35-minute read · 38 Annex A controls · 20 mandatory documents

ISO 42001 Requirements — The Complete Guide

ISO 42001 Requirements define what an organisation must establish, implement, maintain, and continually improve to operate a conformant Artificial Intelligence Management System (AIMS). This page provides a complete, clause-by-clause walkthrough of every ISO 42001 requirement, all 38 Annex A controls, mandatory documentation and records, and regulatory mapping against the EU AI Act, NIST AI RMF, UK AI Framework, and India DPDP Act.

Clauses 4 to 10 fully explained
All 38 Annex A controls
20 mandatory documents listed
25 mandatory records listed

About the Standard

ISO/IEC 42001:2023 — at a glance

Full title: ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system
Publication date: December 2023
Issuing bodies: ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission)
Technical committee: ISO/IEC JTC 1/SC 42 — Artificial Intelligence
Type: Certifiable management system standard (Type A, i.e. a standard that states requirements, as opposed to a Type B guidance standard)
Harmonised structure: Yes — uses the Annex SL Harmonised Structure (HLS), so it integrates with ISO 27001, 9001, 14001, 45001, 22301 and 27701
Scope: Establish, implement, maintain, and continually improve an AIMS in any organisation that develops, deploys, integrates, sells, or uses AI
Total Annex A controls: 38 controls under 9 control objectives (A.2 through A.10), selected and justified through the Statement of Applicability
Certification body required: Yes — use a certification body accredited to ISO/IEC 17021-1 by an accreditation body that is an IAF signatory, such as UAF. ISO/IEC 42006 sets additional requirements for bodies that audit and certify AIMS, so confirm that the body's accreditation scope explicitly covers ISO/IEC 42001 before engaging it.

Structure

Clauses and annexes — what is mandatory and what is informative

ISO/IEC 42001:2023 follows the Annex SL Harmonised Structure used by all modern ISO management system standards, making integration with ISO 27001, ISO 9001, and ISO 27701 straightforward.

Clause | Title | Status
1 | Scope | Informative
2 | Normative References | Informative
3 | Terms and Definitions | Informative
4 | Context of the Organisation | Mandatory
5 | Leadership | Mandatory
6 | Planning | Mandatory
7 | Support | Mandatory
8 | Operation | Mandatory
9 | Performance Evaluation | Mandatory
10 | Improvement | Mandatory
Annex A | AI-Specific Controls (Reference) | Normative; controls are selected via the SoA, and every exclusion must be justified
Annex B | Implementation Guidance for Annex A | Informative
Annex C | AI-Related Organisational Objectives and Risk Sources | Informative
Annex D | Use of AIMS Across Domains and Sectors | Informative

Mandatory Requirements

Clause-by-clause requirements (Clauses 4 to 10)

Clauses 4 through 10 contain all the mandatory requirements of ISO/IEC 42001:2023. Each clause is explained below with a plain-language walkthrough of what your organisation must demonstrate to achieve and maintain certification.

Clause 4: Context of the Organisation

Understand the internal and external context, identify interested parties, define the AIMS scope.

4.1 Understanding the Organisation and Its Context

Determine external and internal issues relevant to AI activities, including strategic direction, regulatory environment, technology landscape, and stakeholder expectations affecting the AIMS.

4.2 Understanding the Needs and Expectations of Interested Parties

Identify interested parties relevant to AI (customers, regulators, data subjects, suppliers, employees, civil society, investors), determine their relevant requirements, and decide which are addressed by the AIMS.

4.3 Determining the Scope of the AIMS

Define the boundaries and applicability of the AIMS — including which AI systems, business processes, sites, and geographies are within scope. The scope statement must be documented and made available.

4.4 AI Management System

Establish, implement, maintain, and continually improve the AIMS, including the processes needed and their interactions.

Clause 5: Leadership

Top management must demonstrate commitment to responsible AI governance — not merely delegate it.

5.1 Leadership and Commitment

Top management shall ensure the AI Policy and AI objectives are established and aligned to strategy, integrating AIMS requirements into business processes, providing resources, and promoting continual improvement.

5.2 AI Policy

Top management shall establish an AI Policy appropriate to the organisation's purpose, providing a framework for AI objectives, commitment to satisfy applicable requirements, and commitment to continual improvement. The policy must be documented, communicated, and available to interested parties.

5.3 Roles, Responsibilities, and Authorities

Top management shall assign responsibilities and authorities for AIMS roles, including responsibility for ensuring AIMS conforms to ISO 42001 and for reporting performance to top management.

Clause 6: Planning

Combines traditional risk-based thinking with AI Risk Assessment and AI Impact Assessment.

6.1.1 General

Using the Clause 4 context and interested-party requirements, determine the risks and opportunities the AIMS must address, and plan the actions, and how to integrate and evaluate them, to address them.

6.1.2 AI Risk Assessment

Define and apply an AI risk assessment process that establishes risk acceptance criteria, produces consistent, valid and comparable results on repeated application, identifies AI risks, analyses their consequences and likelihood, and evaluates them against the acceptance criteria.

