ISO/IEC 42001:2023
Direct answer
ISO/IEC 42001 is the world's first certifiable international standard for an AI management system (AIMS). Published in December 2023, it gives organizations that develop, provide, or use AI a risk-based framework, ten clauses plus 38 Annex A controls, to govern AI responsibly. Accredited bodies certify it. Certification supports, but does not equal, EU AI Act compliance.
ISO/IEC 42001 is the first international management-system standard for artificial intelligence. It does for AI what ISO 27001 does for information security: it gives an organization a structured, auditable way to set objectives, assess risk, apply controls, and improve over time, specifically for the AI systems it builds, provides, or uses. It is built on the same Annex SL Harmonized Structure as ISO 27001 and ISO 9001, and it is certifiable by accredited third-party bodies, so responsible AI governance can be demonstrated rather than just asserted.
AI is moving into decisions that affect real people, which raises questions of bias, transparency, and oversight that security and quality standards do not answer. Regulation is arriving in parallel. ISO 42001 gives teams a recognized way to get ahead of both, and it has a currency advantage worth using: most published guidance still shows the old EU AI Act high-risk date of 2 August 2026, which has since shifted.
Corrected EU AI Act timeline (verify Official Journal status at publish):
The revised high-risk dates come from the Digital Omnibus political agreement of 7 May 2026 and take legal effect only on publication in the Official Journal. Until then the original dates remain the legal baseline.
ISO 42001 has ten clauses. Clauses 1 to 3 cover scope, normative references, and terms. Clauses 4 to 10 are the auditable requirements, shared in shape with ISO 27001 and ISO 9001, which is what makes the standards integrate. The AI-specific demands concentrate in Clauses 6 (planning, including risk and impact assessment) and 8 (operation across the AI lifecycle).
| Clause | Title | Requirement in one line |
|---|---|---|
| 4 | Context of the organization | Determine internal and external issues, interested parties, and define the AIMS scope (4.3). |
| 5 | Leadership | Top-management commitment, an approved AI policy, and assigned roles. |
| 6 | Planning | AI risk assessment, AI system impact assessment, risk treatment, the SoA, and AI objectives. |
| 7 | Support | Resources, competence, awareness, communication, documented information. |
| 8 | Operation | Operational control across the AI lifecycle; execute risk treatment and impact assessments. |
| 9 | Performance evaluation | Monitoring, measurement, internal audit, management review. |
| 10 | Improvement | Nonconformity, corrective action, continual improvement. |
Annex A provides 38 reference controls organized into 9 objectives, numbered A.2 to A.10. They are a reference set, not a mandatory checklist: you select the applicable controls through risk assessment and record the include or exclude decision, with justification, in your Statement of Applicability. The standard also includes Annex B (implementation guidance), Annex C (potential AI objectives and risk sources), and Annex D (sector and cross-standard integration).
Note: a minority of sources cite 39 controls. The ISO-aligned count is 38. The full control-by-control breakdown is on the Annex A controls spoke.
| Objective | Title | Controls |
|---|---|---|
| A.2 | Policies related to AI | 3 |
| A.3 | Internal organization | 2 |
| A.4 | Resources for AI systems | 5 |
| A.5 | Assessing impacts of AI systems | 4 |
| A.6 | AI system life cycle | 8 |
| A.7 | Data for AI systems | 5 |
| A.8 | Information for interested parties | 5 |
| A.9 | Use of AI systems | 3 |
| A.10 | Third-party and customer relationships | 3 |
| Total | 38 |
To certify, an organization implements Clauses 4 to 10: define context and AIMS scope, demonstrate leadership and an AI policy, plan through AI risk and impact assessments, provide resources and competence, operate lifecycle controls, evaluate performance through internal audit and management review, and improve continually. The applicable Annex A controls are selected by risk and justified in the Statement of Applicability, which is a primary audit deliverable and the place teams most often slip.
Certification is awarded by an accredited third-party body after a two-stage audit. Stage 1 reviews documentation; Stage 2 tests the system in practice. Certificates run three years with annual surveillance audits. In the US look for ANAB accreditation, in the UK UKAS, in the Netherlands RvA. ISO itself does not certify. End to end, a typical program runs three to nine months depending on scope and existing management-system maturity.
