Artificial intelligence (AI), including generative AI, is now part of everyday life and work.
Some of your teams openly use it. Others pretend not to but secretly depend on it. Many refuse to even interact with AI at all.
Whatever your current workplace culture, when your approach to AI isn’t clearly defined by leadership, it affects how decisions get made, how data moves and how risk shows up.
This creates a simple problem for business leaders, because you can’t manage what you can’t see.
ISO 42001 helps organisations plug those gaps. It outlines a management system standard specifically tailored to AI, so you can set policy and processes, assign accountability, assess risk and keep improving how the AI tools your business uses are developed and deployed.
On this page, we explain what ISO 42001 certification is and who benefits most from adhering to the standard.
What is ISO 42001?
ISO/IEC 42001:2023 is an international standard for artificial intelligence management systems (AIMS).
It sets the requirements for establishing, implementing, maintaining and continually improving an AIMS within the context of your organisation. An AIMS is the system you use to set rules for AI, decide what good looks like and manage how AI is developed, procured and used.
That’s important. ISO 42001 isn’t a standard for AI tools. It doesn’t tell you how to build your own AI model, which algorithm to use or how to write code. Rather, it provides a framework to help you oversee and manage the tools your organisation does use. That framework includes:
- How you set leadership direction and scope
- How you identify and treat AI risks
- How you define roles, responsibilities and governance
- How you manage AI across its lifecycle
- How you document decisions and keep evidence
- How you audit and improve the system over time
Any organisation can put the work in to meet the ISO standard. However, ISO certification comes in when an independent certification body audits your AIMS against ISO 42001’s requirements. Provided you’re compliant, you’ll achieve certification, which you can use to demonstrate to customers, suppliers, investors, employees and other stakeholders that you operate a structured AI management system.
ISO 42001 doesn’t mean you can claim your AI use is always risk-free. But it does provide evidence that you’re taking steps to minimise that risk.
ISO/IEC 42001 follows the same harmonised structure used across many ISO management system standards (often referred to as Annex SL). That makes it easier to integrate with existing systems such as ISO/IEC 27001, rather than building a parallel governance programme.
Who is ISO 42001 for?
ISO 42001 is for organisations that develop, provide or use AI systems. If AI sits anywhere in your products, services, internal operations or decision-making, you’re in scope. That might sound broad, because it is. ISO 42001 is designed to work across all sectors and AI maturity levels.
Here are the most common cases where ISO 42001 fits in practice:
- Organisations using AI for decisions – If AI influences any business decisions or outcomes, you need clarity on accountability, documentation, oversight and risk.
- Organisations operating in regulated or high-scrutiny environments – Many organisations are watching AI regulation develop in the UK, EU and beyond. Now, ISO standards and legislation aren’t the same thing, but ISO 42001 can help you put governance in place so you can provide evidence-based responses to existing and upcoming regulatory expectations.
- Organisations building AI into products and services – If you develop AI systems or provide a product that uses AI, you need consistent controls over its design, validation, monitoring and continuous improvement. ISO 42001 gives you a systematic approach to govern those activities.
- Organisations with lots of ‘unofficial’ AI use – Even if you don’t have any company-wide AI systems or policies, your teams may well be using it to create content, analyse data, summarise reports or respond to customers, perhaps even without consent.
- Organisations that need to prove trust to customers and partners – More customers want to know how you control AI. ISO 42001 certification shows you have clear rules and oversight, even though it doesn’t remove every risk.
Love it or hate it, AI is here to stay, so it’s important to introduce data handling, privacy and security measures. ISO 42001 can help you establish all of these as part of the process of preparing for certification.
How organisations can develop ISO 42001-compliant systems
ISO 42001 is a management system standard. Implementation looks much like other ISO projects. Here’s what a practical path to implementing a successful ISO 42001 AIMS might look like:
1) Set scope and leadership accountability
Start by defining what sits inside your AIMS: which business units, which AI tools, which suppliers, and so on. Then assign ownership of each of these areas to named leaders, so that every team has clear accountability and a clear scope.
2) Build an AI inventory and map the lifecycle
You need a live view of:
- Where AI is developed, bought, configured or used
- What it affects
- Where it connects to data, users and decisions
- What good looks like
This is where most organisations find gaps they didn’t know they had. Designate a team to carry out this task, or hire an external expert, like ISO QSL.
3) Put risk management and controls into your normal workflows
To meet ISO 42001 requirements, you must implement a risk-based approach. In practice, that means:
- Assessing your AI risks and their potential impacts
- Defining controls and acceptance criteria
- Documenting decisions and keeping evidence
- Managing suppliers and third-party components
4) Write the documentation
Auditors look for evidence that the system exists and operates. That’s where your AIMS documentation comes in. Your documentation should include your AI policies, scope, risk approach, operational controls and records of monitoring, review and change management. Crucially, it must represent and support how your workflows operate, warts and all, not just how you want them to happen.
5) Test the system before certification
Before the external audit, you carry out your own checks, including internal audits, management reviews, fixing issues and planning improvements. In some cases, you may benefit from a ‘test’ audit from an ISO consultant to identify any remaining gaps before the certification audit. This will give you evidence that your AI management system actually works (or doesn’t) in practice, not just on paper. Certification audits are usually conducted in stages, so be prepared.
Where ISO QSL fits in
Many organisations struggle to build an effective AIMS from scratch while still running their business. It’s a significant amount to manage on your own.
ISO QSL can guide you through the process in as little as eight weeks. We can help make sure your AIMS aligns with ISO 42001 requirements and, most importantly, integrates with any other ISO standards you may have, such as ISO 27001. We’ve also launched a new Introduction to ISO 42001 online training module.
Our goal is to help you create an AI management system your teams can operate, maintain and improve, and that you can evidence during a certification audit. So, if you want to explore ISO/IEC 42001 certification, get in touch with our expert team of ISO consultants today.