What Is ISO 42001 (AI Management System)?
ISO/IEC 42001:2023 is the world's first international standard for an AI management system (AIMS). Published in December 2023, it specifies the requirements for establishing, implementing, maintaining, and continually improving a management system for the responsible development and use of artificial intelligence within an organization. Where the EU AI Act is a law that tells you what you must achieve, ISO 42001 is a voluntary, certifiable framework that tells you how to run your organization so that you achieve it --- and can prove you do.
ISO 42001 matters because it gives "responsible AI" an operational backbone. Principles like fairness, transparency, and accountability are easy to state and hard to systematize; ISO 42001 turns them into a repeatable management discipline with defined roles, risk assessments, controls, and audits. Because it follows the same structure as widely adopted standards like ISO 27001 (information security), organizations can slot AI governance into management systems they already operate --- and earn third-party certification that signals trustworthiness to customers, partners, and regulators.
ISO/IEC 42001 is the first international standard for an AI management system (AIMS) --- a certifiable framework for governing AI responsibly across its lifecycle. It uses the same Plan-Do-Check-Act, Annex SL structure as ISO 27001, with clauses on context, leadership, planning, support, operation, evaluation, and improvement, plus Annex A controls specific to AI (impact assessment, data management, transparency, lifecycle). It is voluntary and certifiable, complements the binding EU AI Act, and --- like the Act --- depends on documented, well-governed data to satisfy its evidence requirements.
ISO 42001 Defined
ISO 42001 is a management system standard (MSS). It does not certify an AI product or model as "safe"; it certifies that an organization has a working system for governing AI --- identifying risks, setting policies, assigning responsibility, operating controls, and improving over time. The unit of certification is the management system, not the algorithm. This is the same logic as ISO 27001: you are not certifying that no breach can happen, but that you run a disciplined process to manage information-security risk.
Its defining characteristics:
- Process-oriented --- It governs how decisions about AI are made and reviewed, not the technical internals of any single model.
- Risk- and impact-based --- It centers on assessing risks and, distinctively for AI, impacts on individuals and society --- not just on the organization.
- Certifiable --- An accredited body can audit and certify conformity, just as with ISO 27001 or ISO 9001.
- Harmonized structure --- It uses ISO's common "Annex SL" high-level structure, so it integrates cleanly with other management systems.
How the Standard Is Structured
ISO 42001 follows the Plan-Do-Check-Act (PDCA) cycle expressed through the standard clauses 4–10, sitting on top of a set of AI-specific controls in its annexes.
Clauses 4–10 are the management-system core, shared with other ISO standards:
- Clause 4 --- Context. Understand the organization, its AI uses, interested parties, and the AIMS scope.
- Clause 5 --- Leadership. Top-management commitment, an AI policy, and assigned roles.
- Clause 6 --- Planning. Risk assessment, AI risk treatment, objectives, and --- distinctively --- an AI system impact assessment on individuals and society.
- Clause 7 --- Support. Resources, competence, awareness, and documented information.
- Clause 8 --- Operation. Run the AIMS: operationalize the controls across the AI lifecycle.
- Clause 9 --- Performance evaluation. Monitoring, measurement, internal audit, and management review.
- Clause 10 --- Improvement. Handle nonconformities and improve continually.
Key Requirements & Controls
Beyond the clause structure, Annex A lists reference controls specific to AI, which an organization selects and applies based on its risk and impact assessments. The themes that recur --- and that most distinguish ISO 42001 from generic management standards --- are:
- AI impact assessment --- Assessing consequences for individuals and society, not just risk to the organization. This societal lens is the standard's signature feature.
- Data for AI systems --- Controls covering data provenance, quality, and management for AI --- the standard explicitly ties good AI to governed AI-ready data.
- Lifecycle management --- Governance across design, development, deployment, operation, and retirement.
- Transparency & information --- Telling users and affected parties how AI is used and what it does.
- Third-party and supplier management --- Extending governance to AI components and models you did not build yourself.
Annexes B, C, and D add implementation guidance, potential objectives and risk sources, and guidance on applying the AIMS in specific domains.
Certification & the EU AI Act
ISO 42001 is certifiable: an accredited certification body audits the AIMS and, if it conforms, issues a certificate --- typically maintained through surveillance audits and periodic recertification, exactly as with ISO 27001. Certification is voluntary, but it is fast becoming a market expectation and a procurement requirement for AI vendors.
Its relationship to the EU AI Act is complementary, not redundant:
- The Act is binding law; ISO 42001 is a voluntary framework. Conformity with the standard is not automatic legal compliance with the Act.
- But the standard is strong evidence of due diligence. An operating AIMS demonstrates exactly the kind of risk management, documentation, and oversight the Act demands, and maps closely onto its obligations.
- Harmonized standards bridge the two. As the EU develops harmonized standards for AI Act conformity, a mature ISO 42001 program positions an organization to adopt them with far less effort.
In short, ISO 42001 is the practical way many organizations will operationalize their journey toward AI Act readiness --- and toward broader AI governance.
Data Governance for an AIMS
Every clause and control in ISO 42001 eventually asks the same question: can you show it? Auditors do not accept intentions; they require evidence. And most of that evidence is information about data --- what data trained your AI systems and what data feeds them in operation, where it came from, how its quality was assured, who is accountable for it, and how its use is documented.
This makes data governance the substrate of a certifiable AIMS:
- A data catalog and metadata management provide the inventory and documentation Clause 7 and Annex A's data controls require.
- Data lineage evidences provenance and supports the impact and risk assessments at the heart of Clause 6.
- Data quality management and classification demonstrate the data-for-AI controls in Annex A.
- Clear data ownership satisfies the accountability the standard expects from leadership down.
Dawiso's AI governance approach is to make this evidence a by-product of normal operations: the catalog, glossary, and lineage maintained day to day become the documented, auditable record an ISO 42001 assessment depends on. The management system is the discipline; governed data is what makes it provable.
Conclusion
ISO 42001 is how responsible AI becomes a system rather than a slogan. By wrapping AI governance in the familiar, certifiable machinery of a management standard, it lets organizations operate AI with the same rigor they already apply to quality and security --- and demonstrate it to anyone who asks. It does not replace the EU AI Act, but it is one of the clearest paths toward meeting it. And like every governance framework, it ultimately rests on a single capability: knowing, documenting, and trusting the data behind your AI.