6.1.3 AI Risk Treatment

Define and apply an AI risk treatment process to select treatment options, determine the controls needed, compare them with Annex A to confirm no necessary control has been overlooked, produce a Statement of Applicability (SoA), and formulate an AI risk treatment plan. Risk owners must approve the risk treatment plan and accept the residual AI risks; the SoA records which Annex A controls are included or excluded and why.

6.1.4 AI System Impact Assessment

Define a process for assessing the potential consequences of AI systems for individuals, groups of individuals, and societies, covering fairness, transparency, individual rights, environmental impact, and societal impact, and retain the results as documented information. The process must exist for every in-scope system; the depth of each assessment scales with how significantly the system can affect individuals or society.

6.2 AI Objectives and Planning

Establish measurable AI objectives at relevant functions and levels, consistent with the AI Policy, with plans covering what will be done, resources, responsibility, timeline, and evaluation.

6.3 Planning of Changes

When a need for AIMS changes is determined, the changes shall be carried out in a planned manner.

Clause 7: Support

Foundational resources, competence, awareness, communication, and documented information.

7.1 Resources

Determine and provide resources needed for the AIMS, including human, technical, infrastructure, and financial resources.

7.2 Competence

Determine necessary competence of persons affecting AIMS performance, ensure competence through appropriate education, training, or experience, take action where gaps exist, and retain evidence of competence.

7.3 Awareness

Persons shall be aware of the AI Policy, their contribution to AIMS effectiveness, and the implications of non-conformity.

7.4 Communication

Determine internal and external communications relevant to the AIMS — including what, when, with whom, how, and by whom.

7.5 Documented Information

The AIMS shall include documented information required by ISO 42001 and any additional documented information determined as necessary. Documented information shall be identified, formatted, reviewed, approved, controlled, and retained.

Clause 8: Operation

Brings the AIMS into operation — controlling AI activities across their lifecycle and managing change.

8.1 Operational Planning and Control

Plan, implement, and control processes needed to meet AIMS requirements, implement Clause 6 actions, control planned changes, and review consequences of unintended changes. Outsourced processes shall be controlled.

8.2 AI Risk Assessment (Operational)

Perform AI risk assessments at planned intervals and when significant changes are proposed or occur. Documented information shall be retained.

8.3 AI Risk Treatment (Operational)

Implement the AI risk treatment plan and retain documented information of the results.

8.4 AI System Impact Assessment (Operational)

Perform AI System Impact Assessments at planned intervals and when significant changes are proposed or occur. Documented information shall be retained.

Clause 9: Performance Evaluation

Ensures the AIMS is monitored, measured, audited, and reviewed for effectiveness.

9.1 Monitoring, Measurement, Analysis, and Evaluation

Determine what needs to be monitored and measured, the methods, when performed, when results are analysed, and who is responsible. Retain documented information as evidence.

9.2 Internal Audit

Conduct internal audits at planned intervals to determine whether the AIMS conforms to ISO 42001 and the organisation's own requirements, and is effectively implemented and maintained. Report results to relevant management.

9.3 Management Review

Top management shall review the AIMS at planned intervals to ensure continuing suitability, adequacy, and effectiveness. Outputs shall include decisions related to continual improvement and any need for change.

Clause 10: Improvement

Closes the management system cycle — addressing non-conformities and driving continual improvement.

10.1 Continual Improvement

Continually improve the suitability, adequacy, and effectiveness of the AIMS.

10.2 Nonconformity and Corrective Action

When a nonconformity occurs: react to it, evaluate the need to eliminate causes, implement actions, review effectiveness, and make AIMS changes if necessary. Retain documented information.

Annex A

All 38 AI-specific controls explained

Annex A provides a reference set of 38 AI-specific controls organised under 9 control objectives (A.2 to A.10). Organisations select applicable controls through the Statement of Applicability (SoA), justifying inclusion or exclusion. The SoA is mandatory and one of the most heavily audited documents in Stage 1.

A.2 Policies Related to AI (3 controls)

A.2.2 | AI Policy | An AI Policy shall be defined, approved by management, published, communicated to relevant personnel and interested parties, and reviewed at planned intervals.
A.2.3 | Alignment with Other Organisational Policies | The AI Policy shall be aligned with other organisational policies (e.g., information security, privacy, quality, ethics).
A.2.4 | Review of the AI Policy | The AI Policy shall be reviewed at planned intervals and when significant changes occur, to ensure continuing suitability.

A.3 Internal Organisation (2 controls)

A.3.2 | AI Roles and Responsibilities | AI-related roles and responsibilities shall be defined and allocated according to organisational needs.
A.3.3 | Reporting of Concerns | The organisation shall define and provide mechanisms for reporting concerns about AI throughout its lifecycle.

