ISO/IEC 42001:2023 is the first certifiable standard for an AI management system (AIMS). Published in December 2023, it gives an organisation a structured, auditable way to govern how it builds, buys, and operates AI, and lets an accredited body certify that the system actually works. If you already hold ISO 27001, the shape will be familiar: the same management-system clause structure (context, leadership, planning, support, operation, evaluation, improvement), with an AI-specific control set bolted on through Annex A.
This guide covers what ISO 42001 actually requires, the 38 Annex A controls and what evidence each demands, a realistic certification timeline and cost, and how the standard relates to the NIST AI RMF and the EU AI Act so you do not pay for the same governance work twice. It is written for the person who has to deliver the certificate, not pass a quiz on what the acronym stands for.
What ISO 42001 requires in 200 words
ISO 42001 is a management-system standard. That means it does not tell you which AI techniques to use or set a numeric bias threshold. It requires you to run a system that identifies AI risks, decides how to treat them, implements controls, and proves the whole thing operates and improves over time.
The auditable requirements live in clauses 4 to 10. You define the scope of your AIMS (clause 4), get leadership commitment and an AI policy (clause 5), run a risk assessment and set objectives (clause 6), provide competence and documented information (clause 7), operate the controls and run AI system impact assessments (clause 8), monitor and audit (clause 9), and correct nonconformities (clause 10).
Annex A then provides 38 controls across 9 objectives. You pick which apply in a Statement of Applicability and justify any exclusions. Certification is a Stage 1 documentation review followed by a Stage 2 implementation audit. The certificate lasts three years with annual surveillance audits. See the official ISO/IEC 42001:2023 page for the normative scope.
What is an AI management system?
An AI management system is the same idea as a quality management system (ISO 9001) or an information security management system (ISO 27001), applied to AI. It is the set of policies, roles, processes, and controls that govern AI across its lifecycle, plus the evidence that they operate.
The standard exists because AI introduces risk categories that ISO 27001 was never written to cover. ISO 27001 protects the confidentiality, integrity, and availability of information. It says nothing about whether a model is biased, whether its outputs are explainable, whether the training data was appropriate, or whether an automated decision harmed a person. ISO 42001 fills that gap. AWS frames this well: the standard manages risk across the full AI lifecycle, from design and data through deployment, monitoring, and decommissioning.
The harmonised structure matters for cost. ISO 42001 shares the high-level management-system structure used across the ISO 27001 family and other ISO standards. If you are already certified to 27001, clauses 4, 5, 7, 9, and 10 are largely the same machinery. You are extending an existing management system, not building one from scratch, which is why already-certified organisations compress the timeline.
The clause structure: what gets audited
Clauses 1 to 3 are scope, references, and definitions. They are not auditable. The work, and the audit, lives in clauses 4 through 10. Treat each one as a deliverable.
- Clause 4, Context. Identify the internal and external factors that affect your AIMS, which AI systems are in scope, and what interested parties expect. The output is a defined AIMS scope statement. Getting the scope boundary right is the single most consequential early decision: too wide and the audit balloons, too narrow and the certificate is meaningless to customers.
- Clause 5, Leadership. Top management establishes the AI policy, assigns roles and accountability, and commits resources. An AI policy signed by someone with authority is non-negotiable evidence.
- Clause 6, Planning. Run an AI risk assessment that addresses the AI-specific factors: bias, transparency, data quality, reliability, and impacts on individuals and society. Set measurable objectives and plan risk treatments. This is where the AIMS earns its keep or becomes paperwork.
- Clause 7, Support. Personnel competence, awareness of the AI policy across the organisation, and control of documented information.
- Clause 8, Operation. Implement the risk treatments across the AI lifecycle and run AI system impact assessments. This is the operational heart of the standard.
- Clause 9, Performance evaluation. Monitor and evaluate the AIMS through internal audits and a management review. You need at least one full cycle before certification.
- Clause 10, Improvement. Handle nonconformities and corrective actions. Continual improvement is a requirement, not a nicety.
The practical reading: clauses 4 to 7 and 9 to 10 are the management-system scaffolding (the part ISO 27001 holders already know), and clause 8 plus Annex A are the AI-specific substance.
The 38 Annex A controls, grouped and explained
Annex A is where ISO 42001 stops looking like every other ISO standard. It contains 38 controls organised into 9 objectives, A.2 through A.10. The controls are deliberately high-level and principle-based. You do not implement all 38 by default. You select the applicable ones in a Statement of Applicability and implement each proportionate to the risk it addresses, then justify every inclusion and exclusion.
