ISO/IEC 42001 is the first international management system standard for artificial intelligence, and the first against which an organisation can be certified. Published in December 2023 and developed within ISO/IEC JTC 1/SC42, it does for AI what ISO 9001 did for quality and ISO/IEC 27001 did for information security: it turns "we take this seriously" from a claim into an auditable set of organisational practices. Interest in certification has grown rapidly, driven by procurement requirements, regulatory pressure, and the simple fact that customers increasingly ask for evidence rather than assurances.
Yet much of the commentary on 42001 stays at the level of the acronym. This article looks at what the standard actually asks of an organisation, and what implementing it realistically involves.
A Management System, Not a Product Checklist
The most common misunderstanding about ISO/IEC 42001 is that it certifies an AI system. It does not. It certifies an organisation's management system for AI: the policies, roles, processes, and controls through which the organisation governs how it develops, provides, or uses AI. A company can hold a 42001 certificate and still ship a flawed model; what the certificate attests is that the organisation has a systematic, documented, and independently audited way of identifying and managing AI-related risks and responsibilities.
This distinction matters when reading vendor claims. "ISO 42001 certified" is meaningful evidence of organisational maturity. It is not a safety rating for any particular product, and treating it as one repeats the mistake of reading ISO 9001 certification as a product quality guarantee.
How the Standard Is Structured
Like other modern ISO management system standards, 42001 follows the harmonised structure, which means organisations already running an ISO/IEC 27001 or ISO 9001 system will find the skeleton familiar:
- Context of the organisation: determining the organisation's role in the AI value chain (developer, provider, user, often several at once) and the internal and external issues that shape its AI activities.
- Leadership: an AI policy, top-management commitment, and clearly assigned roles and responsibilities for AI governance.
- Planning: risk assessment and risk treatment, plus a requirement distinctive to 42001: the AI system impact assessment, which considers consequences for individuals, groups, and society, not just for the organisation itself.
- Support and operation: resources, competence, awareness, documentation, and the operational processes through which risk treatments and controls are actually applied across the AI system lifecycle.
- Performance evaluation and improvement: monitoring, internal audit, management review, and corrective action: the machinery that keeps the system honest over time.
Annex A provides a reference set of controls, spanning areas such as policies for AI, internal organisation, resources for AI systems, impact assessment, the AI system lifecycle, data management, information for interested parties, use of AI systems, and third-party relationships. As with ISO/IEC 27001, organisations select and justify controls based on their risk assessment rather than implementing everything mechanically.
"ISO/IEC 42001 does not certify your AI system. It certifies that your organisation has a systematic, auditable way of governing how AI is built, deployed, and used."
The Impact Assessment: The Genuinely New Part
For organisations experienced with other management systems, most of 42001 is a familiar discipline applied to a new domain. The element with the least precedent is the AI system impact assessment. Conventional risk assessment asks what could harm the organisation. The impact assessment asks what the AI system could do to others: individuals affected by its decisions, groups who may experience differential performance, and society more broadly.
Doing this well requires capabilities many organisations have never needed in a compliance function: understanding how a model's failure modes translate into human consequences, reasoning about fairness across groups, and documenting judgements that are contestable rather than mechanical. It is also where 42001 connects most directly to regulation: the reasoning it demands overlaps substantially with the fundamental-rights and risk-management thinking required under the EU AI Act.
What Implementation Realistically Involves
Timelines vary with organisational size and maturity, but the shape of the work is consistent:
- Scoping and gap analysis: establishing which AI activities are in scope, what governance already exists, and where the gaps are. Organisations with an existing 27001 system typically find they can extend rather than duplicate much of the machinery.
- Building the inventory: most organisations discover during scoping that they do not have a reliable inventory of the AI systems they use, including AI embedded in procured software. This step alone often justifies the exercise.
- Risk and impact assessment: the analytical core, and the part most dependent on genuine AI expertise rather than management-system experience.
- Controls, documentation, and operation: selecting controls, writing the policies and procedures that give them effect, and, crucially, running them long enough to generate the records an auditor will ask for.
- Audit: internal audit and management review, followed by the two-stage certification audit if certification is the goal. Accredited certification is supported by ISO/IEC 42006, which sets requirements for the bodies that audit and certify AI management systems.
A realistic end-to-end effort for a mid-sized organisation is measured in months, not weeks, and the common failure mode is treating it as a documentation sprint. Auditors are increasingly experienced at distinguishing a management system that operates from a binder of policies written the month before the audit.
Should Your Organisation Pursue It?
Certification is not the right first question. The right first question is whether your organisation can currently answer, with evidence: what AI systems do we develop or use, what could they do to the people affected by them, and who is accountable for that? If the answer is no, the disciplines in 42001 are worth adopting whether or not a certificate follows. If customers, regulators, or procurement frameworks are asking for demonstrable AI governance (an increasingly common situation), certification converts work you should be doing anyway into a portable, independently verified credential.
42001 also does not stand alone. It draws its vocabulary from ISO/IEC 22989, its risk-management guidance from ISO/IEC 23894, and its lifecycle framing from related SC42 work. Organisations get the most value when they treat it as the organising frame for that wider landscape rather than a standalone checkbox.
References
- ISO/IEC 42001:2023, Information technology: Artificial intelligence management system, ISO
- ISO/IEC 42006:2025, Requirements for bodies providing audit and certification of artificial intelligence management systems, ISO
- ISO/IEC 22989:2022, Artificial intelligence concepts and terminology, ISO
- ISO/IEC 23894:2023, Artificial intelligence: Guidance on risk management, ISO
- Regulation (EU) 2024/1689 (the EU AI Act), EUR-Lex
Considering ISO/IEC 42001 for your organisation?
We help organisations scope, gap-assess, and build AI management systems that hold up to audit, grounded in direct experience of the SC42 standards landscape.
Contact us