A.4 Resources for AI Systems (5 controls)

A.4.2 | Resource Documentation | Resources used by AI systems shall be identified and documented.
A.4.3 | Data Resources | Data resources used in the AI system shall be documented as part of resource management.
A.4.4 | Tooling Resources | Tools used to support the AI system lifecycle shall be documented.
A.4.5 | System and Computing Resources | System and computing resources used by the AI system shall be documented.
A.4.6 | Human Resources | Document information about human resources and their competencies as required for the AI system.

A.5 Assessing Impacts of AI Systems (4 controls)

A.5.2 | AI System Impact Assessment Process | Establish a process for assessing the potential impacts of AI systems on individuals, groups, and societies.
A.5.3 | Documentation of AI System Impact Assessments | Documentation of AI System Impact Assessments shall be retained.
A.5.4 | Assessing AI System Impact on Individuals or Groups | Assess and document the potential impacts of AI systems on individuals or groups, including those potentially vulnerable.
A.5.5 | Assessing Societal Impacts of AI Systems | Assess and document potential societal impacts of AI systems.

A.6 AI System Lifecycle (9 controls)

A.6.1.2 | Objectives for Responsible Development of AI | Define objectives to guide the responsible development of AI systems.
A.6.1.3 | Processes for Responsible AI Design and Development | Establish processes for the responsible design and development of AI systems.
A.6.2.2 | AI System Requirements and Specifications | Requirements and specifications for AI systems shall be documented.
A.6.2.3 | Documentation of AI System Design and Development | The design and development of AI systems shall be documented.
A.6.2.4 | AI System Verification and Validation | Measures for verification and validation of AI systems shall be defined and used.
A.6.2.5 | AI System Deployment | AI systems shall be deployed according to a deployment plan and only after meeting acceptance criteria.
A.6.2.6 | AI System Operation and Monitoring | AI systems in operation shall be monitored.
A.6.2.7 | AI System Technical Documentation | Technical documentation shall be created and maintained for AI systems.
A.6.2.8 | AI System Recording of Event Logs | Event logs shall be recorded during the operation of AI systems.

A.7 Data for AI Systems (5 controls)

A.7.2 | Data for Development and Enhancement | Define and document processes for the management of data used to develop and enhance AI systems.
A.7.3 | Acquisition of Data | Determine and document details about acquisition and selection of data used in AI systems.
A.7.4 | Quality of Data for AI Systems | Define and document data quality requirements and ensure data used in AI systems meets these.
A.7.5 | Data Provenance | Define and document processes for recording the provenance of data used in AI systems.
A.7.6 | Data Preparation | Define and document data preparation criteria and methods used in AI systems.

A.8 Information for Interested Parties (4 controls)

A.8.2 | System Documentation and Information for Users | Determine and provide information about AI systems to users.
A.8.3 | External Reporting | Mechanisms shall be in place to enable third-party reporting of issues with AI systems.
A.8.4 | Communication of Incidents | Communicate incidents related to AI systems to relevant interested parties.
A.8.5 | Information for Interested Parties | Determine and document the approach to provide information to interested parties.

A.9 Use of AI Systems (3 controls)

A.9.2 | Processes for Responsible Use of AI Systems | Define and document processes for the responsible use of AI systems.
A.9.3 | Objectives for Responsible Use | Objectives for the responsible use of AI systems shall be identified.
A.9.4 | Intended Use of AI Systems | Ensure AI systems are used in accordance with their intended uses, including any conditions of use.

A.10 Third-Party and Customer Relationships (3 controls)

A.10.2 | Allocation of Responsibilities | Ensure allocation of responsibilities between the organisation, partners, suppliers, customers, and third parties is clearly defined.
A.10.3 | Suppliers | Establish processes to ensure use of AI services, products, and materials provided by suppliers aligns with the AIMS.
A.10.4 | Customers | Ensure responsibilities allocated between the organisation and customers regarding AI systems are clear and documented.

Informative Annexes

Annexes B, C, and D — implementation guidance and reference material

Annex B — Implementation Guidance

Provides implementation guidance for each Annex A control. Not certifiable, but provides essential interpretive context that auditors rely on when assessing how controls have been implemented. Key themes include AI ethics in operational terms, data lifecycle management, model lifecycle management, performance metrics, human oversight mechanisms, bias and fairness testing, and AI-specific incident response.

Annex C — Objectives and Risk Sources

Provides a reference list of AI-related organisational objectives and AI risk sources to help organisations during Clause 6 planning. Ensures organisations do not omit important AI risk categories. Common objectives include accountability, AI expertise, fairness, privacy, robustness, safety, security, transparency, and sustainability. Common risk sources include explainability gaps, automation levels, bias and discrimination, system lifecycle issues, adversarial threats, and environmental impact.

Annex D — Use Across Domains and Sectors

Acknowledges that ISO 42001 is sector-agnostic but can be tailored for specific domains. Identifies how AIMS interacts with existing sector-specific frameworks and standards in healthcare, finance, automotive, public sector, and others. Does not add requirements — helps organisations contextualise AIMS for their sector.

