Compyl
Framework · ISO 42001

ISO 42001 compliance,
built into your GRC program.

ISO/IEC 42001 is the first international standard for AI management systems, and the EU AI Act is making responsible AI a regulatory requirement rather than a talking point. Compyl runs your AI governance program on the same control library as the rest of your GRC, so most of the evidence you need already exists.

What is ISO 42001?

ISO/IEC 42001 is the international standard for Artificial Intelligence Management Systems (AIMS), published in December 2023. It defines how an organization governs the development and use of AI responsibly: leadership accountability, AI risk and impact assessments, lifecycle controls, data governance, and continuous improvement, with Annex A controls organized into nine categories. Like ISO 27001, it is certifiable: an accredited body audits your AIMS, and certification runs on a three-year cycle with surveillance audits. It is quickly becoming the way companies prove trustworthy AI to customers, boards, and regulators.
Why now

AI governance stopped being optional

The EU AI Act is enforcingThe Act entered into force in August 2024, general-purpose AI obligations began in August 2025, and high-risk system obligations land in August 2026. ISO 42001 is the clearest path to demonstrating the governance the Act expects.
Your customers are askingSecurity questionnaires now include AI sections. Enterprise buyers want evidence that your AI features are governed, and an ISO 42001 certificate answers the question before it is asked.
Boards want proof, not policyAI risk has reached the board agenda. A certifiable management system turns responsible-AI intentions into controls, owners, evidence, and audit results.
How Compyl helps

ISO 42001 on one connected platform

One control library, cross-mapped

ISO 42001 follows the same harmonized structure as ISO 27001, and the overlap is large. Compyl maps each control once, so your existing ISMS evidence counts toward your AIMS from day one.

Automated evidence collection

Pre-built evidence blueprints pull live proof from your stack through in-house integrations, so AI governance controls are monitored continuously, not screenshotted before audits.

AI risk and impact assessments

Run AI risk assessments and system impact assessments in the same risk module you already use, with risk quantified in dollars through FAIR at the Enterprise package.

Policy management, mapped to controls

Draft, approve, and attest AI policies with AI-assisted first drafts, and keep every policy linked to the controls it governs.

Vendor AI oversight

Third parties are where AI risk hides. Assess vendor AI use inside your vendor risk workflows, on the same platform as everything else.

Prove it with your Trust Center

Publish your AI governance posture alongside SOC 2 and ISO 27001, so buyers see responsible AI before they ask.

The ISO 27001 head start

If you already hold ISO 27001, you are further along than you think. ISO 42001 reuses the harmonized management-system structure: context, leadership, planning, support, operation, evaluation, improvement. Compyl’s cross-mapped control library means a large share of your AIMS requirements are satisfied by evidence you already collect, and your quote reflects that: adding a framework on Compyl costs a fraction of starting one from scratch. See how pricing works.

Common questions

ISO 42001: Frequently Asked Questions

What is ISO 42001 in simple terms?
ISO 42001 is the international standard that tells an organization how to govern its use of artificial intelligence responsibly. It works like ISO 27001 but for AI: you build a management system (an AIMS) with policies, risk assessments, controls, and evidence, and an accredited auditor certifies it.
Who needs ISO 42001?
Any organization that develops AI products, embeds AI features, or uses AI in ways that affect customers. Software companies with AI features, regulated industries deploying AI, and vendors selling into enterprises that ask about AI governance are the earliest adopters.
Is ISO 42001 mandatory under the EU AI Act?
No, ISO 42001 is voluntary. The EU AI Act is the law, and ISO 42001 is the clearest recognized way to demonstrate the governance, risk management, and documentation practices the Act expects. Many organizations pursue both together because the work overlaps heavily.
How long does ISO 42001 certification take?
It depends on your starting point. Organizations with an existing ISO 27001 ISMS typically move fastest because the management-system structure and much of the evidence already exist. On a platform with cross-mapped controls, readiness is usually a matter of months rather than a year.
How much does ISO 42001 certification cost?
Total cost includes your readiness work, the platform you run your AIMS on, and the certification body’s audit fees. The biggest cost driver is duplicated effort, which is why running ISO 42001 on the same control library as ISO 27001 matters: evidence collected once satisfies both. Compyl includes all 70+ frameworks, so adding ISO 42001 is not a new line item.
What is the difference between ISO 42001 and ISO 27001?
ISO 27001 governs information security; ISO 42001 governs artificial intelligence. They share the same management-system skeleton, which is why they pair so well: ISO 27001 protects the data, ISO 42001 governs what your AI does with it.
Does Compyl support ISO 42001?
Yes. ISO 42001 is one of the 70+ frameworks in Compyl’s cross-mapped control library, with evidence blueprints, AI risk assessment workflows, policy management, and vendor AI oversight on the same platform as the rest of your GRC program.
GRC your way

Govern AI on the platform you already trust

One control library. Your ISMS evidence, working toward your AIMS.

By clicking “Accept”, you agree to the use of cookies on your device in accordance with our Privacy and Cookie policies