Compyl
GRC Your Way

What Is ISO 42001? The AI Management System Standard Explained

Last updated: July 14, 2026

ISO/IEC 42001 is the world’s first certifiable international standard for artificial intelligence management systems (AIMS). Published by ISO and IEC in December 2023, it specifies the requirements for establishing, implementing, maintaining, and continually improving a management system for AI. In plain terms, it gives your organization a repeatable framework for governing how AI is built and used, and a certificate that proves it to customers, auditors, and regulators.

This post is part of our complete guide to AI governance, which explains how ISO 42001 fits alongside the EU AI Act and the NIST AI RMF.

Key takeaways

  • ISO/IEC 42001:2023 is the first certifiable standard for AI management systems, published in December 2023.
  • It follows the same harmonized structure as ISO 27001, so an existing ISMS gives you a significant head start.
  • Requirements split into seven mandatory clauses (Clauses 4 through 10) and 38 Annex A controls grouped under nine objectives.
  • Certification uses the familiar two-stage audit model, with a three-year certificate and annual surveillance audits.
  • The standard is voluntary, but enterprise procurement and the EU AI Act are quickly making it the default way to prove AI governance.

What is an AI management system (AIMS)?

An AIMS is to artificial intelligence what an ISMS is to information security: a structured set of policies, processes, roles, and controls that govern AI across its entire lifecycle, from the decision to build or buy a system through deployment, monitoring, and eventual retirement. ISO 42001 does not certify a specific model or product. It certifies that your organization has a working system for identifying AI risks, assessing impacts on people, assigning accountability, and improving over time.

That distinction matters. A certificate is not a safety seal on any single AI feature. It is evidence that the organization behind the feature governs AI deliberately, which is exactly what enterprise buyers and regulators are starting to ask for.

What does ISO 42001 cover?

The standard has two layers. The first is a set of mandatory management system clauses, numbered 4 through 10, covering organizational context, leadership, planning, support, operation, performance evaluation, and improvement. Clause 6 is where ISO 42001 most clearly departs from its older siblings: it requires both an AI risk assessment and an AI impact assessment that considers consequences for individuals, groups, and society. Clause 8 requires you to manage the full AI system lifecycle, including design, verification, deployment, monitoring, and decommissioning.

The second layer is Annex A: a reference set of 38 controls grouped under nine objectives, covering areas such as AI policies, internal organization, resources for AI systems, impact assessment, lifecycle management, data governance, transparency to interested parties, responsible use, and third-party relationships. You select controls based on your risk assessment and justify the choices in a Statement of Applicability. Annex B provides implementation guidance for every control, Annex C catalogs AI risk sources and objectives, and Annex D discusses how the standard applies across domains and sectors.

For a clause-by-clause walkthrough, see our detailed breakdown of ISO 42001 requirements.

Why does ISO 42001 matter in 2026?

Three forces are converging. First, procurement: enterprise security questionnaires now routinely include AI governance sections, and vendors without credible answers lose deals quietly. Second, regulation: the EU AI Act is rolling out in phases. Prohibitions took effect on February 2, 2025 and obligations for general-purpose AI models on August 2, 2025. Under the Digital Omnibus adopted in June 2026, the deadline for most high-risk system obligations moved from August 2026 to December 2, 2027, with AI embedded in regulated products following on August 2, 2028. The delay is breathing room, not a reprieve: the obligations themselves remain, and a certified AIMS covers much of the operational groundwork the Act demands. Third, standardization: ISO 42001 gives auditors and buyers a common yardstick, the same dynamic that turned ISO 27001 and SOC 2 into table stakes.

Who should get ISO 42001 certified?

The strongest candidates are companies shipping AI products or AI-powered features, organizations using AI in decisions that affect people (hiring, lending, insurance, healthcare), and vendors selling into enterprises or regulated industries where AI questions are already showing up in due diligence. Providers of general-purpose models also fit squarely in scope. If your organization only consumes third-party AI tools, the standard still applies, but your scope and control set will be smaller and focused on responsible use and vendor oversight.

How does ISO 42001 certification work?

Certification is issued by certification bodies accredited by national accreditation bodies such as ANAB in the United States or UKAS in the United Kingdom. The audit follows the standard two-stage model. Stage 1 is a readiness review of your documentation: scope, AI policy, risk and impact assessment methodology, and Statement of Applicability. Stage 2 is the implementation audit, where auditors test whether the system actually operates: evidence of assessments performed, controls working, internal audits completed, and management reviews held. A successful audit yields a certificate valid for three years, with annual surveillance audits in between.

Most organizations get there in stages: gap analysis, scope definition, risk and impact assessments, control implementation, internal audit, then the certification audit. Timelines vary with maturity; teams with an existing ISO 27001 program typically move fastest because the two standards share their management system skeleton.

How does ISO 42001 relate to ISO 27001 and SOC 2?

ISO 42001 uses the same harmonized structure as ISO 27001, which means shared clauses for leadership, planning, support, audit, and improvement, and the realistic option of an integrated audit. It does not replace ISO 27001: one governs information security, the other governs AI-specific risks such as bias, transparency, human oversight, and societal impact. SOC 2 is different in kind, an attestation report rather than a certification, and its criteria were not designed around AI. Many organizations end up holding all three for different audiences.

Frequently asked questions

Is ISO 42001 certification mandatory?

No. It is a voluntary standard. No law currently requires it, but enterprise procurement teams increasingly expect it, and it maps closely to obligations under the EU AI Act, so market pressure is doing what mandates would.

How long does ISO 42001 certification take?

It depends on your starting point. Organizations with a mature ISO 27001 program often reach their Stage 2 audit within six to twelve months. Starting from scratch, plan for longer, since policies, assessments, and evidence all need time to operate before an auditor can test them.

Does ISO 42001 replace ISO 27001?

No. They address different risk domains and are designed to run side by side. The overlap in structure means much of your ISMS machinery (document control, internal audit, corrective action) can serve both.

What are the Annex A controls?

Annex A lists 38 reference controls grouped under nine objectives, from AI policies and role definitions to data quality, impact assessment, and third-party management. Not every control is mandatory: you apply the ones your risk assessment justifies and document the rest in your Statement of Applicability.

Can startups and small companies get certified?

Yes. The standard scales with scope. A focused scope covering one AI product line, with proportionate policies and assessments, is a legitimate and auditable AIMS.

If you are working toward certification, Compyl’s ISO 42001 compliance platform maps the controls you already run under ISO 27001 or SOC 2 onto the new standard, tracks your Statement of Applicability, and collects audit evidence continuously, so certification becomes a project measured in months rather than years.

By clicking “Accept”, you agree to the use of cookies on your device in accordance with our Privacy and Cookie policies