Mandatory Documentation

Complete list of ISO 42001 mandatory documents

ISO 42001 does not prescribe document formats. Documents may exist as standalone policies, integrated within an Integrated Management System manual, or as wiki articles, provided the required content is present, version-controlled, and accessible.

# | Document | Clause / Control | Purpose
1 | AIMS Scope Statement | Clause 4.3 | Defines AI systems, business processes, sites, and geographies in scope
2 | AI Policy | Clause 5.2 and A.2.2 | Approved, communicated AI Policy
3 | Roles, Responsibilities, and Authorities | Clause 5.3 and A.3.2 | Documented assignment of AIMS responsibilities
4 | AI Risk Assessment Methodology | Clause 6.1.2 | Documented methodology including risk acceptance criteria
5 | AI Risk Register | Clause 6.1.2 | Risks identified, analysed, evaluated, treated, with risk owners
6 | AI Risk Treatment Plan | Clause 6.1.3 | Controls selected with target dates, owners, and review schedule
7 | Statement of Applicability (SoA) | Clause 6.1.3 | Annex A controls selected with justification for inclusion or exclusion
8 | AI System Impact Assessment Procedure | Clause 6.1.4 and A.5.2 | Process for assessing potential impacts on individuals, groups, society
9 | AI System Impact Assessments (per significant AI system) | Clause 6.1.4 and A.5.3 | Completed impact assessments retained as documented information
10 | AI Objectives | Clause 6.2 | Measurable AI objectives at relevant functions
11 | Competence Records | Clause 7.2 | Evidence of competence (qualifications, training, experience)
12 | Communication Plan and Records | Clause 7.4 | Internal and external AI communications
13 | AI System Inventory / Use Case Register | Clauses 4, 6, 8 and A.4 | Register of AI systems in scope
14 | AI System Lifecycle Procedure | Clause 8.1 and A.6 | Operational control of the AI lifecycle: design, develop, verify, validate, deploy, monitor, decommission
15 | Data Management Procedure | A.7 | Acquisition, quality, provenance, preparation of data for AI
16 | AI System Technical Documentation (per system) | A.6.2.7 | Model cards, data sheets, design records per AI system
17 | Information for Users / External Stakeholders | A.8 | Documented information made available to users and interested parties
18 | Third-Party AI Management Procedure | A.10 | Supplier, partner, and customer responsibility allocation and management
19 | Internal Audit Programme and Procedure | Clause 9.2 | Planned audits, criteria, scope, methods
20 | Nonconformity and Corrective Action Procedure | Clause 10.2 | Response, evaluation, action, review

Mandatory Records

Complete list of ISO 42001 mandatory records

Records demonstrate that the AIMS is operating, not just documented. ISO 42001 does not prescribe specific retention periods — the organisation must define retention based on regulatory, contractual, and stakeholder requirements. Typical retention is 3 to 7 years.

# | Record | Clause / Control | Purpose
1 | Records of Top Management Commitment | Clause 5.1 | Meeting minutes, decisions, resource approvals signed by leadership
2 | AI Policy Review Records | A.2.4 | Evidence of periodic review and update of AI Policy
3 | AI Risk Assessment Records | Clauses 6.1.2 and 8.2 | Completed assessments at planned intervals and on change
4 | AI Risk Treatment Records | Clauses 6.1.3 and 8.3 | Implementation evidence per planned control
5 | Approved Statement of Applicability (versioned) | Clause 6.1.3 | Current SoA with approval signature and date
6 | AI System Impact Assessment Records | Clause 8.4 and A.5.3 | Completed AI Impact Assessments retained per AI system
7 | Training Records and Competence Evidence | Clause 7.2 | Qualifications, completed training, on-the-job experience evidence
8 | AI Awareness Records | Clause 7.3 | Evidence personnel are aware of AI Policy and AIMS responsibilities
9 | Internal AI Communication Records | Clause 7.4 | Internal communications about the AIMS and AI changes
10 | External AI Communication Records | Clause 7.4 and A.8 | External information published or shared with interested parties
11 | AI System Design and Development Records | A.6.2.3 | Design rationale, architecture decisions, design review minutes
12 | AI System Verification and Validation Records | A.6.2.4 | Test plans, test results, validation outcomes per AI system
13 | AI System Deployment Records | A.6.2.5 | Deployment plan execution and acceptance evidence
14 | AI System Monitoring Records | A.6.2.6 | Performance monitoring outputs, drift detection, intervention logs
15 | AI Event Logs | A.6.2.8 | Operational event logs of AI system behaviour and decisions
16 | Data Acquisition and Selection Records | A.7.3 | Provenance, lawful basis, dataset selection criteria evidence
17 | Data Quality Records | A.7.4 | Testing of data quality against documented criteria
18 | Data Provenance Records | A.7.5 | Recorded provenance of training and operational data
19 | AI Incident Records | A.8.4 | Incidents, root cause analysis, corrective actions, communications
20 | Third-Party AI Due Diligence Records | A.10 | Supplier assessments, contract reviews, performance monitoring
21 | Monitoring and Measurement Results | Clause 9.1 | Outcomes from monitoring and measurement of AIMS performance
22 | Internal Audit Records | Clause 9.2 | Audit plan, findings, reports, follow-up
23 | Management Review Records | Clause 9.3 | Agenda, attendance, inputs, outputs, decisions
24 | Nonconformity Records | Clause 10.2 | Nonconformities identified, root cause analysis, action taken, review
25 | Continual Improvement Records | Clause 10.1 | Improvement initiatives tracked, performance trended

