Table of Contents
Quick Answer
ISO/IEC 42001:2023 is the world's first certifiable AI management system standard, published 18 December 2023. It follows the Annex SL harmonised structure shared by ISO 9001 and ISO 27001, making integrated management systems practical.
- Certifiable by accredited bodies (BSI, DNV, TUV SUD, Bureau Veritas)
- 10 clauses + Annex A (38 controls) + Annex B (implementation guidance) + Annex C (objectives) + Annex D (application across sectors)
- Complements NIST AI RMF (risk) and ISO/IEC 23894 (risk management in AI)
What Is ISO/IEC 42001?
ISO/IEC 42001 was developed jointly by ISO and IEC through Joint Technical Committee SC 42 on AI. It provides requirements for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS) within an organisation.
It is part of an ISO/IEC family of AI standards including:
- ISO/IEC 22989:2022 — AI concepts and terminology
- ISO/IEC 23053:2022 — Framework for AI systems using ML
- ISO/IEC 23894:2023 — Guidance on risk management
- ISO/IEC 38507:2022 — Governance implications of AI
- ISO/IEC 25059:2023 — Quality model for AI systems
- ISO/IEC 42005:2025 — AI system impact assessment
Key Details / Requirements
The 10 Clauses
Clause
Title
1
Scope
2
Normative references
3
Terms and definitions
4
Context of the organization
5
Leadership
6
Planning
7
Support
8
Operation
9
Performance evaluation
10
Improvement
Annex A Controls (38 across 9 areas)
Area
Sample Control
A.2 Policies
A.2.2 AI policy
A.3 Internal organization
A.3.2 AI roles and responsibilities
A.4 Resources
A.4.5 Data resources
A.5 Assessing AI system impacts
A.5.3 AI system impact assessment
A.6 AI system lifecycle
A.6.1 Requirements for AI systems
A.7 Data for AI
A.7.5 Data acquisition
A.8 Information for interested parties
A.8.2 Information for users of the AI system
A.9 AI system use
A.9.2 Intended use of the AI system
A.10 Third-party relationships
A.10.3 Suppliers
Real-World Examples / Case Studies
Anthropic — Publicly committed to pursuing ISO 42001 certification in 2024 and has published its Responsible Scaling Policy aligned with Annex A controls.
KPMG, PwC, Deloitte, EY — All launched ISO 42001 readiness services in 2024.
BSI — Issued its first ISO 42001 certificates in 2024, including to Japanese SoftBank subsidiary.
Microsoft and Google Cloud — Rolling ISO 42001 into enterprise trust-and-compliance portfolios.
What This Means for Organisations
Adopting ISO 42001:
- Fits alongside ISO 27001 (information security) and ISO 9001 (quality) in an integrated management system
- Provides a recognised certification for customer and regulator assurance
- Maps cleanly to EU AI Act Art. 17 (quality management system) obligations
- Is increasingly required in enterprise AI RFPs
Compliance Checklist
- Define AIMS scope (Clause 4.3)
- Issue an AI Policy (A.2.2)
- Establish AI roles and responsibilities (A.3.2)
- Implement AI System Impact Assessments (A.5.3, aligns with ISO 42005)
- Document the AI system lifecycle (A.6)
- Manage data quality and provenance (A.7)
- Publish user information (A.8)
- Conduct internal audits (Clause 9.2)
- Schedule management review (Clause 9.3)
- Engage an accredited certification body
FAQs
Q: Is ISO 42001 mandatory?
No — it is voluntary, but increasingly demanded in enterprise procurement.
Q: How does it differ from NIST AI RMF?
AI RMF is a risk-management framework; ISO 42001 is a management-system standard that can be certified.
Q: How long does certification take?
Typically 6-12 months: 3-6 months to implement + 2-stage audit (Stage 1 documentation, Stage 2 operations).
Q: Who certifies?
Accredited bodies including BSI, DNV, TUV SUD, Bureau Veritas, SGS, and TUV Rheinland.
Q: Does it help with the EU AI Act?
Yes — it operationalises Articles 9, 10, 13, 14, 17, and 62.
Q: Is 42001 the same as ISO 42005?
No — 42001 is the AIMS standard; 42005 is the AI impact assessment standard published in 2025.
Q: Cost?
Implementation (staff time + consultants) USD 50K-500K depending on size; certification fees USD 10K-100K.
Conclusion
ISO/IEC 42001 is the fastest way to demonstrate responsible AI to customers, regulators, and investors — with a recognised certificate on the wall.
Reach ISO 42001 certification with Misar AI's readiness programme.