February 20, 2026

Is ISO 42001 mandatory? Understanding your compliance obligations

Artificial intelligence (AI) is developing at an incredible pace. It’s moving faster than many businesses can keep up with, which makes governance and oversight a real challenge. With or without your consent, your teams are almost certainly already using it for data analysis, content creation, automation and decision support.

Meanwhile, everyone’s starting to ask the same question: ‘Who’s responsible for how your AI systems behave?’

Well, that’s where ISO 42001, an AI management system (AIMS) framework, comes in. You may be wondering whether ISO 42001 is something your business needs or can safely ignore without any fear of repercussions.

The short answer? ISO 42001 is not mandatory. But that doesn’t mean it’s not valuable. This blog explains why.

So, is ISO 42001 mandatory?

ISO/IEC 42001:2023 (to give it its full, current name) is not a law. The Government doesn’t make it legally mandatory for organisations to hold certification. In fact, there are currently no countries in the world that require any business to hold ISO 42001 certification.

ISO 42001 is an international management system standard tailored to AI. This means it’s something organisations choose to adopt. Certification is granted by an independent certification body after an audit.

Like other ISO standards (for example, ISO 9001 or ISO 27001), ISO 42001 can still be used as evidence that an organisation operates a structured governance system. In other words, meeting ISO standards can help your business demonstrate alignment and compliance with its regulatory obligations.

So, while your business isn’t legally required to be ISO 42001 certified, you may still be expected to demonstrate control over your AIMS. And with the pace that AI is evolving, that expectation is becoming increasingly prevalent and relevant.

What regulations apply to AI right now?

So, if ISO 42001 isn’t mandatory, what laws do you have to take into account? Here are a few of the key legal and regulatory frameworks that currently apply to AI. Note that most of these come from existing laws, but applied to AI. Depending on where you operate, these can include:

Data protection and privacy law

If your AI processes personal data, you are already subject to requirements such as:

  • UK GDPR
  • EU GDPR
  • sector-specific privacy rules

These require you to understand the following about your AIMS:

  • where data is stored
  • how data is used
  • privacy policies and consent
  • how decisions are made
  • the risks for all users and participants

Emerging AI-specific regulation

In some regions, we’re starting to see dedicated AI regulation. For example:

  • The EU AI Act (being introduced in phases from 2024 onwards, to be fully deployed in August 2026) introduces risk-based obligations for certain AI uses
  • UK regulators are issuing more guidance on responsible AI governance
  • Sector regulators (finance, healthcare, public sector) are publishing their own expectations

These frameworks do not require ISO 42001 certification, but they do require:

  • documented risk management
  • oversight
  • accountability
  • lifecycle control

Because those are the exact areas ISO 42001 is designed to formalise, certification can be a simple way to prove your compliance.

Contractual and procurement requirements

Even if there are no legal requirements for ISO 42001, your customers and stakeholders have a vested interest in how you govern AI. Many people are still very wary of how much data AI stores about them. They’ll ask questions such as:

  • How do you keep my data safe in your AIMS?
  • How do you control AI risk?
  • How do you manage bias?
  • Who approves AI changes?
  • What governance is in place?

ISO 42001 provides a structured way to have those answers in place, with evidence and documentation all ready and available.

Do I need ISO 42001?

If your organisation doesn’t use AI and has no plans to, ISO 42001 may not be relevant. However, most organisations are forecast to embrace AI sooner or later. In the meantime, you’re more likely to benefit from ISO 42001 if:

Your products or services include AI

If AI directly affects customer outcomes, clients will expect evidence that you’re controlling and monitoring it.

Your decisions affect people or financial outcomes

The higher the impact (as determined by risk assessments), the stronger the expectation for documented oversight.

You operate in a regulated or high-trust sector

This includes sectors such as finance, healthcare, public sector, legal, infrastructure and education.

You already hold other ISO certifications

If you already hold ISO 27001 or ISO 9001, your clients and auditors may expect similar discipline for AI. Because ISO 42001 uses the same management system structure, it’s often the natural next step. Ensuring your AIMS meets the same management standards means you’re well on your way to certification.

So what are your real compliance obligations?

Your overall objective is to show that your AIMS is governed, controlled and accountable.

And the best way to do that is to adopt a recognised management system standard.

ISO 42001 is internationally recognised and aligns with other ISO system frameworks (such as ISO 27001). Importantly, it provides auditable evidence of your approach to AI governance.

So, if you already use AI in your business, formally or informally, the first thing to do is ask yourself the following questions:

  • Where do we use AI across the organisation?
  • What decisions does it influence?
  • What data does it rely on?
  • Who owns each system?
  • How is that data protected?
  • How are risks assessed and reviewed?

If any of those answers are unclear, you already have a governance gap. That doesn’t automatically mean you need ISO 42001 certification tomorrow. It does, however, mean you need to implement a more structured approach.

At ISO QSL, we can help your business assess its current AI use, define a scope of governance and build a practical ISO 42001-aligned management system. We’ve also launched a new Introduction to ISO 42001 online training module.

If you want to understand the importance of ISO 42001 for your organisation, let’s start with an initial discovery call. We’ll map out where AI is used, what outcomes it affects and what your current AI controls look like. From there, you can decide whether formal certification, or simply a stronger internal framework, is the best next step.