ISO 42001
ISO/IEC 42001 is the international standard for an AI management system, the AI-specific cousin of ISO 27001. Published December 2023 by ISO/IEC.
What is ISO 42001?
ISO/IEC 42001:2023 is the first international standard for an AI management system (AIMS). Published in December 2023, it follows the same management-system structure as ISO 27001 (information security) and ISO 9001 (quality) — adapted for the AI lifecycle. It applies to any organization that develops, deploys, or uses AI systems regardless of industry.
The standard is certifiable: an accredited certification body audits an organization's AIMS against the standard's clauses 4-10 and 38 controls in Annex A, then issues a certificate valid for three years with annual surveillance audits — same pattern as ISO 27001.
Why ISO 42001 is gaining traction
ISO 42001 is rapidly becoming the answer to "how do you systematically manage AI risk?" for organizations procuring AI vendors. It complements but does not replace AI-specific regulations like the EU AI Act — the standard provides the management system, the regulation provides the risk classification and mandatory obligations. Mature AI vendors increasingly pursue ISO 42001 alongside ISO 27001 and SOC 2.
What buyers should ask
When a vendor claims ISO 42001 alignment or certification, ask: is this an active certification from an accredited body, or self-declared alignment? What is the scope statement — does it cover the specific AI system you're procuring? When was the most recent surveillance audit? Self-declared alignment is meaningful as a maturity signal, but it is not an external attestation.