ISO/IEC 42001 is the first international standard for an artificial-intelligence management system (AIMS). Published in December 2023 by the International Organization for Standardization and the International Electrotechnical Commission, it gives organisations a certifiable structure for governing how they develop and use AI. This article explains what the standard is, what certification means, and how it differs from the NIST AI RMF. It is informational and not legal advice.
What a management-system standard is
ISO/IEC 42001 belongs to the same family as well-known standards such as ISO 9001 (quality) and ISO/IEC 27001 (information security). These standards do not assess a product directly; instead they specify requirements for a management system — the policies, roles, processes and continual-improvement loops an organisation puts in place to achieve consistent outcomes. Applied to AI, the standard asks an organisation to establish, implement, maintain and continually improve a system for managing AI-related risks and opportunities. Our pillar page on ISO/IEC 42001 sets out the structure in more detail.
What the standard requires
Following the common high-level structure shared across modern ISO management-system standards, ISO/IEC 42001 addresses areas such as:
- Understanding the organisation’s context and the needs of interested parties.
- Leadership commitment and an AI policy.
- Planning, including AI risk assessment and treatment, and an AI impact assessment.
- Support — resources, competence, awareness and documented information.
- Operation — operational planning and control of the AI lifecycle.
- Performance evaluation — monitoring, internal audit and management review.
- Improvement — corrective action and continual improvement.
The standard also includes annexes offering a reference set of controls and implementation guidance that organisations can select from based on their risk assessment.
What certification actually means
Because ISO/IEC 42001 is a certifiable standard, an organisation can engage an accredited certification body to audit its AI management system against the requirements. A successful audit results in certification, signalling to customers, partners and regulators that an independently assessed management system is in place. Two clarifications matter:
- Certification attests to the management system, not to any individual AI model being “safe” or “unbiased”. It is a statement about governance maturity, not a product guarantee.
- Certification is voluntary and does not, by itself, establish compliance with any specific law such as the EU AI Act, though a robust management system can support an organisation’s wider compliance efforts.
How it differs from the NIST AI RMF
The two instruments are complementary but distinct in nature:
- Certifiability. ISO/IEC 42001 can be independently certified; the NIST AI RMF is a voluntary framework with no certification scheme.
- Focus. ISO/IEC 42001 centres on the management system — the organisational scaffolding for governing AI. The AI RMF centres on the substance of risk management through its Govern, Map, Measure and Manage functions.
- Origin and reach. ISO/IEC 42001 is an international standard developed through ISO/IEC consensus processes; the AI RMF is a US framework from NIST.
- Output. ISO/IEC 42001 yields a certificate that third parties can rely on; the AI RMF yields internal practice and shared language, with no external attestation attached.
Neither is a regulatory requirement on its own, and adopting one does not preclude the other. Many organisations find the distinction practical rather than competitive: the AI RMF tells them how to think about AI risk, while ISO/IEC 42001 gives them an auditable wrapper they can demonstrate to outsiders.
In practice many organisations use both together: the AI RMF (and its generative-AI profile) to inform how they identify and treat risk, and ISO/IEC 42001 to provide an auditable structure within which that work sits.
The AI impact assessment
A distinctive element of ISO/IEC 42001 compared with earlier management-system standards is its explicit attention to the impact of AI systems on individuals and groups, not only on the organisation. The standard contemplates an AI impact assessment process that considers consequences for people and society — for example, fairness, safety and privacy effects — as part of planning and operation. This outward-looking dimension reflects the particular character of AI risk, where harms can fall on third parties such as customers, patients or the public rather than solely on the organisation deploying the system. It is one reason the standard is seen as more than a relabelling of existing security or quality frameworks.
The certification process in practice
Achieving certification typically follows a familiar two-stage audit pattern used across ISO management-system standards. An initial stage reviews documentation and readiness; a second stage assesses whether the management system is implemented and effective in practice. Certification is then maintained through periodic surveillance audits and renewed through recertification over a multi-year cycle. Because the standard is risk-based, the controls an organisation selects from its annexes should follow from its own risk assessment, and an auditor examines whether those choices are justified and operating — not whether the organisation has adopted every possible control.
Why a management-system approach
The appeal of a management-system standard is repeatability and accountability. By embedding AI governance into familiar plan-do-check-act machinery, organisations can integrate it with existing certifications for quality and security rather than building a parallel programme. For organisations already certified to standards such as ISO/IEC 27001, the shared high-level structure means ISO/IEC 42001 can often be layered onto existing governance rather than stood up from scratch. For readers new to terms such as management system, statement of applicability or impact assessment, our dictionary provides plain-language entries.
In summary
ISO/IEC 42001 is the first international AI management-system standard, offering a certifiable structure for governing AI across its lifecycle. It complements rather than replaces risk-management frameworks like the NIST AI RMF, and certification attests to governance maturity rather than product safety or legal compliance. This article is a neutral overview; organisations should consult accredited certification bodies and qualified advisers for their own circumstances.