What is ISO 42001? The AI Management System Standard Explained

ISO/IEC 42001 is the first international standard for an artificial intelligence management system (AIMS). Published in December 2023, it sets out how an organisation should govern, risk-assess and continually improve the AI it builds or uses. Any organisation can certify to it, whether you develop AI or deploy someone else’s, in any sector.

What ISO 42001 is

ISO/IEC 42001 is a management system standard. It does not tell you which AI to build or ban; it tells you how to run a system that keeps your AI accountable, documented and under control as it changes. It follows the same high-level structure as ISO 27001 and ISO 9001, so it sits alongside the standards many companies already hold rather than replacing them.

The standard exists because AI introduces risks ordinary software does not: bias, opacity, model drift, and decisions made with limited human oversight. ISO 42001 gives an organisation a repeatable way to identify those risks, assign ownership, and prove the system works to a customer, a board or a regulator.

Who ISO 42001 applies to

ISO 42001 applies to any organisation that develops, provides or uses AI, of any size and in any industry. The standard recognises that companies play different roles: you might build and sell an AI product, embed a third-party model in your own service, or simply use AI tools internally. Your obligations scale to that role and to the risk your AI carries.

For a SaaS company shipping AI features, certification is increasingly a sales requirement: enterprise buyers and their procurement teams now ask who owns AI governance before they sign. For a smaller team experimenting with AI, the standard scales down to a proportionate set of controls rather than an enterprise programme.

How the standard is structured: clauses 4 to 10 and Annex A

ISO 42001 is built on two parts. Clauses 4 to 10 set the management-system requirements: context of the organisation, leadership, planning, support, operation, performance evaluation and improvement. These are the requirements an auditor certifies you against.

Annex A lists 38 controls, grouped under control objectives covering areas such as AI policy, internal roles, resources for AI systems, the AI lifecycle, data for AI, information for interested parties, and use of AI systems. You select and justify which controls apply in a Statement of Applicability, the same mechanism ISO 27001 uses. Further annexes give implementation guidance, set out potential AI risk sources, and explain how the standard applies across different domains.

The AI system impact assessment: the requirement that sets 42001 apart

The distinctive requirement in ISO 42001 is the AI system impact assessment. Beyond assessing risk to the organisation, you have to assess how your AI affects individuals, groups and wider society, covering issues like fairness, safety, transparency and the consequences of an automated decision going wrong. You document those impacts, decide what to do about them, and revisit the assessment as the system changes. No other widely held ISO management standard asks for this, and it is usually the part of the standard that takes a SaaS team the most thought.

ISO 42001 vs ISO 27001

ISO 27001 governs information security: keeping data confidential, available and intact. ISO 42001 governs how AI is managed: whether it is fair, accountable and overseen. They overlap on structure and on data controls, but they answer different questions, and holding one does not satisfy the other.

ISO 27001ISO 42001
Information security managementAI management
Protects data and systemsGoverns how AI behaves and is overseen
Mature, widely demanded by buyersNew (2023), increasingly asked for in AI deals
No impact assessment on third parties requiredAI system impact assessment required

Because they share the same clause structure, the two integrate well. Many companies that already hold ISO 27001 add ISO 42001 onto the same management system rather than running two separate programmes.

How ISO 42001 certification works

Certification follows the standard ISO route. You run a gap analysis against the requirements, build the management system and controls you are missing, then run an internal audit to test it. An accredited certification body then carries out a Stage 1 audit of your documentation and a Stage 2 audit of how it works in practice. Pass both and you receive your certificate, maintained through annual surveillance audits over a three-year cycle.

How long it takes depends on how much of a management system you already have. A company that holds ISO 27001 has a head start; one starting from nothing needs longer to build and embed the controls before an audit is worthwhile. Our ISO 42001 implementation guide walks through each phase and what determines the timeline.

What drives the cost

There is no fixed price for ISO 42001, and any single figure quoted online is misleading. The real cost is driven by a handful of factors: the size of your organisation, the number and complexity of the AI systems in scope, how mature your existing governance is, whether you already hold a related ISO certification, and the certification body’s own audit fees. The largest variable is usually internal effort, which is exactly what a fixed-scope engagement is designed to reduce.

ISO 42001 and the EU AI Act

ISO 42001 and the EU AI Act are not the same thing. The AI Act is binding regulation that classifies AI systems by risk and imposes obligations accordingly; ISO 42001 is a voluntary management-system standard. Holding the certification does not by itself make you AI Act compliant. What it does give you is the governance backbone the regulation expects, evidence that you assess AI risk and impact, assign accountability and oversee your systems, which makes demonstrating compliance considerably easier. We cover the relationship in detail in ISO 42001 and the EU AI Act.

How Atoro helps

Atoro is Europe’s first ISO 42001 certified consultancy, with more than 200 certifications delivered across security and compliance. We run the same AI management system we help clients build, so the guidance is grounded in having been through the audit ourselves, not in theory. We offer ISO 42001 implementation on a fixed scope, and independent ISO 42001 internal audits for teams who have built the system and need it tested before certification.

ISO 42001 FAQs

What is ISO 42001?

ISO/IEC 42001 is the international standard that specifies requirements for establishing, implementing, maintaining and continually improving an artificial intelligence management system (AIMS). It gives organisations a structured way to govern the AI they build or use.

Who needs ISO 42001?

Any organisation that develops, provides or uses AI, of any size and in any sector. For SaaS companies shipping AI features it is increasingly a requirement in enterprise sales, where buyers want to see who owns AI governance.

When was ISO 42001 published?

ISO/IEC 42001 was published in December 2023. It is the first international standard for an AI management system.

Is ISO 42001 certification mandatory?

No. Like other ISO management system standards, certification is voluntary. Organisations pursue it to demonstrate responsible AI governance to customers, regulators and investors, and increasingly because buyers ask for it.

How many controls does ISO 42001 have?

Annex A of ISO 42001 contains 38 controls, grouped under control objectives covering areas such as AI policy, roles and responsibilities, the AI lifecycle, data for AI systems, and use of AI. You select and justify the applicable controls in a Statement of Applicability.

What is the difference between ISO 42001 and ISO 27001?

ISO 27001 manages information security; ISO 42001 manages AI. They share the same clause structure and integrate well, but holding one does not satisfy the other. Many companies add ISO 42001 onto an existing ISO 27001 management system.

Does ISO 42001 make us EU AI Act compliant?

Not on its own. The EU AI Act is binding regulation; ISO 42001 is a voluntary standard. The certification gives you the governance backbone the Act expects and makes demonstrating compliance easier, but it is not a substitute for meeting the regulation’s specific obligations.

How long does ISO 42001 certification take?

It depends on how much management system you already have. A company holding ISO 27001 can move faster; one starting from nothing needs time to build and embed controls before the Stage 1 and Stage 2 audits are worthwhile.

How do you get ISO 42001 certified?

Run a gap analysis against the standard, build the missing parts of your AI management system, and pass an internal audit. An accredited certification body then carries out a Stage 1 audit of your documentation and a Stage 2 audit of how it works in practice. Clear both and you receive your certificate, maintained by annual surveillance audits over a three-year cycle.