Table of Contents
Quick Answer
ISO/IEC 42001:2023 is the world's first certifiable AI management system standard, published 18 December 2023. It follows the Annex SL harmonised structure shared by ISO 9001 and ISO 27001, making integrated management systems practical.
- Certifiable by accredited bodies (BSI, DNV, TUV SUD, Bureau Veritas)
- 10 clauses + Annex A (38 controls) + Annex B (implementation guidance) + Annex C (objectives) + Annex D (application across sectors)
- Complements NIST AI RMF (risk) and ISO/IEC 23894 (risk management in AI)
What Is ISO/IEC 42001?
ISO/IEC 42001 was developed jointly by ISO and IEC through Joint Technical Committee SC 42 on AI. It provides requirements for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS) within an organisation.
It is part of an ISO/IEC family of AI standards including:
- ISO/IEC 22989:2022 — AI concepts and terminology
- ISO/IEC 23053:2022 — Framework for AI systems using ML
- ISO/IEC 23894:2023 — Guidance on risk management
- ISO/IEC 38507:2022 — Governance implications of AI
- ISO/IEC 25059:2023 — Quality model for AI systems
- ISO/IEC 42005:2025 — AI system impact assessment
Key Details / Requirements
The 10 Clauses
| Clause | Title |
|---|---|
| 1 | Scope |
| 2 | Normative references |
| 3 | Terms and definitions |
| 4 | Context of the organization |
| 5 | Leadership |
| 6 | Planning |
| 7 | Support |
| 8 | Operation |
| 9 | Performance evaluation |
| 10 | Improvement |
Annex A Controls (38 across 9 areas)
| Area | Sample Control |
|---|---|
| A.2 Policies | A.2.2 AI policy |
| A.3 Internal organization | A.3.2 AI roles and responsibilities |
| A.4 Resources | A.4.5 Data resources |
| A.5 Assessing AI system impacts | A.5.3 AI system impact assessment |
| A.6 AI system lifecycle | A.6.1 Requirements for AI systems |
| A.7 Data for AI | A.7.5 Data acquisition |
| A.8 Information for interested parties | A.8.2 Information for users of the AI system |
| A.9 AI system use | A.9.2 Intended use of the AI system |
| A.10 Third-party relationships | A.10.3 Suppliers |
Real-World Examples / Case Studies
Anthropic — Publicly committed to pursuing ISO 42001 certification in 2024 and has published its Responsible Scaling Policy aligned with Annex A controls.
KPMG, PwC, Deloitte, EY — All launched ISO 42001 readiness services in 2024.
BSI — Issued its first ISO 42001 certificates in 2024, including to Japanese SoftBank subsidiary.
Microsoft and Google Cloud — Rolling ISO 42001 into enterprise trust-and-compliance portfolios.
What This Means for Organisations
Adopting ISO 42001:
- Fits alongside ISO 27001 (information security) and ISO 9001 (quality) in an integrated management system
- Provides a recognised certification for customer and regulator assurance
- Maps cleanly to EU AI Act Art. 17 (quality management system) obligations
- Is increasingly required in enterprise AI RFPs
Compliance Checklist
- Define AIMS scope (Clause 4.3)
- Issue an AI Policy (A.2.2)
- Establish AI roles and responsibilities (A.3.2)
- Implement AI System Impact Assessments (A.5.3, aligns with ISO 42005)
- Document the AI system lifecycle (A.6)
- Manage data quality and provenance (A.7)
- Publish user information (A.8)
- Conduct internal audits (Clause 9.2)
- Schedule management review (Clause 9.3)
- Engage an accredited certification body
Conclusion
ISO/IEC 42001 is the fastest way to demonstrate responsible AI to customers, regulators, and investors — with a recognised certificate on the wall.
Reach ISO 42001 certification with Misar AI's readiness programme.