ISO/IEC 42001
ISO/IEC 42001 is the international standard specifying requirements for an AI management system (AIMS) — the AI equivalent of a management-system standard like ISO 9001.
What an AI management system is
An AI management system (AIMS) is the organisational structure of policies, objectives, processes and controls through which an organisation manages AI responsibly. ISO/IEC 42001 specifies what such a system must contain: leadership commitment, an AI policy, defined roles, risk and impact assessment, operational controls, monitoring and continual improvement. Like other ISO management-system standards it follows the common high-level structure (the same clause layout for context, leadership, planning, support, operation, performance evaluation and improvement), so it can share documentation, audits and risk processes with the ISO 9001 (quality) or ISO/IEC 27001 (information security) systems an organisation may already run. The standard is requirements-based: it states what must be in place, not a single prescribed method for achieving it.
The PDCA cycle and Annex controls
ISO/IEC 42001 is built on the Plan-Do-Check-Act improvement cycle: plan the management system and its AI risk treatment, implement it, check performance through monitoring, measurement and internal audit, and act on the findings to improve. Its annexes set out a reference list of controls and implementation guidance, covering areas such as AI policies, resource and data management, lifecycle processes and the impact of AI systems on individuals and society, from which organisations select based on their risk assessment; as in ISO/IEC 27001, the chosen controls and any justified exclusions are recorded in a Statement of Applicability that auditors check against the risk treatment. This structure makes the standard adaptable across sectors and AI maturity levels while keeping a consistent, auditable backbone.
Certification and what it signals
Because it is a management-system standard, ISO/IEC 42001 is certifiable: an accredited certification body can audit an organisation and issue a certificate confirming that its AIMS meets the requirements. Certification signals to customers, partners and regulators that the organisation manages AI risk systematically rather than informally. It does not certify that any individual AI model is "safe"; it certifies the management system around AI development and use, and only within the scope the organisation declared for the audit, so anyone relying on a certificate should read its scope statement to see which products, teams and sites it actually covers. Many organisations pair the standard with the NIST AI RMF, using the RMF's Govern, Map, Measure and Manage functions to populate operational practice inside the certified system.
Key facts
At a glance
- Definition: international standard for an AI management system (AIMS)
- Published: December 2023 by ISO and IEC
- Type: certifiable, risk-based management-system standard
- Model: Plan-Do-Check-Act (PDCA) continual improvement
- Analogy: what ISO 9001 is to quality management, ISO/IEC 42001 is to AI management
- Integrates with: ISO/IEC 27001, ISO 9001 (shared high-level structure)
Common misconceptions
What people often get wrong
Often heard: ISO/IEC 42001 certifies that a specific AI model is safe.
Actually: The standard certifies an organisation’s AI management system — its policies, processes and controls — not the safety of any individual model. It demonstrates systematic management, not product-level guarantees.
Often heard: ISO/IEC 42001 and the NIST AI RMF are competing alternatives.
Actually: They operate at different levels and are complementary. ISO/IEC 42001 is a certifiable management-system standard; the NIST AI RMF is voluntary operational guidance whose functions can populate practice inside an AIMS.
Often heard: Only AI developers need ISO/IEC 42001.
Actually: The standard applies to any organisation that develops, provides or uses AI systems, including those that procure and deploy third-party AI. The controls scale to the organisation’s role and risk.