ISO 42001 Certification: What It Means and How to Prepare
ISO 42001 is the world's first international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, it is rapidly becoming a baseline requirement for enterprise AI vendors and a differentiator for compliance-conscious teams.
What Is ISO 42001?
ISO/IEC 42001:2023 specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organisations. It follows the Annex SL high-level structure used by ISO 9001 (Quality), ISO 27001 (Information Security), and ISO 14001 (Environment) — which means organisations with existing ISO management system certifications will find the structure familiar.
The standard applies to any organisation that develops, provides, or uses AI systems. Unlike the EU AI Act, ISO 42001 is not legally mandatory — but it is:
- Increasingly required in enterprise procurement questionnaires and vendor assessments
- Being adapted by CEN-CENELEC JTC 21, the committee the European Commission has asked to produce harmonised standards for the EU AI Act; ISO 42001 is not itself a harmonised standard yet, so certification alone does not give a presumption of conformity
- Mapped to the NIST AI RMF by a published crosswalk, so a single implementation can cover most of both frameworks
- Recognised by the UK AI Safety Institute as a relevant management system standard
The Structure of ISO 42001
ISO 42001 follows the Plan-Do-Check-Act (PDCA) cycle and is organised into 10 clauses. Clauses 1 to 3 are introductory; the auditable requirements sit in clauses 4 to 10:
- Scope
- Normative references
- Terms and definitions
- Context of the organisation — understanding external/internal issues and stakeholder expectations
- Leadership — top management commitment, AI policy, roles and responsibilities
- Planning — risk and opportunity assessment, AI objectives
- Support — resources, competence, awareness, communication, documented information
- Operation — operational planning, AI system impact assessment, AI supply chain
- Performance evaluation — monitoring, internal audit, management review
- Improvement — nonconformity and corrective action, continual improvement
The standard also includes normative Annex A (control objectives and controls, 38 in total), Annex B (implementation guidance for each of those controls), and informative Annexes C and D (potential AI-related organisational objectives and risk sources, and use of the AIMS across domains and sectors).
The 38 ISO 42001 Annex A Controls
Annex A controls are grouped under 9 control objectives (A.2 to A.10). Not all controls are mandatory: the organisation must justify any exclusions in a Statement of Applicability (SoA), which Clause 6.1.3 requires:
- A.2 Policies for AI — AI policy, responsible use, human oversight policies
- A.3 Internal organisation — roles, resources, competencies for AI
- A.4 Resources for AI systems — data, compute, tooling governance
- A.5 Assessing impacts of AI systems — impact assessment methodology
- A.6 AI system life cycle — design, development, testing, deployment, decommission
- A.7 Data for AI systems — data governance, quality, provenance, privacy
- A.8 Information for interested parties — transparency, labelling, disclosure
- A.9 Use of AI systems — responsible-use processes, objectives for responsible use, intended use
- A.10 Third-party and customer relationships — supplier and customer responsibilities, AI supply chain
Preparing for ISO 42001 Certification: A Phased Approach
Phase 1: Gap Assessment (Weeks 1–4)
Run an assessment against the requirement clauses (4 to 10) and all 38 Annex A controls. For each requirement, determine: fully met, partially met, not met, or not applicable (recording the justification the SoA will need). Record a pointer to the evidence behind every "fully met" claim, since the certification auditor will ask for it. Document your current state; this becomes the baseline for your implementation plan.
Use Governer's ISO 42001 scanner to automate the technical controls portion of this assessment — particularly the data governance, AI system lifecycle, and logging and monitoring controls.
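A gap assessment is usually kept in a spreadsheet, but the checks an auditor will apply to it are easy to state in code. The following is an added example, not code from the original page or from any vendor tool: it records one row per Annex A control, validates the rows the way a Stage 1 document review would (unknown control ids, excluded controls with no SoA justification, "fully met" claims with no evidence reference, duplicates), computes a readiness percentage per control objective with justified exclusions left out of the denominator, and lists the open gaps for the implementation plan. The objective names follow Annex A of ISO/IEC 42001:2023; the scoring weights, the field names and the sample rows are assumptions constructed for illustration and describe no real organisation.

```python
"""Gap-assessment and Statement of Applicability (SoA) checker for an
ISO/IEC 42001 readiness exercise.

Added example: not code from the original page or from any vendor tool.
Control identifiers follow the Annex A numbering of ISO/IEC 42001:2023
(objectives A.2 to A.10); the status vocabulary is the one the phased
approach uses; the scoring weights and the sample rows are constructed
for illustration and describe no real organisation.
"""
from collections import defaultdict
from dataclasses import dataclass

# Annex A control objectives of ISO/IEC 42001:2023.
OBJECTIVES = {
    "A.2": "Policies related to AI",
    "A.3": "Internal organization",
    "A.4": "Resources for AI systems",
    "A.5": "Assessing impacts of AI systems",
    "A.6": "AI system life cycle",
    "A.7": "Data for AI systems",
    "A.8": "Information for interested parties of AI systems",
    "A.9": "Use of AI systems",
    "A.10": "Third-party and customer relationships",
}

# Assumed scoring weights for the readiness figure (not from the standard).
SCORE = {"fully met": 1.0, "partially met": 0.5, "not met": 0.0}
EXCLUDED = "not applicable"


@dataclass(frozen=True)
class Assessment:
    control: str             # Annex A control id, e.g. "A.6.2.4"
    status: str              # one of SCORE's keys, or EXCLUDED
    justification: str = ""  # mandatory when status == EXCLUDED (SoA)
    evidence: str = ""       # pointer to the artefact that proves the status


def objective_of(control: str) -> str:
    """Map a control id to its objective: 'A.6.2.4' -> 'A.6'."""
    return ".".join(control.split(".")[:2])


def validate(rows) -> list:
    """Problems a Stage 1 document review would raise: unknown ids or
    statuses, duplicate rows, exclusions with no SoA justification, and
    'fully met' claims with nothing to show an auditor."""
    problems, seen = [], set()
    for r in rows:
        if objective_of(r.control) not in OBJECTIVES:
            problems.append(f"{r.control}: not under a known Annex A objective")
        if r.status not in SCORE and r.status != EXCLUDED:
            problems.append(f"{r.control}: unknown status {r.status!r}")
        if r.status == EXCLUDED and not r.justification.strip():
            problems.append(f"{r.control}: excluded without SoA justification")
        if r.status == "fully met" and not r.evidence.strip():
            problems.append(f"{r.control}: claimed fully met with no evidence reference")
        if r.control in seen:
            problems.append(f"{r.control}: assessed more than once")
        seen.add(r.control)
    return problems


def readiness(rows) -> dict:
    """Percentage readiness per objective and overall. Justified exclusions
    are dropped from the denominator rather than counted as met."""
    per = defaultdict(lambda: [0.0, 0])
    for r in rows:
        if r.status == EXCLUDED or r.status not in SCORE:
            continue
        acc = per[objective_of(r.control)]
        acc[0] += SCORE[r.status]
        acc[1] += 1
    out = {k: round(100 * s / n, 1) for k, (s, n) in per.items()}
    tot_s = sum(s for s, _ in per.values())
    tot_n = sum(n for _, n in per.values())
    out["overall"] = round(100 * tot_s / tot_n, 1) if tot_n else 0.0
    return out


def gaps(rows) -> list:
    """Controls to carry into the implementation plan, 'not met' first."""
    order = {"not met": 0, "partially met": 1}
    open_rows = [r for r in rows if r.status in order]
    return [r.control for r in sorted(open_rows, key=lambda r: (order[r.status], r.control))]


def soa(rows) -> list:
    """Statement of Applicability rows: (control, applicable, justification)."""
    return [(r.control, r.status != EXCLUDED, r.justification) for r in rows]


# Constructed sample assessment (fictional state; evidence paths are assumed).
SAMPLE = [
    Assessment("A.2.2", "fully met", evidence="policies/ai-policy-v1.2.md"),
    Assessment("A.2.4", "partially met", evidence="minutes/2024-03-ai-policy-review.md"),
    Assessment("A.3.2", "fully met", evidence="org/raci-ai.xlsx"),
    Assessment("A.5.2", "not met"),
    Assessment("A.6.2.4", "partially met", evidence="ci/model-eval-report-0.3.pdf"),
    Assessment("A.7.3", "fully met"),        # no evidence reference: flagged
    Assessment("A.8.2", "not applicable"),   # no SoA justification: flagged
    Assessment("A.10.3", "not applicable",
               justification="No third-party AI suppliers in AIMS scope (assumed)"),
]

if __name__ == "__main__":
    for p in validate(SAMPLE):
        print("PROBLEM:", p)
    print("readiness:", readiness(SAMPLE))
    print("open gaps:", gaps(SAMPLE))
```

Two design choices matter for the audit. Excluded controls are removed from the denominator only when a justification is present, so an unjustified exclusion both lowers nothing and raises a problem rather than silently inflating the score; and a "fully met" row still scores as met even without evidence, because the readiness figure and the evidence check are separate findings that the implementation plan should track separately.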
Phase 2: Documentation Build (Weeks 5–12)
ISO 42001 requires specific documented information. The minimum document set includes:
- AI policy (Clause 5.2)
- AIMS scope document (Clause 4.3)
- Risk assessment and treatment methodology (Clause 6.1)
- Statement of Applicability (Clause 6.1.3, covering the Annex A controls)
- AI system impact assessment records (Clause 8.4 and A.5)
- AI system inventory (Clause 8)
- Internal audit procedure and records (Clause 9.2)
- Management review records (Clause 9.3)
- Nonconformity and corrective action records (Clause 10.2)
Phase 3: Implementation and Evidence Collection (Weeks 13–24)
Implement the controls identified in your gap assessment. Collect evidence of implementation: training records, meeting minutes, system logs, test results, and process artefacts. Run at least one full internal audit cycle before the certification audit.
Phase 4: Certification Audit (Months 6–9)
Select an accredited certification body (e.g. BSI, Bureau Veritas, SGS, TÜV). The certification audit is a two-stage process: Stage 1 (document review and readiness assessment) and Stage 2 (on-site implementation audit). Successful completion results in ISO 42001 certification, valid for 3 years with annual surveillance audits.
ISO 42001 and the EU AI Act
Under a standardisation request from the European Commission, CEN-CENELEC JTC 21 is producing the European standards intended to support the EU AI Act and has been working on adopting ISO/IEC 42001 as a European standard. Only once such a standard is adopted and its reference is published in the Official Journal of the EU does conformity with it create a presumption of conformity with the specific AI Act requirements it covers. Until then, ISO 42001 certification is strong evidence of a functioning management system but not a presumption of conformity; if the harmonisation completes, it would substantially simplify the compliance path for high-risk AI system providers already certified to ISO 42001.
Getting Started
The fastest path to ISO 42001 starts with understanding your current gap. Run a free Governer compliance scan to get an ISO 42001 readiness score alongside your EU AI Act and NIST AI RMF scores — in under 60 seconds. Use the output to prioritise your Phase 1 gap assessment and build your implementation roadmap.