AI Governance Institute

ISO/IEC 42001:2023 – Information Technology – Artificial Intelligence – Management System

Issued by

International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Joint Technical Committee ISO/IEC JTC 1, Subcommittee SC 42

Status: live | Effective: 2023-12-18 | ISO/IEC 42001:2023 | Verified April 2026

The first certifiable international standard for AI management systems. It provides a structured framework for establishing, implementing, maintaining, and continually improving an organization's AI management system (AIMS), with requirements that can be audited by an accredited certification body and that apply to any organization that develops, provides, or uses AI-based products and services.

Applies To

  • AI system developers and technology companies building AI-powered products and services for global markets
  • Enterprises deploying AI systems in operational and customer-facing contexts across all industry sectors
  • Organizations subject to the EU AI Act, for whom ISO 42001 certification may provide supporting conformity evidence
  • Multinational corporations seeking a single internationally recognized AI governance standard applicable across multiple jurisdictions
  • Government contractors and public sector entities in jurisdictions adopting ISO standards for AI procurement requirements
  • Financial institutions, healthcare providers, and critical infrastructure operators facing sector-specific AI governance obligations
  • Third-party AI service providers and cloud platform vendors subject to customer due diligence and contractual AI governance requirements
  • Organizations already certified to ISO 27001 or ISO 9001 seeking integrated management system extensions to cover AI

Overview

ISO/IEC 42001:2023 is the foundational international standard for artificial intelligence management systems. It was developed by ISO/IEC JTC 1/SC 42, the subcommittee of Joint Technical Committee 1 responsible for AI standardization. It sets out the requirements for an AI Management System (AIMS): the policies, processes, roles, and controls an organization uses to govern the responsible development and use of AI.

The standard follows the Harmonized Structure (formerly called the High-Level Structure, HLS) shared by ISO management system standards, so it is architecturally compatible with ISO 9001 (quality management) and ISO 27001 (information security management) and can be integrated into an existing management system rather than run as a parallel program. ISO 31000 is a risk management guideline rather than a certifiable management system standard, but ISO 42001's risk management requirements are consistent with it and the two can be used together.

ISO 42001 applies to any organization, regardless of size, sector, or geographic location, that develops AI-based products or services, deploys AI-based systems in operational contexts, or provides third-party AI-related services. It applies equally whether the organization acts as an AI provider, an AI producer (developer), or an AI user.

The normative requirements are in Clauses 4 to 10, covering organizational context, leadership, planning, support, operation, performance evaluation, and continual improvement. Annex A is a reference set of AI-specific control objectives and controls, organized around themes such as AI policies, internal organization and roles, resources for AI systems, impact assessment, the AI system life cycle, data for AI systems, information for interested parties, use of AI systems, and third-party and customer relationships. As with the Annex A controls of ISO 27001, the organization compares the controls it has determined with Annex A and records the result, with justification for any exclusions, in a Statement of Applicability. Further annexes give implementation guidance for the Annex A controls, list potential AI-related organizational objectives and risk sources, and discuss use of the AIMS across domains and sectors.

Third-party certification against ISO 42001 is available from accredited certification bodies and gives an externally validated attestation of AI governance maturity that customers, procurement authorities, and regulators increasingly recognize. Its relationship to the EU AI Act should be stated precisely: the Act confers a presumption of conformity on harmonised standards published in the Official Journal of the EU, and ISO 42001 is not currently such a standard. Certification therefore does not by itself demonstrate conformity, but the documented risk management, impact assessment, lifecycle, and supplier controls it requires are useful supporting evidence for a number of AI Act obligations. The standard is also consistent with the OECD AI Principles and the UNESCO Recommendation on the Ethics of AI, which supports its adoption across jurisdictions with divergent regulatory approaches.

