ISO/IEC 42001 is the first international management system standard for artificial intelligence, and the first against which an organisation can be certified. Published in December 2023 and developed within ISO/IEC JTC 1/SC42, it does for AI what ISO 9001 did for quality and ISO/IEC 27001 did for information security: it turns "we take this seriously" from a claim into an auditable set of organisational practices. Interest in certification has grown rapidly, driven by procurement requirements, regulatory pressure, and the simple fact that customers increasingly ask for evidence rather than assurances.

Yet much of the commentary on 42001 stays at the level of the acronym. This article looks at what the standard actually asks of an organisation, and what implementing it realistically involves.

A Management System, Not a Product Checklist

The most common misunderstanding about ISO/IEC 42001 is that it certifies an AI system. It does not. It certifies an organisation's management system for AI: the policies, roles, processes, and controls through which the organisation governs how it develops, provides, or uses AI. A company can hold a 42001 certificate and still ship a flawed model; what the certificate attests is that the organisation has a systematic, documented, and independently audited way of identifying and managing AI-related risks and responsibilities.

This distinction matters when reading vendor claims. "ISO 42001 certified" is meaningful evidence of organisational maturity. It is not a safety rating for any particular product, and treating it as one repeats the mistake of reading ISO 9001 certification as a product quality guarantee.

How the Standard Is Structured

Like other modern ISO management system standards, 42001 follows the harmonised structure, which means organisations already running an ISO/IEC 27001 or ISO 9001 system will find the skeleton familiar:

Annex A provides a reference set of controls, spanning areas such as policies for AI, internal organisation, resources for AI systems, impact assessment, the AI system lifecycle, data management, information for interested parties, use of AI systems, and third-party relationships. As with ISO/IEC 27001, organisations select and justify controls based on their risk assessment rather than implementing everything mechanically.

"ISO/IEC 42001 does not certify your AI system. It certifies that your organisation has a systematic, auditable way of governing how AI is built, deployed, and used."

The Impact Assessment: The Genuinely New Part

For organisations experienced with other management systems, most of 42001 is a familiar discipline applied to a new domain. The element with the least precedent is the AI system impact assessment. Conventional risk assessment asks what could harm the organisation. The impact assessment asks what the AI system could do to others: individuals affected by its decisions, groups who may experience differential performance, and society more broadly.

Doing this well requires capabilities many organisations have never needed in a compliance function: understanding how a model's failure modes translate into human consequences, reasoning about fairness across groups, and documenting judgements that are contestable rather than mechanical. It is also where 42001 connects most directly to regulation: the reasoning it demands overlaps substantially with the fundamental-rights and risk-management thinking required under the EU AI Act.

What Implementation Realistically Involves

Timelines vary with organisational size and maturity, but the shape of the work is consistent:

A realistic end-to-end effort for a mid-sized organisation is measured in months, not weeks, and the common failure mode is treating it as a documentation sprint. Auditors are increasingly experienced at distinguishing a management system that operates from a binder of policies written the month before the audit.

Should Your Organisation Pursue It?

Certification is not the right first question. The right first question is whether your organisation can currently answer, with evidence: what AI systems do we develop or use, what could they do to the people affected by them, and who is accountable for that? If the answer is no, the disciplines in 42001 are worth adopting whether or not a certificate follows. If customers, regulators, or procurement frameworks are asking for demonstrable AI governance (an increasingly common situation), certification converts work you should be doing anyway into a portable, independently verified credential.

42001 also does not stand alone. It draws its vocabulary from ISO/IEC 22989, its risk-management guidance from ISO/IEC 23894, and its lifecycle framing from related SC42 work. Organisations get the most value when they treat it as the organising frame for that wider landscape rather than a standalone checkbox.

References

Considering ISO/IEC 42001 for your organisation?

We help organisations scope, gap-assess, and build AI management systems that hold up to audit, grounded in direct experience of the SC42 standards landscape.

Contact us