ISO 42001 (ISO/IEC 42001:2023) is the first international standard specifying requirements for an Artificial Intelligence Management System (AIMS) — the governance framework an organisation puts around how it designs, procures, deploys and monitors AI. For a research institution, certification means running a documented, audited system of AI policies, risk assessments and human-oversight controls, not simply buying compliant software. It follows the same Plan-Do-Check-Act structure as ISO 27001, but its controls are built around AI-specific harms: algorithmic bias, opacity, data quality and misuse.
ISO/IEC 42001:2023 is defined by the International Organization for Standardization as a management-system standard for establishing, implementing, maintaining and continually improving an AI management system within an organisation of any size or sector.
Contents
- What is ISO/IEC 42001 and what does an AIMS cover?
- What does ISO 42001 certification actually involve?
- How does ISO 42001 differ from ISO 27001?
- Does ISO 42001 satisfy EU AI Act conformity assessment?
- Is it worth pursuing for a research institution?
- Common questions about ISO 42001 certification
What is ISO/IEC 42001 and what does an AIMS cover?
An AI Management System is a structured set of policies, roles, risk processes and records that governs how an organisation develops, procures or uses AI across its lifecycle. ISO/IEC 42001:2023 sets requirements for that system in its main clauses (4–10), plus an AI-specific Annex A control set — AI policy, resourcing, AI system impact assessment, data for AI systems, and third-party AI relationships.
Unlike a product certification, ISO 42001 does not certify a specific model as “safe”. It certifies that the organisation has a working management system for whichever AI systems fall inside its declared scope — a research-grants triage tool, an admissions-screening system, or a plagiarism-detection service, for example.
What does ISO 42001 certification actually involve?
Certification is run by an accredited, independent certification body — in the UK, accreditation is overseen by the United Kingdom Accreditation Service (UKAS). The organisation implements first; the certification body then verifies.
- Scope and gap analysis: define which AI systems, departments and data flows the AIMS covers, then assess current practice against ISO 42001’s clauses and Annex A controls.
- AI system impact assessment: a formal review of the potential effects of each in-scope AI system on individuals and groups — bias, fairness, transparency, data provenance and human oversight.
- Risk treatment and controls: implement policies, technical controls and role assignments (an “AI owner” is typically named for each system) to treat identified risks.
- Internal audit and management review: test the system internally before the external audit and correct nonconformities.
- Stage 1 audit: the certification body reviews documentation and AIMS design for readiness.
- Stage 2 audit: the certification body tests whether the AIMS is operating effectively in practice, not just on paper.
Once granted, certification is valid for three years, with annual surveillance audits to confirm the AIMS is still being maintained. This mirrors the certification cycle used for ISO 27001 and ISO 9001, since all three share the same Annex SL high-level structure.
How does ISO 42001 differ from ISO 27001?
ISO 42001 governs the management of AI systems; ISO 27001 governs the management of information security. They share the same clause numbering and audit mechanics, so organisations already certified to ISO 27001 typically find AIMS implementation faster — but the two standards are not interchangeable and neither certifies the other.
| Feature | ISO/IEC 42001:2023 | ISO/IEC 27001:2022 |
|---|---|---|
| Primary focus | Governance of AI systems across their lifecycle | Confidentiality, integrity and availability of information assets |
| Distinctive controls | AI impact assessment, data quality for AI, AI system life cycle, third-party AI relationships | Access control, cryptography, physical security, supplier security |
| Typical risk concerns | Bias, opacity, misuse, unintended AI behaviour | Breach, unauthorised access, data loss |
| Structure | Annex SL clauses 4–10 + Annex A | Annex SL clauses 4–10 + Annex A |
| Certification cycle | 3 years, annual surveillance audits | 3 years, annual surveillance audits |
In practice, most institutions treat ISO 42001 as an addition to an existing information-security baseline rather than a replacement for it — an AI management system without underlying information-security controls leaves the data feeding those AI systems unprotected.
