ISO/IEC 42001 — AI Management System Standard (Summary)
ISO/IEC 42001:2023 is the first certifiable management-system standard for AI. It defines how an organisation should establish, operate, and continually improve an AI Management System (AIMS), using the same high-level structure as other ISO standards (e.g. ISO/IEC 27001).
Core structure (Clauses 4–10)
- Context (4): Define organisational context, stakeholders, and AIMS scope.
- Leadership (5): Assign roles, responsibilities, and top-management commitment.
- Planning (6): Address AI-related risks and opportunities; set objectives.
- Support (7): Provide resources, competence, awareness, communication, documentation.
- Operation (8): Plan, design, develop, deploy, and operate AI systems under control.
- Performance evaluation (9): Monitor, measure, audit, and review AIMS performance.
- Improvement (10): Manage nonconformities and drive continual improvement.
Annex A controls (AI-specific)
Annex A provides a catalogue of AI-focused controls, including:
- AI policy and internal organisation
- Resources and competence for AI
- Impact and risk assessment for AI systems
- AI system lifecycle management (design, development, validation, deployment, monitoring, retirement)
- Data quality and data governance
- Third-party and vendor relationships
- Information for interested parties (e.g. transparency, documentation)
The standard certifies the management system, not individual models or AI products. A certificate shows that an organisation runs a structured, auditable approach to governing AI, but each use case still needs case-specific application of that system.
Why ISO/IEC 42001 Matters
- Procurement and assurance signal
- Coverage of AI governance methodology
- Strategy: Clause 4 (context, scope, objectives)
- Governance: Clauses 5 and 9 (leadership, oversight, review)
- Risk: Annex A.5 (impact and risk assessment)
- Use cases & maturity: Annex A.6 (lifecycle controls)
- Change & improvement: Clause 10
- Vendor management: Annex A.10 (third-party controls)
- Sustainability & learning: Clause 10.2 (continual improvement)
- Audit defensibility
- Defined AIMS scope and boundaries
- AI policy and governance structure
- Risk and impact registers for AI systems
- Lifecycle records (design, testing, deployment, monitoring, retirement)
- Management review minutes and improvement actions
Relationship to the EU AI Act
- The EU AI Act defines substantive legal obligations (e.g. prohibited practices, high-risk system requirements, transparency duties, GPAI obligations).
- ISO/IEC 42001 defines a management system that structures how an organisation identifies, manages, documents, and reviews AI risks and controls.
They are complementary:
- Operating a robust 42001 AIMS makes it easier to generate and maintain the documentation, risk assessments, and lifecycle evidence the AI Act expects.
- 42001 does not equal AI Act compliance, but a 42001-aligned programme is significantly closer to AI Act readiness than an ad hoc approach.