Key Requirements

  • Clause 4 – Organizational Context: Define the internal and external factors relevant to the AIMS, identify interested parties and their requirements, and determine the AIMS scope.
  • Clause 5 – Leadership: Demonstrate top management commitment, establish an AI policy aligned with organizational objectives, and assign AI governance roles, responsibilities, and authorities.
  • Clause 6 – Planning: Assess AI risks and opportunities, define measurable AI objectives, plan risk treatment and AI system impact assessments that consider effects on individuals, groups, and society, compare the selected controls against Annex A, and record inclusions and justified exclusions in a Statement of Applicability.
  • Clause 7 – Support: Ensure adequate resources, competence, awareness, and communication for the AIMS; establish and maintain documented information as evidence of conformity.
  • Clause 8 – Operations: Implement AI risk treatment processes, conduct AI system impact assessments, manage the AI system lifecycle (design, development, testing, deployment, monitoring, and decommissioning), and govern third-party and supply chain AI relationships.
  • Clause 9 – Performance Evaluation: Monitor, measure, analyze, and evaluate AIMS performance; conduct internal audits; perform management reviews.
  • Clause 10 – Improvement: Address nonconformities, implement corrective actions, and pursue continual improvement of the AIMS.
  • Annex A Controls: Implement the applicable controls from the AI-specific control set, including AI policy formulation, documentation of AI system objectives, data governance processes, human oversight mechanisms, AI system incident response, and stakeholder engagement, and keep the Statement of Applicability consistent with what is actually implemented, since auditors test the two against each other.

What Your Organization Must Do

  • Define and document the AI Management System (AIMS) scope, and assign a named senior owner (such as a Chief AI Officer or Chief Compliance Officer) who leads implementation and is accountable to top management for all Clause 4 through Clause 10 obligations under ISO/IEC 42001:2023.
  • Commission a gap assessment against all normative clauses and Annex A controls within 60 days of adoption, mapping current AI governance policies, roles, and processes to identify deficiencies requiring remediation before pursuing third-party certification.
  • Formulate and ratify a board-approved AI policy aligned with organizational objectives, documenting assigned governance roles, authority boundaries, and escalation paths for AI-related decisions as required under Clause 5.
  • Conduct AI system impact assessments for each AI application in scope, prioritizing high-risk and customer-facing systems, and integrate these assessments into the standard AI lifecycle workflow covering design, development, testing, deployment, monitoring, and decommissioning under Clause 8.
  • Implement a third-party AI supply chain review process requiring vendors and AI service providers to demonstrate governance controls consistent with Annex A, and embed contractual obligations for ongoing disclosure of AI system changes.
  • Schedule internal AIMS audits and management reviews at planned intervals (at least annually) per Clause 9, track nonconformities and corrective actions in a documented register, and engage an accredited certification body to pursue formal ISO/IEC 42001 certification, using the certification evidence as supporting material in EU AI Act conformity work and in customer due diligence responses.

Frequently Asked Questions

Is ISO 42001 certification mandatory or voluntary?
ISO 42001 certification is voluntary. However, it is increasingly referenced in procurement requirements and customer contracts, and in regulatory contexts such as the EU AI Act it can serve as supporting evidence for certain obligations, even though it does not on its own establish conformity.
Can ISO 42001 certification satisfy EU AI Act conformity assessment requirements?
Not on its own, but it can help. The EU AI Act gives a presumption of conformity only to harmonised standards published in the Official Journal, and ISO 42001 is not one of them. Certification does not replace the mandatory conformity assessment for high-risk AI systems, but the risk management, impact assessment, lifecycle, and supplier controls it requires are useful evidence for a number of AI Act obligations.
How does ISO 42001 integrate with ISO 27001 or ISO 9001 if we are already certified?
ISO 42001 uses the same High-Level Structure common to all ISO management system standards, making it architecturally compatible with ISO 27001 and ISO 9001. Organizations already certified to those standards can extend their existing management system to cover AI governance without building a separate parallel program.
Which types of organizations is ISO 42001 intended for?
ISO 42001 is applicable to any organization that develops, deploys, or provides AI-based products or services, regardless of size, sector, or geography. This includes AI developers, enterprises using AI in operations, cloud platform vendors, and third-party AI service providers, whether they act as providers, producers, or users of AI.
What is the difference between ISO 42001 normative clauses and Annex A controls?
Clauses 4 through 10 contain the mandatory requirements an organization must satisfy to achieve certification, covering governance, risk planning, operations, and continual improvement. Annex A is a reference set of AI-specific controls, such as data governance and human oversight mechanisms. Unlike the clauses, individual Annex A controls can be excluded, but only with a documented justification in the Statement of Applicability, so the selection is driven by the organization's risk assessment rather than by preference.
How long does it typically take to achieve ISO 42001 certification and what does the process involve?
Organizations commonly complete implementation and third-party certification within 9 to 18 months, depending on existing governance maturity; those with an established ISO 27001 or ISO 9001 system tend toward the shorter end. The process typically involves a gap assessment, remediation of deficiencies across all normative clauses and the selected Annex A controls, an internal audit and management review, and a two-stage audit conducted by an accredited certification body.