Cost estimates (public data is limited; treat as estimates, not official tariffs):
Adoption: no reliable official count of certified organizations exists. Third-party estimates put the total above 350 globally through April 2026.
| Stage | Typical duration | What happens |
|---|---|---|
| Gap analysis | 2 to 4 weeks | Assess current state against Clauses 4 to 10 and Annex A. |
| Implementation | 1 to 4 months | Build the AI policy, risk and impact assessments, SoA, controls, registers. |
| Internal audit and management review | About 1 month | Independent internal review and leadership sign-off. |
| Stage 1 audit | 1 to 2+ days | Documentation and readiness review by the certification body. |
| Stage 2 audit | 3 to 9+ days | Implementation tested; controls sampled; staff interviewed. |
| Certificate issued | n/a | Valid 3 years once major nonconformities are closed. |
| Surveillance | Annual, 1 to 3 days | Continued conformity; recertification at year three. |
TRAIN TO CERTIFYAbilene Academy is the only PECB Titanium Partner in Switzerland, the highest accreditation tier in the industry, delivering certified ISO 42001 Lead Implementer and Lead Auditor training in classroom, online, and self-study formats. Multilingual programmes in EN, FR, ES, DE, IT and more. 99% Exam pass rate · 2,500+ Professionals trained · 120+ Countries reached · Titanium Only PECB Titanium Partner in Switzerland.
ISO 42001 Lead Implementer training →ISO 42001 and ISO 27001 are complementary: one governs AI, the other information security, and they share a structure, so an organization already certified to ISO 27001 can extend into ISO 42001 rather than start over. The NIST AI RMF is a voluntary, non-certifiable methodology that pairs well with ISO 42001 as the auditable umbrella. The EU AI Act is binding law, not a certificate. See the full ISO 42001 vs ISO 27001 answer.
| Dimension | ISO/IEC 42001 | ISO/IEC 27001 | NIST AI RMF | EU AI Act |
|---|---|---|---|---|
| Purpose | Govern AI (AIMS) | Information security (ISMS) | Manage AI risk | Regulate AI in the EU market |
| AI-specific | Yes | No | Yes | Yes |
| Certifiable | Yes (accredited) | Yes | No (self-attestation) | No (legal conformity) |
| Legal status | Voluntary standard | Voluntary standard | Voluntary framework | Binding law (Reg. (EU) 2024/1689) |
| Structure | Annex SL, 10 clauses, 38 controls | Annex SL, 10 clauses, 93 controls | 4 functions | Risk tiers and obligations by Article |
ISO 42001 supports EU AI Act readiness, but it is not legal equivalence. Its risk management, data governance, transparency, and human-oversight controls map closely to the Act's expectations, yet the Act adds obligations ISO 42001 does not cover: conformity assessment, CE marking, EU database registration, and serious-incident reporting. ISO 42001 is the management-system foundation, not a compliance certificate.
| EU AI Act expectation | Maps to ISO 42001 |
|---|---|
| Risk management system (Art. 9) | Clause 6.1; Clause 8.2 |
| Data and data governance (Art. 10) | Annex A.7 |
| Technical documentation (Art. 11 / Annex IV) | Clause 7.5; A.6.2 |
| Record-keeping and logging (Art. 12) | A.6.2; Clause 9 |
| Transparency to users (Art. 13) | Annex A.8 |
| Human oversight (Art. 14) | Annex A.9; A.6.2 |
| Accuracy, robustness, security (Art. 15) | Clause 8; A.6.2; ISO 27001 linkage |
| Quality management system (Art. 17) | The whole AIMS (Clauses 4 to 10) |
| Not covered by ISO 42001 | Conformity assessment, CE marking, EU database registration, serious-incident reporting |
ISO 42001 sits in a growing family. ISO/IEC 42005:2025 is the guidance standard for AI system impact assessment; it operationalizes control A.5 and helps you document how a specific AI system, and its foreseeable misuse, may affect individuals and society. ISO/IEC 42006:2025 sets the competence and consistency requirements for the bodies that audit and certify AIMS, which is what underpins an accredited certificate. Both are worth knowing when you choose an auditor and design your impact assessments.
Acuna lets you run ISO 42001 alongside your other frameworks rather than as a separate project. It builds and maintains the AI system inventory, runs AI risk and impact assessments, generates and version-controls the Statement of Applicability, maps Annex A controls to evidence, and keeps controls monitored for surveillance audits. Requirements map once and reuse, so a team already running ISO 27001 extends into ISO 42001 efficiently. See how Acuna maps ISO 42001.
EXPLORE
How the AI standard and the security standard differ, and whether you need both.
Each control, its objective, and what evidence an auditor expects.
What each clause requires and how it is audited.
Stage 1, Stage 2, surveillance, and what it costs.
When to use each, and how they pair together.
How ISO 42001 maps to the Act, article by article.
A five-phase checklist from governance foundation to certification.
How to build the SoA: the primary Stage 1 audit deliverable.
Using the companion standard to document AI system impact.
What auditors look for in Stage 2, and where most teams slip.
How Acuna maps and runs ISO 42001 alongside your other frameworks.
GET STARTED
Book a 30-minute demo scoped to your AI governance program and the other frameworks you run.