42001ISO/IEC
International Standard

AI Management Systems

The world's first international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, it provides a structured framework for the responsible development, provision, and use of AI — balancing innovation with governance, transparency, and ethics.

ISO/IEC 42001:2023World's First AIMS StandardPDCA MethodologyEU AI Act Aligned

Core Governance Pillars

AI Risk Management
Systematic identification, assessment, and mitigation of AI-related risks throughout the system lifecycle, including bias and safety.
Ethics & Transparency
Embedding fairness, explainability, and human oversight into AI systems — ensuring AI decisions are understandable and accountable.
AI Impact Assessment
Evaluation of consequences of AI systems on individuals, groups, and society — required for high-risk AI use cases.
Lifecycle Management
Governance across the full AI system lifecycle — from initial concept and development through deployment, monitoring, and decommissioning.

Mandatory Clauses 4–10

  • 4
    Context of the OrganisationIdentify internal and external factors affecting the AIMS, including the organisation's role as AI provider, developer, or customer.
  • 5
    LeadershipTop management must demonstrate commitment to the AIMS, establish AI policies and objectives, and promote responsible AI culture.
  • 6
    PlanningIdentify and assess AI-related risks and opportunities, define objectives, and select Annex A controls appropriate to the AI use case.
  • 7
    SupportProvide resources, competence, awareness, communication, and documented information for effective AIMS operation.
  • 8
    OperationImplement operational controls, manage AI system development and deployment, and conduct AI Impact Assessments for high-risk systems.
  • 9
    Performance EvaluationMonitor AI system performance, conduct internal audits, and hold management reviews to assess AIMS effectiveness.
  • 10
    ImprovementAddress nonconformities with corrective actions, continuously improve the AIMS, and adapt to evolving AI risks and regulations.

Regulatory & Framework Alignment

EU AI ActISO 42001 certification supports alignment with the EU AI Act's risk-based requirements for AI providers and deployers in the European market.
ISO/IEC 27001Designed with the same Annex SL structure — the two standards integrate seamlessly for organisations managing both AI and information security.
GDPR & DPDPAAI Impact Assessments under ISO 42001 complement data protection impact assessments (DPIAs) required under privacy regulations.
NIST AI RMFCompatible with the NIST AI Risk Management Framework — allowing organisations to align ISO 42001 with US federal AI governance requirements.

Business Benefits

  • Builds trust with customers, partners, and regulators — certification demonstrates responsible and ethical AI governance
  • Enables proactive management of AI risks including bias, hallucination, data security, and accountability gaps
  • Supports alignment with the EU AI Act, GDPR, DPDPA, and other emerging AI regulatory frameworks globally
  • Provides a competitive advantage as customers and enterprise procurement increasingly require responsible AI evidence
  • Integrates with ISO 27001 using the same clause structure — reducing duplication and audit overhead
  • Certification valid for 3 years with annual surveillance — providing ongoing governance maturity assurance