Cornerstone Requirement

AI System Impact Assessment — scope, triggers, and DPIA relationship

Unlike traditional risk assessment which focuses on risks to the organisation, AI Impact Assessment focuses on potential consequences of an AI system on individuals, groups, and societies. It is required by Clauses 6.1.4 and 8.4, and by controls A.5.2 through A.5.5.

Scope of AI Impact Assessment

Impact on fundamental rights and freedoms — privacy, dignity, non-discrimination

Impact on individuals — both intended users and affected third parties

Impact on vulnerable groups — minors, elderly, persons with disabilities, marginalised communities

Impact on society — democratic processes, employment, public discourse, social cohesion

Environmental impact — compute, water, energy, carbon footprint

Impact on economic interests — financial impact on individuals or markets

Health and safety impact — physical or psychological harm

When AI Impact Assessment Is Performed

Before deploying a new AI system

Before significant changes to an existing AI system (new use case, retraining on new data, new user group)

At planned intervals during AI operation (typically annually for medium and high-risk systems)

On a triggering incident or external development (regulatory change, near-miss, complaint)

Relationship to GDPR DPIA

Where AI processes personal data, AI Impact Assessment may overlap with the GDPR Article 35 DPIA. Organisations may perform a single combined assessment, provided both ISO 42001 and GDPR requirements are met. AI Impact Assessment is broader: it considers impact beyond personal data, including societal and group impacts.

Regulatory Alignment

ISO 42001 vs EU AI Act, NIST AI RMF, UK AI Framework, India DPDP

ISO 42001 is a voluntary international standard; the EU AI Act, NIST AI RMF, UK AI regulation, and India's DPDP Act are regional or sector-specific instruments. They are complementary: an ISO 42001 certificate is useful evidence that AI is governed by a functioning management system, but none of these instruments grants a presumption of compliance on the strength of a certificate alone, so each obligation still has to be checked individually.

Framework | Nature | How ISO 42001 Supports Compliance
EU AI Act | Binding EU regulation. Risk-based approach (unacceptable, high, limited, minimal risk). | Substantially overlaps on risk management, human oversight, transparency, accuracy, robustness, data governance, and post-market monitoring, and supports the quality management system and technical documentation that high-risk providers must maintain. Presumption of conformity attaches to harmonised standards adopted under the Act, not to an ISO 42001 certificate, so certification is supporting evidence rather than conformity assessment.
NIST AI RMF (United States) | Voluntary framework. Functions: Govern, Map, Measure, Manage. | NIST has published a crosswalk between the AI RMF and ISO/IEC 42001; an AIMS maps to all four functions, though the RMF's subcategory-level outcomes still need to be checked one by one.
UK AI Regulation Framework | Principles-based, sector-led. Five core principles: safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; contestability and redress. | Maps to all five principles. Certification provides demonstrable evidence to UK sector regulators.
India DPDP Act and AI Advisories | DPDP Act covers personal data; emerging AI advisories address algorithmic accountability. | ISO 42001 combined with ISO/IEC 27701 covers personal data processed by AI. Increasingly expected in IT/ITES sector RFPs.
Singapore AI Verify | Voluntary testing framework for AI systems. | AI Verify tests an individual system; ISO 42001 certifies the organisation's governance of its systems. Combined, they give complementary assurance.
Canada AIDA | Artificial Intelligence and Data Act, proposed in Bill C-27; the bill lapsed when Parliament was prorogued in January 2025. | Its risk-based obligations closely resembled ISO 42001's, so an AIMS is a sound base should equivalent legislation be reintroduced.

Integration

ISO 42001 integration with ISO 27001, ISO 9001, ISO 27701, and more

Because ISO 42001 uses the Annex SL Harmonised Structure, it integrates naturally with other ISO management system standards. Integration significantly reduces effort, cost, and audit time.

ISO/IEC 27001 — Information Security

Shared risk management framework. Controls for access, encryption, secure development, supplier security, and incident response apply directly to AI assets, training data, and model artefacts. Integrated audits typically 20 to 40 percent faster.

ISO 9001 — Quality Management

Shared management system structure — leadership, risk-based thinking, process control, internal audit, management review, continual improvement. The single foundation supports both standards.