Does ISO 42001 satisfy EU AI Act conformity assessment?
ISO 42001 certification does not, by itself, satisfy EU AI Act conformity assessment obligations for high-risk AI systems. Regulation (EU) 2024/1689 (the AI Act) entered into force on 1 August 2024, with obligations for high-risk systems applying progressively from 2 August 2026. The Act’s presumption-of-conformity mechanism (Article 40) attaches to harmonised European standards, which are being drafted separately by CEN-CENELEC Joint Technical Committee 21 — ISO 42001, an international rather than harmonised European standard, is not automatically one of them.
This matters directly for universities. Annex III of the AI Act lists AI systems used to determine access or admission to education, or to evaluate learning outcomes, as high-risk by default. A university deploying an AI-assisted admissions or grant-triage tool is a “deployer” under the Act and carries deployer obligations (human oversight, logging, incident reporting) irrespective of its ISO 42001 status.
What ISO 42001 does provide is a documented, auditable governance framework that maps cleanly onto many AI Act requirements — risk management, data governance, human oversight, technical documentation — making a future conformity assessment faster to prepare for, even though it is not a substitute for one.
Is it worth pursuing for a research institution?
For a research office or university IT/AI-governance function, the case for ISO 42001 rests less on legal necessity and more on institutional risk management and funder or partner assurance. Certification demonstrates that AI used in grant review, research-integrity screening, or student-facing systems is governed by a documented, externally audited process rather than ad hoc practice.
Costs mirror any ISO management-system certification: staff time for gap analysis and internal audit, the certification body’s audit fees, and ongoing annual surveillance costs. Institutions already holding ISO 27001 (or ISO 9001), with a research administration function already handling risk registers and compliance documentation, will find the incremental lift smaller than a first-time management-system project.
The pragmatic sequencing: map which AI systems are actually in scope (research-tools procurement, admissions, integrity-checking), run a gap analysis against Annex A, then decide whether formal certification adds enough external assurance value to justify the audit cost — before, not instead of, tracking the EU AI Act’s phased high-risk obligations, which apply irrespective of certification status.
Common questions about ISO 42001 certification
What is the ISO 42001 certification standard?
It is third-party verification that an organisation’s AI management system meets the requirements of ISO/IEC 42001:2023 — covering AI policy, risk treatment, impact assessment and continual improvement — confirmed through a two-stage audit by an accredited certification body and maintained via annual surveillance audits.
What is the difference between ISO 27001 and ISO 42001?
ISO 27001 manages information security risk (confidentiality, integrity, availability of data); ISO 42001 manages AI-specific risk (bias, transparency, data quality, human oversight) across an AI system’s lifecycle. Both share the same clause structure, so many controls and much documentation can be reused between them.
Is ISO 42001 certification worth it?
It is worth it where an institution needs demonstrable, externally audited AI governance for funders, partners or regulators — particularly if it already holds ISO 27001. It is less clearly worth it as a standalone first management-system project, given the audit cost and the fact that certification alone does not satisfy EU AI Act conformity-assessment duties.
Is ISO 27001 mandatory in the UK?
No. ISO 27001 is voluntary in the UK; it is not a statutory requirement under UK GDPR or the Data Protection Act 2018, though it is widely used to evidence the “appropriate technical and organisational measures” those laws require. The same voluntary status applies to ISO 42001 — no UK or EU law currently mandates it.
AI governance of this kind sits within the broader discipline of research administration, where risk, compliance and data-governance functions increasingly have to account for AI tools used across the grant and research lifecycle.
What this means for research offices next
Expect ISO 42001 adoption in the research sector to track two forces: institutional risk appetite around AI-assisted decision-making, and the EU AI Act’s phased high-risk obligations landing through August 2026 and August 2027. CEN-CENELEC’s harmonised standards work will eventually clarify how far ISO 42001 conformity can be credited toward AI Act presumption of conformity — research offices tracking AI governance now will be better placed when that mapping firms up.