The table below lists all nine objectives, the number of controls in each, what the objective covers, and (the part competing guides skip) whether the control is satisfied mainly through process and documentation or through technical infrastructure that produces audit evidence automatically. That distinction decides how much of the work is a policy exercise versus an engineering one.
| Objective | Controls | What it covers | Satisfied primarily by |
|---|---|---|---|
| A.2 Policies related to AI | 3 | A documented AI policy aligned to organisational values and risk appetite | Process / documentation |
| A.3 Internal organisation | 2 | Roles, responsibilities, and a route to report concerns about AI systems | Process, backed by access-control records |
| A.4 Resources for AI systems | 5 | Managing the data, tooling, compute, and human expertise behind AI | Mixed |
| A.5 Assessing impacts of AI systems | 4 | Structured impact assessment on individuals and society across the lifecycle | Process / documentation |
| A.6 AI system life cycle | 9 | Oversight across development, validation, deployment, operation, monitoring | Technical infrastructure |
| A.7 Data for AI systems | 5 | Data quality, provenance, acquisition, and preparation | Technical infrastructure |
| A.8 Information for interested parties | 4 | Transparency, incident communication, stakeholder information | Mixed (logs + documentation) |
| A.9 Use of AI systems | 3 | Responsible deployment aligned to intended purpose and policy | Technical infrastructure (enforcement) |
| A.10 Third-party and customer relationships | 3 | Allocating responsibility across suppliers, partners, customers | Process, backed by contractual + log evidence |
A.6 (AI system life cycle) is the largest objective at 9 controls, and it is mostly technical. It includes controls such as A.6.1.2 (objectives for responsible development), A.6.2.4 (AI system verification and validation), and A.6.2.6 (AI system operation and monitoring). A.7 (data) covers A.7.2 (data for development), A.7.4 (quality of data), and A.7.6 (data preparation). These are the controls where an auditor will ask to see logs and pipelines, not a Word document.
Where the controls become an engineering problem
Most ISO 42001 guides describe the controls and stop. The harder question for whoever owns the certificate is: when the auditor asks for evidence that control A.6.2.6 operates, what do you actually show them? For roughly a third of Annex A, the honest answer is a screenshot of a policy, and that is fine. For the controls in A.6, A.7, A.8, and A.9, a policy is not evidence. The auditor wants to see the system enforcing the control and a record that proves it did.
This is where AI governance stops being a compliance project and becomes an infrastructure one. The pattern that holds up under audit is the same one that holds up under a security review: enforce the control at a chokepoint every request passes through, and emit a structured, tamper-evident log of every decision. If your AI agents call tools through the Model Context Protocol, the MCP transport layer is that chokepoint. Govern there and every model, every client, and every tool inherits the policy, which is exactly the kind of provable enforcement an A.9 or A.6 control needs.
The table below maps a sample of the technically-demanding controls to the specific evidence that satisfies them. Use it to triage which controls your current tooling already covers and which need work before Stage 2.
| Annex A control | What the auditor wants to see | Technical evidence that satisfies it |
|---|---|---|
| A.6.2.6 AI system operation and monitoring | The system is monitored in production and events are recorded | Structured, immutable event logs of every agent session, tool call, and outcome |
| A.7.x Data for AI systems | Provenance and quality of data the AI uses | Data lineage records; logged record of which data each request accessed |
| A.9.x Responsible use of AI systems | Use is constrained to the intended purpose | Real-time policy enforcement: scope checks, allowlists, blocklists, with a record of every allow and deny |
| A.3 Internal organisation | Who can do what, and who reported what | Role-based access control with tiered permissions and an audit trail of grants and denials |
| A.8 Information for interested parties | Incidents are detected and communicated | Hook-driven event capture (session, tool call, permission change) feeding incident workflows |
| A.10 Third-party relationships | Control over external tools and suppliers | An enforced allowlist of approved MCP servers and external tools, plus logged tool-call provenance |
The takeaway for planning: the controls in A.6, A.7, A.8, and A.9 are roughly 20 of the 38, and they cannot be closed with documentation alone. If your AI agent activity is currently a blind spot (no centralised log of what agents call, no enforcement on tool use), those controls are your critical path. Closing them is an architecture decision, not a paperwork sprint, so start there.
The certification process and a realistic timeline
Certification follows the standard ISO two-stage model. The phases below assume an organisation that is not yet running a formal AIMS.
- Preparation (3 to 6 months). Gap assessment against the standard, then build the management system: scope, AI policy, risk assessment, Statement of Applicability, and the selected Annex A controls. You must complete at least one internal audit cycle and one management review before an external body will audit you. This is the longest phase and the one organisations underestimate.
- Stage 1 audit (1 to 2 days). The certification body reviews your documentation to confirm the AIMS is designed correctly and you are ready for Stage 2. Expect findings here; they are direction, not failure.
- Stage 2 audit (typically 3 to 5 days for a mid-sized organisation). Auditors examine the implemented system through interviews, evidence review, process observation, and control verification. If there are no major nonconformities, the body issues the certificate.