ISO/IEC 27701 — Privacy Information Management

Critical where AI processes personal data. Shared controls for data subject rights, lawful basis, privacy by design. ISO 42001 plus ISO 27701 is the dominant combination for AI in regulated personal-data sectors.

ISO 22301 — Business Continuity

Shared resilience framework. Relevant for organisations whose AI services are business-critical or customer-facing.

ISO/IEC 23894 — AI Risk Management

Non-certifiable guidance standard. Provides detailed AI risk management techniques that operationalise ISO 42001 requirements. Treat as a companion implementation guide.

ISO 14001 — Environmental

Relevant for managing the environmental impact of compute-intensive AI training and inference — energy consumption, water, e-waste.

ISO 45001 — Occupational Health and Safety

Relevant where AI is used in physical environments or affects worker safety (manufacturing, logistics, healthcare).

Implementation Roadmap

Phased approach to ISO 42001 certification

Typical implementation timeline: 8 to 16 weeks for medium organisations with existing ISO 27001 or ISO 9001. Up to 26 weeks for organisations starting without any prior management system.

Phase 1: Foundation (Weeks 1 to 2)

Senior management decision and AIMS sponsorship

Scope definition workshop — identify AI systems, business processes, sites

Identification of interested parties and their AI-related expectations

Gap analysis against ISO 42001 (optional but strongly recommended)

Phase 2: Policy and Governance (Weeks 2 to 4)

Drafting and approval of the AI Policy

Definition of AIMS roles and responsibilities

Establishment of an AI Steering Committee or governance forum

Definition of AI objectives at appropriate functions

Phase 3: Risk and Impact (Weeks 4 to 8)

Build the AI Use Case Inventory (including third-party LLMs and AI services)

Define AI Risk Assessment Methodology

Conduct first AI Risk Assessment and document the AI Risk Register

Develop AI Risk Treatment Plan and Statement of Applicability

Conduct AI System Impact Assessments for significant systems

Phase 4: Operational Controls (Weeks 6 to 10)

Define AI System Lifecycle Procedure (design, develop, verify, validate, deploy, monitor, decommission)

Define Data Management Procedure (acquisition, quality, provenance, preparation)

Define Human Oversight Procedure

Define Third-Party AI Management Procedure

Define AI Incident Management Procedure

Phase 5: Performance and Monitoring (Weeks 10 to 12)

Define AIMS monitoring and measurement plan

Plan and conduct first internal AIMS audit

Conduct first management review

Address findings; demonstrate continual improvement

Phase 6: Certification (Weeks 12+)

Submit application to TNV Global

Stage 1 Audit — documentation review

Stage 2 Audit — implementation audit

Independent Technical Review and Certificate Issuance

Common Myths

15 common misinterpretations of ISO 42001 requirements

Avoiding these misinterpretations is the single most effective way to ensure successful first-time certification.

ISO 42001 only applies if we build our own AI.

ISO 42001 applies equally to organisations that develop, deploy, integrate, sell, or use AI. Organisations using third-party LLMs (such as OpenAI, Anthropic, Google) are also in scope and must include those systems in their AIMS.

We already have ISO 27001, so we don't need ISO 42001.

ISO 27001 addresses information security; ISO 42001 addresses AI-specific governance, ethics, impact, and lifecycle. The two are complementary, and the trend is to certify both.

AI Risk Assessment is the same as AI Impact Assessment.

AI Risk Assessment (Clauses 6.1.2 and 8.2) focuses on risks to the organisation and its objectives. AI System Impact Assessment (Clauses 6.1.4 and 8.4) focuses on consequences for individuals, groups, and society. Both are required, both must be documented, and the results of each must be identifiable as such, even if they are produced in one combined workflow.

We need to implement every Annex A control.

The organisation selects applicable controls via the Statement of Applicability, with documented justification for inclusion or exclusion. Not every control will be applicable to every organisation.

Human oversight means having a human approve every AI decision.

ISO 42001 requires meaningful human oversight proportional to risk. For low-risk decisions, oversight may be at the system level. For high-impact decisions, human-in-the-loop is expected.

We can outsource our AIMS to our AI vendor.

The organisation seeking certification holds the AIMS. Vendor management is part of the AIMS, but the organisation itself must operate the management system.

Once certified, we are compliant with the EU AI Act.

ISO 42001 is useful evidence for many EU AI Act obligations, but the Act has specific obligations for high-risk AI (conformity assessment, CE marking, technical documentation, registration, post-market monitoring) that go beyond ISO 42001, and presumption of conformity attaches to the harmonised standards adopted under the Act, not to an ISO 42001 certificate.

We can defer AI Impact Assessment until after certification.

AI Impact Assessment is a Clause 6 and Clause 8 requirement. Without documented impact assessments for significant AI systems, the AIMS is not conformant.

Annex B is mandatory.

Annex B is informative implementation guidance. It is not certifiable. However, auditors use Annex B to interpret whether Annex A controls are reasonably implemented.

ISO 42001 prescribes specific AI techniques.

