
ISO 42001: The AI Management System Standard

What ISO 42001 covers, who needs it, and how it fits alongside an existing ISO 27001 ISMS. The practical guide for organisations deploying or developing AI.

What ISO 42001 Is

ISO 42001:2023 is the international standard for Artificial Intelligence Management Systems (AIMS). It provides a framework for organisations to develop, provide, or use AI systems responsibly — covering governance, risk management, transparency, and accountability.

Think of it as ISO 27001, but for AI. It follows the same Harmonized Structure (Annex SL, formerly called the High Level Structure) as other ISO management system standards, so the clauses on context, leadership, planning, support, operation, performance evaluation and improvement line up one-to-one with an existing ISMS.


Who Needs It

ISO 42001 is relevant for three types of organisations:

AI Developers — organisations building AI products or models. Certification demonstrates responsible development practices to customers and regulators.

AI Providers — organisations deploying AI systems as part of a service. Relevant where customers or procurement teams are asking how AI is governed.

AI Users — organisations using third-party AI tools in their operations. The standard helps manage the risks of AI adoption even when you don’t build the models yourself.

If your organisation is doing any of the above — and most are, even informally — ISO 42001 is worth understanding.


Core Requirements

Like ISO 27001, ISO 42001 requires:

Context and scope — Define what AI systems are in scope, who the affected parties are, and what your organisation’s role is (developer, provider, or user).

AI Policy — A statement of your organisation’s commitment to responsible AI, approved by leadership.

Risk and impact assessment — Identify and treat risks specific to AI: bias, opacity, safety, data quality, and misuse. Beyond the familiar risk assessment and treatment process, ISO 42001 adds an AI system impact assessment, which looks at the consequences of the system for individuals, groups and society rather than only at risks to the organisation.

Controls — Annex A contains 38 controls, grouped under control objectives covering AI policy, internal organisation, resources, the AI system lifecycle, data governance, information for interested parties (transparency), responsible use and human oversight, and third-party relationships. Annex B gives implementation guidance for each control. As with ISO 27001, you justify inclusion or exclusion of each control in a Statement of Applicability.

Continual improvement — Same ongoing commitment as ISO 27001 — internal audits, management review, corrective actions.


How It Fits With ISO 27001

If you’re already certified to ISO 27001, the integration is relatively clean:

  • Shared management system infrastructure (policies, internal audit, management review, document control)
  • Complementary risk management — AI risks slot into your existing risk register with AI-specific considerations layered on
  • Some Annex A controls overlap — particularly around access control, supplier management, and incident management

The additional effort for an ISO 42001 implementation on top of an existing ISO 27001 ISMS is substantially less than starting from scratch.


The Regulatory Context

ISO 42001 is increasingly relevant given the regulatory trajectory:

  • The EU AI Act (entered into force August 2024, with obligations phasing in through 2025 and 2026) imposes obligations on high-risk AI systems. ISO 42001 is a credible framework for building the governance those obligations require, but it is not a harmonised standard under the Act, so certification alone does not demonstrate conformity; the harmonised standards are still being developed by CEN-CENELEC.
  • Australia’s AI Ethics Framework and voluntary guidelines align with the principles embedded in the standard
  • Enterprise procurement teams, particularly in financial services and government, are beginning to ask AI governance questions

Certification isn’t required to benefit from the framework — many organisations use ISO 42001 as a reference without pursuing formal certification.