What is ISO 42001?
ISO/IEC 42001:2023 is a standard for AI Management Systems. Published in December 2023, it provides a framework for organizations to develop, deploy, and manage AI responsibly.
Think of it as ISO 27001 (information security) or ISO 9001 (quality management), but for AI. If you already know management system standards, the structure will feel familiar: policy, planning, support, operation, evaluation, improvement.
Certification is voluntary. No law requires it. But organizations pursue it to demonstrate due diligence, satisfy customer requirements, or support regulatory compliance efforts.
Key point: ISO 42001 certification doesn't mean you comply with the EU AI Act. They're related but different. The standard helps build processes; the regulation requires specific product outcomes.
Requirements overview
ISO 42001 follows the ISO High-Level Structure (Annex SL), making it easier to integrate with other management systems. Here's what each clause covers:
Clause 4: Context of the organization
Understand your organization's context for AI. Identify interested parties (customers, regulators, employees, affected individuals). Define the scope of your AI management system.
Clause 5: Leadership
Top management must demonstrate commitment. Establish an AI policy. Assign roles, responsibilities, and authorities. Leadership can't delegate this to the tech team alone.
Clause 6: Planning
Address risks and opportunities specific to AI. Set measurable AI objectives. Plan how to achieve them. This includes AI-specific risk assessment that goes beyond traditional IT risk.
Clause 7: Support
Determine and provide resources. Ensure competence of people working with AI systems. Maintain awareness throughout the organization. Document what you need to document.
Clause 8: Operation
This is where AI-specific requirements live. Plan and control AI system development and deployment. Conduct AI impact assessments. Manage the AI system lifecycle. Handle third-party AI responsibly.
Clause 9: Performance evaluation
Monitor and measure your AI systems and management system. Conduct internal audits. Management review must include AI-specific considerations.
Clause 10: Improvement
Handle nonconformities and take corrective action. Continuously improve the management system and your AI practices.
ISO 42001 vs EU AI Act
| Aspect | ISO 42001 | EU AI Act |
|---|---|---|
| Nature | Voluntary standard | Legal requirement |
| Scope | Global | EU market |
| Focus | Management system (how you work) | Product compliance (what you ship) |
| Certification | Available from accredited bodies | Conformity assessment (mostly self-declared) |
| Penalties | None (voluntary) | Up to 7% of global annual turnover |
How they work together: ISO 42001 gives you processes for managing AI responsibly. Those processes can help you meet EU AI Act requirements, but they're not the same thing.
For example: ISO 42001 requires you to have a risk management process. The EU AI Act requires high-risk AI systems to implement specific risk management measures. Your ISO 42001-compliant process can support AI Act compliance, but you still need to demonstrate product-level conformity.
Certification process
Timeline
Typical certification takes 6-12 months from starting implementation. This varies based on organizational size, existing management systems, and certification body availability.
Steps
- Gap analysis. Compare current practices against ISO 42001 requirements.
- Implementation. Build or adapt your AI management system. Document policies, procedures, and processes.
- Internal audit. Test your system before the certification body arrives.
- Stage 1 audit. Documentation review. The auditor checks if your system looks ready.
- Stage 2 audit. Implementation review. The auditor checks if you're actually doing what you documented.
- Certification decision. If you pass, you get the certificate.
- Surveillance audits. Annual check-ins to maintain certification.
Costs
Certification costs vary by organization size and certification body. Budget for:
- Consulting support (if needed)
- Staff time for implementation
- Certification body fees
- Annual surveillance audit fees
Getting started
Here's what to do now:
- Get the standard. Purchase ISO/IEC 42001:2023 from ISO or your national standards body.
- Assess your current state. What AI governance do you already have? Where are the gaps?
- Decide on scope. Will you certify the whole organization or specific AI systems/business units?
- Build the business case. Why certification? Customer requirement? Regulatory support? Competitive advantage?
- Plan resources. Who will lead implementation? Do you need external help?
Pro tip: If you already have ISO 27001 or ISO 9001, you have a head start. ISO 42001 uses the same structure, and you can integrate the management systems.