- Surveillance and recertification (ongoing). The certificate is valid for three years. Annual surveillance audits confirm continued conformity, and a recertification audit happens before the three-year cycle expires.
Overall, plan for 6 to 12 months from decision to certificate. Organisations already certified to another ISO management standard can compress this to 4 to 8 months because clauses 4, 5, 7, 9, and 10 reuse existing machinery. These timelines come from current certification-body guidance and the shared ISO management-system structure; confirm specifics with your chosen accredited body, since durations scale with organisation size and AIMS scope.
What goes in the Statement of Applicability
The Statement of Applicability (SoA) is the document that ties the standard to your specific AI portfolio. For each of the 38 Annex A controls, the SoA records whether you have implemented it, whether you have excluded it, and the justification for that decision. A control is reasonably excluded if it does not apply to your AI systems (for example, third-party relationship controls if you build everything in-house). An auditor reads the SoA first, because it tells them what evidence to ask for. Treat it as the index to your entire certification, not a formality.
The AI system impact assessment, in depth
Clause 8 and control A.5 introduce a requirement that has no direct equivalent in ISO 27001: the AI system impact assessment (AIIA). It is the document that separates a real AIMS from a relabelled security programme, and it is the artefact auditors scrutinise hardest because it is the one organisations are least practised at producing.
An AIIA evaluates the consequences of an AI system on individuals, groups, and society, across the lifecycle, not just at launch. It is not a data protection impact assessment (DPIA) wearing a different hat. A DPIA asks whether you process personal data lawfully. An AIIA asks a broader question: what happens to the people affected by this system's outputs, including when it is wrong, when it is biased, when it degrades, and when it is used outside its intended purpose. A loan-scoring model and a document-summarisation agent need different AIIAs because their failure modes harm different people in different ways.
A defensible AIIA covers at least five things: the intended purpose and the foreseeable misuses, the categories of people affected and how, the failure modes and their severity, the data the system depends on and its limitations, and the controls that reduce each identified harm. The assessment is iterative. You revisit it when the system changes materially, when monitoring surfaces a new failure mode, or on a defined review cadence. Auditors will ask to see the version history, not a single snapshot, because a one-off assessment that was never revisited signals a paper exercise rather than a live control.
The link back to infrastructure is direct. Several of the harms an AIIA identifies are only detectable in production through monitoring, which is control A.6.2.6. If your AIIA says "the agent could exfiltrate sensitive data through an unsanctioned tool call" but you have no enforced allowlist and no log of tool calls, the assessment has identified a risk you cannot actually see or treat. The AIIA and the technical controls are two halves of the same loop: the assessment names the harm, the infrastructure enforces against it and proves the enforcement held.
ISO 42001 vs NIST AI RMF vs the EU AI Act
The most common planning mistake is treating these three as alternatives. They operate at different levels and are designed to be used together. Choosing one and ignoring the others usually means redoing the same risk analysis in a different format later.
| Dimension | ISO/IEC 42001 | NIST AI RMF 1.0 | EU AI Act |
|---|---|---|---|
| Type | Certifiable management-system standard | Voluntary risk framework | Binding regulation |
| Structure | 7 auditable clauses + 38 Annex A controls | 4 functions: Govern, Map, Measure, Manage | Risk tiers (unacceptable, high, limited, minimal) |
| Certifiable | Yes, by accredited body | No external assurance | Conformity assessment for high-risk systems |
| Legal force | None directly (contractual / market driven) | None | Legally binding in the EU |
| Best used for | Provable, auditable AI governance customers can trust | Designing defensible risk processes | Meeting a legal obligation for EU-market AI |
| Source | ISO 42001 | NIST AI 100-1 | Reg. 2024/1689 |
The NIST AI RMF, published January 2023, is the easiest of the three to start with. Its four functions (Govern, Map, Measure, Manage) and 72 subcategories give you a vocabulary for AI risk without committing to an audit. The practical sequence most organisations land on: use the RMF to do the risk thinking, use ISO 42001 to make that thinking auditable and certifiable, and use both to evidence conformity for the high-risk obligations the EU AI Act imposes. NIST publishes a crosswalk between the RMF and ISO 42001 precisely so you map controls once rather than maintaining parallel programmes; the NIST AI RMF Playbook is the companion that turns the functions into actions.
The EU AI Act is the one with teeth. It is binding regulation, not a voluntary framework, and its high-risk classification triggers conformity-assessment obligations. ISO 42001 does not automatically satisfy the Act, but a conforming AIMS produces much of the documentation, risk assessment, and lifecycle evidence the Act's high-risk regime demands, which is why the two are increasingly run in tandem.
A practical ISO 42001 checklist
If you want a single list to assess readiness, work through these. Each item is something an auditor will ask to see.
