ISO 42001 — AI management system
ISO/IEC 42001:2023 is the first international standard specifying requirements for an artificial intelligence management system (AIMS), published in December 2023.
What ISO/IEC 42001 is
ISO/IEC 42001:2023 was published in December 2023 as a joint publication of ISO and the International Electrotechnical Commission. It is the first international management system standard specifically for artificial intelligence, providing certifiable requirements — not guidance only — for establishing, implementing, maintaining and continually improving an AI management system (AIMS). The standard follows Annex SL (the High-Level Structure common to all modern ISO management system standards), which is the same clause structure used by ISO 9001, ISO 14001 and ISO/IEC 27001, enabling organisations to integrate their AIMS with existing management systems. It applies to any organisation, regardless of size, sector or AI maturity, that develops or uses AI systems.
Key requirements
ISO/IEC 42001 organises its requirements across the Annex SL clause structure. Clause 4 requires organisations to understand the context in which they operate, including the purpose and nature of their AI use, to identify interested parties and to establish the AIMS scope. Clause 5 requires top management commitment, an AI policy and defined roles and responsibilities. Clause 6 requires AI risk assessment and AI impact assessment processes, together with AI objectives and plans to achieve them. Clause 8 addresses operational planning and control, including an AI system inventory, implementation of the AI impact assessment, management of AI suppliers and third parties, and design of human oversight mechanisms. Clause 9 covers monitoring, measurement, internal audit and management review. Annex A provides a reference set of controls for AI management, mapped to the requirements of the main clauses.
AI risk and impact assessment
Central to ISO/IEC 42001 are two interrelated processes: AI risk assessment and AI impact assessment. The AI risk assessment identifies risks to the organisation arising from its AI activities — including operational, reputational, legal and compliance risks — and informs the design of controls and treatment measures. The AI impact assessment evaluates the potential effects of AI systems on individuals and society, including impacts on rights, fairness, privacy and human autonomy. Both assessments must be documented and kept under review. The AI impact assessment process in ISO/IEC 42001 shares methodology with the Data Protection Impact Assessment required under GDPR Article 35 but is broader in scope, covering societal and rights impacts beyond privacy. It supports compliance with the Fundamental Rights Impact Assessment required under EU AI Act Article 27 for certain high-risk AI deployers.
Relationship to EU AI Act and NIST AI RMF
ISO/IEC 42001 is a voluntary standard but is increasingly cited as a means of demonstrating conformity with regulatory expectations. Annex C of the standard provides a mapping between ISO/IEC 42001 requirements and the EU AI Act, assisting organisations in understanding how AIMS implementation supports compliance with the Regulation. The NIST AI RMF GOVERN function overlaps substantially with the governance, accountability and culture requirements of ISO/IEC 42001, enabling organisations that have adopted the NIST framework to build toward ISO/IEC 42001 certification. Certification is available through accredited third-party certification bodies using the same audit and certification process as ISO 9001 and ISO/IEC 27001. Together, ISO/IEC 42001, the NIST AI RMF and the EU AI Act form the de facto architecture for organisational AI governance programmes in 2025 and beyond.
Key facts
At a glance
- Published: December 2023 (ISO/IEC 42001:2023)
- Scope: first international AI management system standard
- Structure: Annex SL (High-Level Structure, Plan-Do-Check-Act) — same as ISO 9001 and ISO/IEC 27001
- Certifiable: yes, by accredited third-party certification bodies
- Key requirement: AI risk assessment plus AI impact assessment
- Relationship: Annex C maps to EU AI Act; complements NIST AI RMF
Common misconceptions
What people often get wrong
Often heard: ISO 42001 is the same as ISO 27001.
Actually: They are distinct standards for different management systems. ISO/IEC 42001 establishes requirements for an AI management system; ISO/IEC 27001 establishes requirements for an information security management system. An organisation may hold certifications to both, and their Annex SL structure makes integration straightforward.
Often heard: ISO 42001 certification guarantees EU AI Act compliance.
Actually: ISO/IEC 42001 certification demonstrates that an organisation has established a systematic AI management system aligned with international best practice. Formal EU AI Act compliance depends on meeting the specific legal obligations imposed by the Regulation, which vary by AI system risk tier and role. Annex C of the standard assists in mapping requirements but certification alone does not constitute legal compliance.
Often heard: ISO 42001 only applies to AI developers and technology companies.
Actually: ISO/IEC 42001 applies to any organisation that develops or uses AI systems, including organisations that procure and deploy AI from third-party providers. Deployers, public-sector bodies and research institutions are all within scope alongside technology developers.