ISO/IEC 42001:2023 is the first international standard for AI management systems (AIMS). Published in December 2023, it specifies requirements for organizations that develop, provide, or use AI systems to establish, implement, maintain, and continually improve an AI management system. It follows the Harmonized Structure used by other ISO management system standards (ISO 9001, ISO 27001), making it integrable with existing management systems.

Structure

Like other ISO management system standards, ISO 42001 follows the Plan-Do-Check-Act cycle. It covers organizational context and stakeholder needs, leadership commitment and AI policy, planning for risks and opportunities, support (resources, competence, awareness, communication, documentation), operation (AI system lifecycle processes, impact assessment, data management), performance evaluation (monitoring, measurement, internal audit, management review), and improvement (nonconformity handling, corrective action, continual improvement).

Key Requirements

Organizations must establish an AI policy that reflects their commitment to responsible AI. They must conduct AI impact assessments for their systems. They must implement controls from Annex A (which covers AI-specific controls for data management, model development, deployment, and monitoring) and Annex B (which provides guidance on AI objectives). Risk treatment must address both organizational risks and risks to individuals and society from the AI system.

Certification

Organizations can be certified against ISO 42001 by accredited certification bodies. Certification demonstrates to customers, regulators, and stakeholders that the organization has a systematic approach to managing AI. Several major cloud providers and AI companies achieved early certification in 2024.

Relationship to Regulations

ISO 42001 is not a regulation, but compliance with it supports regulatory compliance. The EU AI Act’s requirements for quality management systems and risk management align closely with ISO 42001’s structure. Organizations certified to ISO 42001 will find it easier to demonstrate compliance with the EU AI Act’s organizational requirements, though certification alone does not guarantee regulatory compliance.

ISO 42001 complements ISO 27001 (information security) and ISO 27701 (privacy), and organizations can integrate all three into a unified management system.
