ISO 42001: the standard for governing AI.

ISO/IEC 42001:2023

Direct answer

ISO/IEC 42001 is the world's first certifiable international standard for an AI management system (AIMS). Published in December 2023, it gives organizations that develop, provide, or use AI a risk-based framework, ten clauses plus 38 Annex A controls, to govern AI responsibly. Accredited bodies certify it. Certification supports, but does not equal, EU AI Act compliance.

What ISO 42001 is

ISO/IEC 42001 is the first international management-system standard for artificial intelligence. It does for AI what ISO 27001 does for information security: it gives an organization a structured, auditable way to set objectives, assess risk, apply controls, and improve over time, specifically for the AI systems it builds, provides, or uses. It is built on the same Annex SL Harmonized Structure as ISO 27001 and ISO 9001, and it is certifiable by accredited third-party bodies, so responsible AI governance can be demonstrated rather than just asserted.

Why ISO 42001 matters now

AI is moving into decisions that affect real people, which raises questions of bias, transparency, and oversight that security and quality standards do not answer. Regulation is arriving in parallel. ISO 42001 gives teams a recognized way to get ahead of both, and it has a currency advantage worth using: most published guidance still shows the old EU AI Act high-risk date of 2 August 2026, which has since shifted.

Corrected EU AI Act timeline (verify Official Journal status at publish):

  • 1 August 2024: the EU AI Act entered into force.
  • 2 February 2025: prohibitions on unacceptable-risk AI and AI literacy obligations apply.
  • 2 August 2025: general-purpose AI model obligations apply.
  • 2 August 2026: Article 50 transparency obligations remain live. Do not stand this work down.
  • 2 December 2026: grace deadline for generative AI providers applying watermarking or other transparency measures.
  • 2 December 2027: revised application date for standalone high-risk systems (Annex III), moved from 2 August 2026.
  • 2 August 2028: revised application date for high-risk AI embedded in regulated products (Annex I).

The revised high-risk dates come from the Digital Omnibus political agreement of 7 May 2026 and take legal effect only on publication in the Official Journal. Until then the original dates remain the legal baseline.

The structure: ten clauses

ISO 42001 has ten clauses. Clauses 1 to 3 cover scope, normative references, and terms. Clauses 4 to 10 are the auditable requirements, shared in shape with ISO 27001 and ISO 9001, which is what makes the standards integrate. The AI-specific demands concentrate in Clauses 6 (planning, including risk and impact assessment) and 8 (operation across the AI lifecycle).

ISO 42001 clause summary
ClauseTitleRequirement in one line
4Context of the organizationDetermine internal and external issues, interested parties, and define the AIMS scope (4.3).
5LeadershipTop-management commitment, an approved AI policy, and assigned roles.
6PlanningAI risk assessment, AI system impact assessment, risk treatment, the SoA, and AI objectives.
7SupportResources, competence, awareness, communication, documented information.
8OperationOperational control across the AI lifecycle; execute risk treatment and impact assessments.
9Performance evaluationMonitoring, measurement, internal audit, management review.
10ImprovementNonconformity, corrective action, continual improvement.

Annex A: 38 controls in 9 objectives

Annex A provides 38 reference controls organized into 9 objectives, numbered A.2 to A.10. They are a reference set, not a mandatory checklist: you select the applicable controls through risk assessment and record the include or exclude decision, with justification, in your Statement of Applicability. The standard also includes Annex B (implementation guidance), Annex C (potential AI objectives and risk sources), and Annex D (sector and cross-standard integration).

Note: a minority of sources cite 39 controls. The ISO-aligned count is 38. The full control-by-control breakdown is on the Annex A controls spoke.

ISO 42001 Annex A objectives
ObjectiveTitleControls
A.2Policies related to AI3
A.3Internal organization2
A.4Resources for AI systems5
A.5Assessing impacts of AI systems4
A.6AI system life cycle8
A.7Data for AI systems5
A.8Information for interested parties5
A.9Use of AI systems3
A.10Third-party and customer relationships3
Total38

What certification requires

To certify, an organization implements Clauses 4 to 10: define context and AIMS scope, demonstrate leadership and an AI policy, plan through AI risk and impact assessments, provide resources and competence, operate lifecycle controls, evaluate performance through internal audit and management review, and improve continually. The applicable Annex A controls are selected by risk and justified in the Statement of Applicability, which is a primary audit deliverable and the place teams most often slip.

How to get certified, and what it costs

Certification is awarded by an accredited third-party body after a two-stage audit. Stage 1 reviews documentation; Stage 2 tests the system in practice. Certificates run three years with annual surveillance audits. In the US look for ANAB accreditation, in the UK UKAS, in the Netherlands RvA. ISO itself does not certify. End to end, a typical program runs three to nine months depending on scope and existing management-system maturity.

Cost estimates (public data is limited; treat as estimates, not official tariffs):

  • Certification-body audit fees: roughly USD 15,000 to 60,000 in year one for small to mid organizations.
  • Implementation effort: often USD 10,000 to 40,000.
  • Annual surveillance: around USD 3,000 to 10,000.
  • ISO 42001 audits currently run higher than equivalent ISO 27001 audits because the accredited-auditor pool is small.

Adoption: no reliable official count of certified organizations exists. Third-party estimates put the total above 350 globally through April 2026.