- AIMS scope statement with a defined boundary (clause 4)
- An AI policy signed by top management (clause 5, control A.2)
- Assigned roles, accountability, and a route to raise AI concerns (clause 5, control A.3)
- An AI risk assessment covering bias, transparency, data quality, reliability, and societal impact (clause 6)
- A risk treatment plan with measurable objectives (clause 6)
- A Statement of Applicability covering all 38 Annex A controls with justifications
- AI system impact assessments for in-scope systems (clause 8, control A.5)
- Lifecycle controls: development objectives, validation, deployment, operation, monitoring (control A.6)
- Data governance: provenance, quality, preparation records (control A.7)
- Transparency documentation for affected parties and an incident-communication process (control A.8)
- Enforcement that constrains AI use to its intended purpose, with logged decisions (control A.9)
- Third-party and tool-supplier controls (control A.10)
- One completed internal audit (clause 9)
- One completed management review (clause 9)
- A corrective-action process for nonconformities (clause 10)
The items that fail Stage 2 most often are not the policies. They are the operational controls in A.6 through A.9 where the organisation has a policy but cannot produce the running evidence that the policy is enforced. Build the evidence pipeline before you book the audit.
The nonconformities that show up at Stage 2
Stage 2 findings cluster in predictable places, and most of them trace back to the same root cause: a control that exists on paper but produces no record an auditor can inspect. Knowing the common failure points lets you close them before the auditor finds them, because a major nonconformity at Stage 2 means a corrective-action cycle and a return visit before the certificate issues.
- A policy with no operating evidence. The AI policy exists and is signed, but there is no log, ticket, or record showing the policy was applied to a real decision. A signed document is necessary and not sufficient; the auditor asks for the decision the policy governed.
- An impact assessment that was never revisited. A single AIIA dated at launch, with no version history and no link to any monitoring output, reads as a one-off compliance artefact rather than a live control. Clause 8 expects the assessment to be iterative.
- Annex A controls in the Statement of Applicability marked "implemented" with no evidence behind them. The SoA is the index the auditor reads first. Every control you marked applicable becomes a request for proof. A control marked implemented that cannot be evidenced is a direct nonconformity.
- No record of enforced tool use. A.9 expects use constrained to intended purpose. If agents can call arbitrary tools and there is no allowlist and no log of allow/deny decisions, the control is asserted but not operating.
- An internal audit that found nothing. An internal audit (clause 9) that reported zero findings signals the audit was not rigorous, not that the AIMS is perfect. Auditors expect a real internal audit to surface and close findings before Stage 2.
The pattern across all five is the same: the gap is not the absence of a policy, it is the absence of the evidence that the policy operated. That evidence is a logging and enforcement property of the system, decided by architecture, which is why the controls in A.6 to A.9 are the ones to close first.
What ISO 42001 costs, and where the cost actually lands
There is no list price, because the cost is dominated by internal effort, not by certification-body fees. The audit itself is a known quantity: Stage 1 and Stage 2 together are a handful of auditor-days, repeated as annual surveillance, scaling with organisation size and AIMS scope. That is the predictable line item. The unpredictable cost is everything in the preparation phase.
For an organisation already certified to ISO 27001, the marginal cost is modest because the management-system scaffolding already exists. The new work is concentrated in clause 8 and the technical Annex A controls: building AI system impact assessments, standing up lifecycle controls, and producing the operational evidence for A.6 through A.9. For an organisation with no existing ISO certification, the cost is higher because clauses 4, 5, 7, 9, and 10 must be built from nothing, and that is months of policy, role definition, and internal-audit work before any AI-specific control is touched.
The cost trap that catches teams is treating ISO 42001 as a documentation project and discovering at Stage 2 that the technical controls have no evidence. Writing a policy that says "AI use is monitored" takes an afternoon. Producing twelve months of immutable logs proving every agent session and tool call was monitored takes twelve months, unless the logging was already running. The organisations that certify fastest and cheapest are the ones that had the enforcement and audit infrastructure in place before they started the standard, because for them the technical controls were already generating evidence. The lesson generalises: the standard is cheap to certify against and expensive to become ready for, and readiness is mostly an infrastructure question decided long before the auditor arrives.
What to do next
Start with two things in parallel. First, scope your AIMS honestly, because the boundary decides everything downstream. Second, audit your AI agent activity for the A.6 to A.9 controls: if you cannot today produce an immutable log of what your AI agents call and a record of enforced policy decisions, that gap is your critical path, and it is an architecture problem, not a documentation one. Map your risk work to the NIST AI RMF first to avoid duplication: the AI risk management guide shows how, and the AI governance framework guide sets ISO 42001 alongside NIST and the EU AI Act in one stack. For the deployment side of that evidence pipeline, see the companion guides on self-hosted AI governance and AI agent audit trails for SIEM.