ISO 42001 is technology-agnostic. It does not require or prohibit any specific AI technique — it requires governance of whatever AI techniques the organisation chooses.

Our AI Policy can be one page.

An AI Policy can be concise, but it must include all elements required by Clause 5.2 — purpose, framework for AI objectives, commitment to satisfying applicable requirements, and commitment to continual improvement.

Surveillance audits are minor.

Surveillance audits cover continued conformity. Major non-conformities found at surveillance can lead to certificate suspension or withdrawal.

We can certify only a subset of our AI systems.

Scope can be limited to specific AI systems, business functions, or sites — but the scope must be clearly defined, communicated, and not misleading to interested parties.

Annex A.10 only covers IT suppliers.

Annex A.10 covers all third-party relationships relevant to AI — suppliers of AI products and services, partners, customers, distributors. Allocation of responsibilities must be clear across the full supply chain.

Only high-risk AI needs documentation.

ISO 42001 requires all in-scope AI systems to be governed. Documentation depth scales with risk, but no in-scope system is exempt from the AIMS.

FAQ

50 frequently asked questions about ISO 42001 requirements

What is ISO/IEC 42001:2023?

ISO/IEC 42001:2023 is the world's first international management system standard for Artificial Intelligence (AIMS). Published in December 2023 jointly by ISO and IEC, it specifies certifiable requirements for establishing, implementing, maintaining, and continually improving an AI Management System in any organisation that develops, deploys, integrates, sells, or uses AI.

Is ISO 42001 mandatory?

ISO 42001 is voluntary. However, it is increasingly expected by regulators, enterprise customers, investors, and insurers as evidence of responsible AI governance. The EU AI Act, NIST AI RMF, and other regulatory frameworks reference ISO 42001 or align closely with its requirements.

Who needs ISO 42001?

Any organisation that develops, deploys, integrates, sells, or uses Artificial Intelligence — including AI software developers, SaaS providers using third-party LLMs, healthcare, banking, fintech, government, manufacturing, education, retail, telecom, and professional services.

What is the difference between ISO 42001 and ISO 23894?

ISO 42001 is a certifiable management system standard. ISO 23894 is an informative guidance standard on AI risk management techniques. Organisations implement ISO 42001 as their AIMS and may use ISO 23894 as a companion implementation guide.

What is an Artificial Intelligence Management System (AIMS)?

An AIMS is a structured framework of policies, procedures, roles, controls, and records that an organisation uses to govern its AI activities responsibly. ISO 42001 specifies the requirements an AIMS must meet to be certifiable.

What does Clause 4 of ISO 42001 require?

Clause 4 requires the organisation to understand its internal and external context relevant to AI, identify interested parties and their needs and expectations, define the scope of the AIMS, and establish the AIMS itself.

What does Clause 5 of ISO 42001 require?

Clause 5 requires top management leadership and commitment, including establishing an AI Policy (Clause 5.2) and assigning AIMS roles, responsibilities, and authorities (Clause 5.3).

What does Clause 6 of ISO 42001 require?

Clause 6 covers planning — addressing risks and opportunities (6.1.1), AI risk assessment (6.1.2), AI risk treatment (6.1.3), AI System Impact Assessment (6.1.4), AI objectives (6.2), and planning of changes (6.3).

What does Clause 7 of ISO 42001 require?

Clause 7 covers support — providing resources, ensuring competence, building awareness, managing internal and external communications, and controlling documented information.

What does Clause 8 of ISO 42001 require?

Clause 8 covers operation — operational planning and control, ongoing AI risk assessment, AI risk treatment, and AI System Impact Assessment in the live environment.

What does Clause 9 of ISO 42001 require?

Clause 9 covers performance evaluation — monitoring, measurement, analysis, and evaluation (9.1), internal audit (9.2), and management review (9.3).

What does Clause 10 of ISO 42001 require?

Clause 10 covers improvement — continual improvement of the AIMS (10.1) and managing nonconformity and corrective action (10.2).

What is Annex A in ISO 42001?

Annex A is a reference set of 38 AI-specific controls organised under 9 control objectives (A.2 through A.10). Organisations select applicable controls through the Statement of Applicability.

How many controls are in Annex A?

Annex A contains 38 controls across 9 control categories: A.2 Policies, A.3 Internal Organisation, A.4 Resources, A.5 Impact Assessments, A.6 AI System Lifecycle, A.7 Data, A.8 Information for Interested Parties, A.9 Use of AI Systems, A.10 Third-Party Relationships.

Are all Annex A controls mandatory?

No. The organisation selects applicable controls via the Statement of Applicability (SoA), with documented justification for inclusion or exclusion. The SoA is mandatory; the controls themselves are selected based on the AI risk assessment.

What is the Statement of Applicability (SoA)?

The SoA is the documented output of Clause 6.1.3. For every Annex A control, the SoA records whether the control is applied, the justification, and the implementation reference. The SoA is one of the most heavily audited documents in Stage 1.

