ISO/IEC 42001 - The First Certifiable AI Management System Standard
What ISO/IEC 42001 is, why it matters as the first international standard for AI management systems, and how it structures organizational AI governance.
ISO/IEC 42001, published in December 2023, is the first international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS) within organizations. Unlike guidance frameworks such as the NIST AI RMF, ISO/IEC 42001 is a certifiable standard: organizations can undergo third-party audits to demonstrate conformance, much as they do with ISO 27001 for information security or ISO 9001 for quality management.
Why a Management System Standard for AI
Organizations adopting AI face a governance gap. They may have information security policies, quality management processes, and data protection controls, but none of these fully address the unique risks AI introduces: model bias, lack of explainability, data provenance concerns, and the challenge of managing systems whose behavior is learned rather than explicitly programmed.
ISO/IEC 42001 fills this gap by providing a structured management system approach specifically designed for AI. It gives organizations a certifiable way to demonstrate to customers, regulators, and partners that they manage AI responsibly and systematically.
Structure of the Standard
ISO/IEC 42001 follows the Harmonized Structure (Annex SL) used by all modern ISO management system standards. This means organizations already certified to ISO 27001 or ISO 9001 will recognize the clause structure and can integrate their AIMS with existing management systems.
The core clauses cover:
- Context of the Organization - Understanding internal and external factors relevant to AI, including stakeholder needs and the scope of the AIMS.
- Leadership - Top management commitment, AI policy establishment, and assignment of roles and responsibilities.
- Planning - AI risk assessment, treatment of AI-related risks and opportunities, and objectives for the AIMS.
- Support - Resources, competence, awareness, communication, and documented information needed to operate the AIMS.
- Operation - Operational planning and control, AI risk assessment execution, and AI risk treatment implementation.
- Performance Evaluation - Monitoring, measurement, analysis, internal audit, and management review of the AIMS.
- Improvement - Nonconformity handling, corrective action, and continual improvement of the AIMS.
Key Annexes
The standard includes several informative annexes that provide practical guidance:
Annex A contains a set of controls organized into themes including AI system impact assessment, data governance for AI, AI system lifecycle management, third-party and customer relationships, and responsible use of AI. Organizations select applicable controls based on their risk assessment and document their choices in a Statement of Applicability.
Annex B provides implementation guidance for each Annex A control. Annex C offers guidance on AI-related organizational objectives and risk sources. Annex D addresses the use of AI across domains and sectors.
Certification Process
Certification to ISO/IEC 42001 follows the standard ISO audit process: a Stage 1 audit reviews documentation and readiness, and a Stage 2 audit evaluates implementation effectiveness. Certification is granted by accredited certification bodies and is valid for three years, with annual surveillance audits.
Early adopters include AI vendors seeking competitive differentiation, regulated industries preparing for the EU AI Act, and organizations in supply chains where customers require demonstrable AI governance. The standard is particularly relevant for organizations that develop AI systems for others, as certification provides an externally validated signal of governance maturity.
Relationship to Other Standards
ISO/IEC 42001 is part of a broader family of AI standards under ISO/IEC JTC 1/SC 42. Related standards include ISO/IEC 23894 for AI risk management, ISO/IEC 38507 for governance of AI by boards, and the ISO/IEC 5338 series for AI system lifecycle processes. Organizations often use ISO/IEC 42001 as the management system backbone and reference these companion standards for specific technical or governance practices.
Sources
- ISO/IEC 42001:2023. Information technology — Artificial intelligence — Management system. International Organization for Standardization, December 2023. https://www.iso.org/standard/81230.html — The normative standard itself.
- ISO/IEC 23894:2023. Information technology — Artificial intelligence — Guidance on risk management. ISO/IEC, 2023. https://www.iso.org/standard/77304.html — Companion risk management guidance referenced within ISO 42001.
- ISO/IEC JTC 1/SC 42. Artificial intelligence — Catalogue of standards. ISO. https://www.iso.org/committee/6794475.html — Overview of all standards in the AI standards family under the same technical committee.