ISO 42001 certification timeline
StageTypical durationWhat happens
Gap analysis2 to 4 weeksAssess current state against Clauses 4 to 10 and Annex A.
Implementation1 to 4 monthsBuild the AI policy, risk and impact assessments, SoA, controls, registers.
Internal audit and management reviewAbout 1 monthIndependent internal review and leadership sign-off.
Stage 1 audit1 to 2+ daysDocumentation and readiness review by the certification body.
Stage 2 audit3 to 9+ daysImplementation tested; controls sampled; staff interviewed.
Certificate issuedn/aValid 3 years once major nonconformities are closed.
SurveillanceAnnual, 1 to 3 daysContinued conformity; recertification at year three.

TRAIN TO CERTIFYAbilene Academy is the only PECB Titanium Partner in Switzerland, the highest accreditation tier in the industry, delivering certified ISO 42001 Lead Implementer and Lead Auditor training in classroom, online, and self-study formats. Multilingual programmes in EN, FR, ES, DE, IT and more. 99% Exam pass rate · 2,500+ Professionals trained · 120+ Countries reached · Titanium Only PECB Titanium Partner in Switzerland.

ISO 42001 Lead Implementer training

ISO 42001 vs ISO 27001 vs NIST AI RMF vs the EU AI Act

ISO 42001 and ISO 27001 are complementary: one governs AI, the other information security, and they share a structure, so an organization already certified to ISO 27001 can extend into ISO 42001 rather than start over. The NIST AI RMF is a voluntary, non-certifiable methodology that pairs well with ISO 42001 as the auditable umbrella. The EU AI Act is binding law, not a certificate. See the full ISO 42001 vs ISO 27001 answer.

ISO 42001 vs ISO 27001 vs NIST AI RMF vs EU AI Act
DimensionISO/IEC 42001ISO/IEC 27001NIST AI RMFEU AI Act
PurposeGovern AI (AIMS)Information security (ISMS)Manage AI riskRegulate AI in the EU market
AI-specificYesNoYesYes
CertifiableYes (accredited)YesNo (self-attestation)No (legal conformity)
Legal statusVoluntary standardVoluntary standardVoluntary frameworkBinding law (Reg. (EU) 2024/1689)
StructureAnnex SL, 10 clauses, 38 controlsAnnex SL, 10 clauses, 93 controls4 functionsRisk tiers and obligations by Article

ISO 42001 and the EU AI Act

ISO 42001 supports EU AI Act readiness, but it is not legal equivalence. Its risk management, data governance, transparency, and human-oversight controls map closely to the Act's expectations, yet the Act adds obligations ISO 42001 does not cover: conformity assessment, CE marking, EU database registration, and serious-incident reporting. ISO 42001 is the management-system foundation, not a compliance certificate.

EU AI Act to ISO 42001 crosswalk
EU AI Act expectationMaps to ISO 42001
Risk management system (Art. 9)Clause 6.1; Clause 8.2
Data and data governance (Art. 10)Annex A.7
Technical documentation (Art. 11 / Annex IV)Clause 7.5; A.6.2
Record-keeping and logging (Art. 12)A.6.2; Clause 9
Transparency to users (Art. 13)Annex A.8
Human oversight (Art. 14)Annex A.9; A.6.2
Accuracy, robustness, security (Art. 15)Clause 8; A.6.2; ISO 27001 linkage
Quality management system (Art. 17)The whole AIMS (Clauses 4 to 10)
Not covered by ISO 42001Conformity assessment, CE marking, EU database registration, serious-incident reporting

ISO 42005 and ISO 42006

ISO 42001 sits in a growing family. ISO/IEC 42005:2025 is the guidance standard for AI system impact assessment; it operationalizes control A.5 and helps you document how a specific AI system, and its foreseeable misuse, may affect individuals and society. ISO/IEC 42006:2025 sets the competence and consistency requirements for the bodies that audit and certify AIMS, which is what underpins an accredited certificate. Both are worth knowing when you choose an auditor and design your impact assessments.

Running ISO 42001 in Acuna

Acuna lets you run ISO 42001 alongside your other frameworks rather than as a separate project. It builds and maintains the AI system inventory, runs AI risk and impact assessments, generates and version-controls the Statement of Applicability, maps Annex A controls to evidence, and keeps controls monitored for surveillance audits. Requirements map once and reuse, so a team already running ISO 27001 extends into ISO 42001 efficiently. See how Acuna maps ISO 42001.

EXPLORE

ISO 42001

ISO 42001 vs ISO 27001Coming soon

How the AI standard and the security standard differ, and whether you need both.

Annex A controls, all 38 explainedComing soon

Each control, its objective, and what evidence an auditor expects.

The clauses 4 to 10, in depthComing soon

What each clause requires and how it is audited.

Certification cost and timelineComing soon

Stage 1, Stage 2, surveillance, and what it costs.

ISO 42001 vs NIST AI RMFComing soon

When to use each, and how they pair together.

EU AI Act crosswalkComing soon

How ISO 42001 maps to the Act, article by article.

ISO 42001 readiness checklistComing soon

A five-phase checklist from governance foundation to certification.

Statement of ApplicabilityComing soon

How to build the SoA: the primary Stage 1 audit deliverable.

ISO 42005 impact assessmentComing soon

Using the companion standard to document AI system impact.

A Lead Auditor's implementation guideComing soon

What auditors look for in Stage 2, and where most teams slip.

ISO 42001 solutionSOLUTION

How Acuna maps and runs ISO 42001 alongside your other frameworks.

ISO 42001: common questions.

GET STARTED

See how Acuna runs ISO 42001.

Book a 30-minute demo scoped to your AI governance program and the other frameworks you run.

Request a demoISO 42001 solution
Built for:CISOsCompliance LeadersMSSPs