ISO 42001:2023 explained — AI Management Systems
ISO/IEC 42001:2023, published in December 2023, is the world's first certifiable management-system standard for Artificial Intelligence. It gives organisations a structured way to develop, deploy and use AI responsibly — and to demonstrate that to customers, regulators and the public.
What ISO/IEC 42001 covers
ISO 42001 specifies requirements for an AI Management System (AIMS) and complements other AI guidance (ISO 22989, ISO 23894, ISO 23053). Core requirements:
- AI policy and AI objectives aligned with the organisation's context and stakeholders
- AI impact assessment — covering individuals, groups and society
- AI risk assessment and treatment specific to the AI lifecycle
- Roles, responsibilities and competence for AI development and deployment
- Controls across the AI lifecycle: data, design, verification, validation, operation, monitoring
- Third-party AI suppliers and components — due diligence and ongoing oversight
- Continual improvement and management review
Who needs ISO/IEC 42001?
Any organisation that develops, integrates, deploys or supplies AI systems — from foundation-model labs through SaaS vendors integrating LLMs, to regulated industries using AI for decisions about people. Particularly valuable for EU AI Act preparation.
Key points to know
- ISO 42001 sits on the same Annex SL structure as ISO 9001 and ISO 27001 — so it integrates with existing management systems.
- It is the only certifiable AI management standard today. SOC 2 and NIST AI RMF are useful but neither is a certification scheme.
- Demonstrating ISO 42001 conformance is increasingly demanded in enterprise procurement and is one credible route to EU AI Act risk-management requirements.
- AI impact assessment is broader than risk assessment — it considers benefits and harms to individuals, groups and society.
ISO/IEC 42001 — frequently asked questions
What is ISO 42001 in simple terms?
ISO 42001 is a management system standard for AI. It tells an organisation what processes, roles, risk assessments and controls to put in place so the AI it builds or uses is safe, accountable and continually improved.
How is ISO 42001 different from the EU AI Act?
The EU AI Act is law — binding on operators of AI systems in the EU. ISO 42001 is a voluntary management-system standard. Following ISO 42001 doesn't make you compliant with the AI Act automatically, but it is the most credible route to operationalising many of the AI Act's risk-management and governance requirements.
How does ISO 42001 fit alongside ISO 27001?
ISO 27001 covers information security broadly; ISO 42001 covers AI-specific risks (bias, explainability, model drift, training-data provenance). Both share the Annex SL structure, so an organisation already certified to ISO 27001 can integrate ISO 42001 with shared management-system controls.
Who needs ISO 42001 first?
High-impact AI deployers — financial services using AI for credit decisions, healthcare using AI for diagnosis, public-sector AI, employment screening, foundation-model vendors. Anyone selling AI into the EU should evaluate it for AI Act readiness.
What is an "AI impact assessment"?
A structured analysis of the potential impacts (positive and negative) of an AI system on individuals, groups and society. It goes beyond classical risk assessment to include fairness, transparency, human oversight, accessibility and environmental impact. The assessment is documented and reviewed across the AI lifecycle.