ISO 42001, the AI management standard, explained
ISO/IEC 42001:2023 is the first international standard for an AI management system (AIMS). It is the governance equivalent of ISO 27001, but for organisations that build or use artificial intelligence. Rather than testing your AI systems against a fixed technical checklist, certification confirms that you run a managed, repeatable process for developing and using AI responsibly.
What ISO 42001 is
ISO/IEC 42001, published in 2023, is the international standard for an artificial intelligence management system. It was created because AI raises governance questions that information-security standards do not fully cover, such as how models are trained, how decisions are explained, and how human oversight is maintained.
Like ISO 27001, it is certifiable. An accredited certification body audits your management system and, if you pass, issues a certificate. The certificate then runs on the usual ISO cycle: annual surveillance audits confirm the system is still operating, and a recertification audit at the end of the three-year cycle renews it.
What an AI management system covers
An AIMS wraps your AI work in a governed lifecycle. The standard sets out management-system requirements in its main clauses and a set of AI-specific reference controls in Annex A (with implementation guidance in Annex B), covering areas such as:
- AI policy, roles, and accountability for AI systems.
- AI risk assessment and AI impact assessment, including effects on individuals and society.
- Data and model governance across the AI lifecycle.
- Transparency and information provided to users about AI systems.
- Human oversight and the ability to intervene.
- Monitoring, logging, and continual improvement of AI systems.
How it relates to ISO 27001
ISO 42001 uses the same management-system structure as ISO 27001: the ISO Harmonized Structure (formerly Annex SL), the shared clause layout ISO uses across its management standards. That means the governance backbone, risk process, internal audit, and management review look familiar if you already run an ISMS.
The two are complementary: ISO 27001 governs information security, ISO 42001 governs responsible AI. Where they overlap, such as risk management and access control, the work can be reused rather than duplicated.
Why it matters now
AI governance is moving from optional to expected. Regulation such as the EU AI Act is raising the bar, and buyers are starting to ask how the AI in your product is governed. ISO 42001 gives you a recognised, auditable way to answer that, and to show customers and regulators that responsible AI is a managed process rather than a promise.
How to approach it
1. Inventory the AI systems you build or use, and the risks each one carries.
2. Set your AI policy, roles, and the scope of your management system.
3. Run AI risk and impact assessments, and put controls against the findings.
4. Reuse your ISO 27001 governance and risk work where the two overlap.
5. Maintain evidence and review it, so you stay audit-ready for certification and surveillance.
Frequently asked questions
Is ISO 42001 certifiable?
Yes. Like ISO 27001, ISO 42001 is certifiable by an accredited certification body after an audit of your AI management system, with surveillance audits to maintain it. The certificate shows that you run a governed, repeatable process for responsible AI.
How is ISO 42001 different from ISO 27001?
ISO 27001 governs information security through an ISMS; ISO 42001 governs responsible AI through an AIMS. They share the same management-system structure, so they fit together, but ISO 42001 adds AI-specific concerns such as impact assessment, model governance, transparency, and human oversight.
Does ISO 42001 satisfy the EU AI Act?
Not automatically. The EU AI Act is law and ISO 42001 is a voluntary standard, so they are different things, and ISO 42001 is not a harmonised standard published under the Act, so certification does not by itself give a presumption of conformity. But running an ISO 42001 management system gives you much of the governance, risk, and documentation the Act expects, which makes meeting your legal obligations more straightforward.
Do this in a fraction of the time
Diligio centralises your approved answers, drafts each response grounded in your sources, and independently verifies it before you review. RFPs, DDQs, and security questionnaires, answered from one knowledge base.