The ISO/IEC 42001 Certification Guide
ISO/IEC 42001 is the international, certifiable standard for an Artificial Intelligence Management System (AIMS) — the AI equivalent of what ISO 27001 is to information security. In 2026 it has become the strongest single trust signal for AI-driven products: buyers require it in procurement, Texas's TRAIGA rewards recognized AI risk management, and it maps efficiently onto EU AI Act obligations.
- ISO 42001 covers organizations that develop, provide, or use AI — not just model builders.
- Annex A: 38 controls in 9 areas, from impact assessments to third-party AI.
- Certification takes 6–12 months; an existing ISO 27001 ISMS covers 40–60% of the machinery.
- It does not presume EU AI Act conformity — but it is the most efficient way to operationalize Act obligations.
Who should pursue ISO 42001
- AI product companies — certification answers the security-review question every enterprise buyer now asks.
- Companies embedding third-party AI into consequential workflows — the standard covers users of AI, not just developers.
- Organizations in scope for the EU AI Act or US state AI laws — an AIMS provides the governance scaffolding those laws expect.
The structure: clauses and controls
Like all modern ISO management standards, 42001 follows the harmonized structure — Context, Leadership, Planning, Support, Operation, Performance evaluation, Improvement — so it bolts cleanly onto an existing ISO 27001 ISMS. Annex A lists 38 controls in 9 control areas:
| Control area | What it covers |
|---|---|
| Policies related to AI | AI policy aligned to objectives, reviewed on cadence |
| Internal organization | Roles, responsibilities, and reporting for AI accountability |
| Resources for AI systems | Inventory of data, tooling, models, compute, and competence |
| Assessing impacts | AI system impact assessments on individuals, groups, society |
| AI system lifecycle | Requirements, design, verification, deployment, operation, retirement |
| Data for AI systems | Data acquisition, quality, provenance, preparation |
| Information for interested parties | Transparency: documentation, user information, incident communication |
| Use of AI systems | Responsible-use objectives and intended-use boundaries |
| Third-party relationships | Supplier AI risk, customer obligations, responsibility allocation |
ISO 42001 and the EU AI Act
The two are complementary, not equivalent. Certification does not create a presumption of AI Act conformity — but the overlap is substantial: the Act's risk management system maps to Clause 6 planning and impact-assessment controls; data governance to the data-for-AI area; technical documentation to lifecycle controls; transparency to interested-parties controls; and the quality management system requirement to the AIMS itself. With high-risk obligations scheduled for August 2026 (amid Digital Omnibus proposals to delay parts to 2027–28), building the AIMS now positions you for either timeline. See the EU AI Act Compliance Guide.
The certification path (6–12 months)
- Scope the AIMS. Which AI systems, products, and business units? Start with the AI that matters commercially.
- Gap assessment. Organizations with ISO 27001 typically find 40–60% of the management-system machinery already exists.
- Build the core artifacts: AI policy, AI system inventory, impact-assessment methodology, lifecycle procedures, statement of applicability.
- Operate and evidence. Run impact assessments on real systems, execute a management review and internal audit — auditors need operating evidence, not binders.
- Stage 1 and Stage 2 audits by an accredited certification body; three-year cycle with annual surveillance.
Compyl maps ISO 42001's 38 controls into the same library as ISO 27001, SOC 2, NIST AI RMF, and the EU AI Act — implement once, satisfy many. The platform manages your AI inventory, automates impact-assessment workflows, and keeps your statement of applicability current. Combined with the AI Governance Implementation Guide, this is the fastest route from no-AIMS to audit-ready.
Frequently asked questions
What is ISO/IEC 42001 in one sentence?
How long does ISO 42001 certification take?
Does ISO 42001 certification satisfy the EU AI Act?
ISO 42001 vs NIST AI RMF — which should we adopt?
Do we need ISO 42001 if we only use vendor AI?
Get ISO 42001-ready with Compyl
Compyl unifies governance, risk, compliance and audit on one source of truth — built by CISOs, with a human approving every consequential decision.
About this guide. By Compyl Research. This is general information, not legal advice — consult counsel for your specific obligations. Compyl is an AI-powered, agentic GRC platform built by CISOs.