation regulators expect, but certification to a management-system standard is not the same as legal compliance with any specific regulation, and ISO 42001 is not currently a harmonised standard that confers a presumption of conformity under the EU AI Act. It does, however, make demonstrating responsible governance considerably easier.