How many mandatory documents does ISO 42001 require?

ISO 42001 requires approximately 20 mandatory documents, including the AIMS Scope Statement, AI Policy, Roles and Responsibilities, AI Risk Assessment Methodology, AI Risk Register, AI Risk Treatment Plan, Statement of Applicability, and others. See the Mandatory Documentation section above for the full list.

What format must ISO 42001 documents be in?

ISO 42001 does not prescribe document formats. Documents may be standalone policies, integrated into an Integrated Management System manual, or held as wiki articles, provided the required content is present, version-controlled, and accessible.

Is an AIMS Manual mandatory?

An AIMS Manual is not explicitly mandatory but is common. The manual typically consolidates references to the AIMS scope, policy, roles, procedures, and records. Many organisations find a manual the easiest way to demonstrate AIMS coherence to auditors.

Must the AI Policy be a separate document?

Not necessarily. The AI Policy may stand alone or be integrated within a broader Responsible Technology Policy. What matters is that the Clause 5.2 elements are clearly present, approved by top management, and communicated.

How often must the AI Policy be reviewed?

ISO 42001 requires periodic review and review on significant change (A.2.4). Most organisations review the AI Policy annually as part of management review, and on triggering events such as new regulation, new AI use cases, or significant incidents.

How many mandatory records does ISO 42001 require?

ISO 42001 requires approximately 25 categories of records, including AI Risk Assessment records, AI Impact Assessment records, training records, AI System Design records, Verification and Validation records, Monitoring records, Data Provenance records, AI Incident records, Internal Audit records, and Management Review records.

What is the retention period for ISO 42001 records?

ISO 42001 does not prescribe specific retention periods. The organisation must define and document retention based on regulatory, contractual, and stakeholder requirements. Typical retention is 3 to 7 years, longer for AI systems with safety, medical, or financial implications.

Can records be held electronically?

Yes. Records may be electronic, provided they are protected from unauthorised change, accessible to those who need them, and retained for the defined period.

What is AI Risk Assessment under ISO 42001?

AI Risk Assessment (Clauses 6.1.2 and 8.2) is a documented process to identify, analyse, evaluate, and treat AI-specific risks to the organisation. Risk acceptance criteria must be established. AI risk includes bias, drift, hallucination, prompt injection, model theft, and third-party model risk.

What is AI System Impact Assessment under ISO 42001?

AI System Impact Assessment (Clauses 6.1.4 and 8.4; controls A.5.2 to A.5.5) is a documented process to assess potential consequences of an AI system on individuals, groups, and societies. It is distinct from AI Risk Assessment, which focuses on risks to the organisation.

When must AI Impact Assessment be performed?

Before deploying a new AI system, before significant changes to an existing system, at planned intervals (typically annually for medium and high-risk AI), and on triggering events such as regulatory change, near-miss incidents, or complaints.

Is AI Impact Assessment the same as DPIA under GDPR?

They overlap but are not identical. DPIA focuses on personal data risks. AI Impact Assessment is broader, including societal, group, environmental, and rights impacts. Where both apply, a single integrated assessment is acceptable provided both ISO 42001 and GDPR requirements are met.

What does ISO 42001 require for human oversight?

ISO 42001 requires meaningful human oversight proportional to risk. For low-risk decisions, oversight may be at the system level (monitoring outputs, periodic review). For high-impact decisions affecting individuals, human-in-the-loop or human-on-the-loop is expected.

Does ISO 42001 require a human to approve every AI decision?

No. ISO 42001 does not require human approval of every AI decision. It requires meaningful, risk-proportionate oversight determined by the AI Risk Assessment and AI Impact Assessment for each system.

What does ISO 42001 require for data governance?

Annex A.7 requires defined processes for data acquisition (A.7.3), data quality (A.7.4), data provenance (A.7.5), and data preparation (A.7.6). Data resources used by AI must be identified and documented (A.4.3).

Does ISO 42001 cover personal data?

Indirectly. Where AI processes personal data, ISO 42001 controls intersect with privacy requirements. Most organisations using personal data in AI integrate ISO 42001 with ISO 27701 (Privacy Information Management) for comprehensive coverage.

How does ISO 42001 handle third-party AI such as OpenAI or Anthropic LLMs?

Annex A.10 requires clear allocation of responsibilities between the organisation, its suppliers, partners, and customers. Use of third-party AI services must be assessed, monitored, and controlled. Third-party LLMs are within the AIMS scope when used by the organisation.

Do we need supplier ISO 42001 certificates?

Not necessarily. The organisation's own AIMS is what is certified. However, due diligence on third-party AI providers — including their security, accuracy, fairness, and reliability — is required under A.10.3.

How long does ISO 42001 implementation take?

Typically 8 to 16 weeks for medium organisations with existing ISO 27001 or ISO 9001, up to 26 weeks for organisations starting without any prior management system.

Do we need a consultant to implement ISO 42001?

Not mandatory. Many organisations implement ISO 42001 in-house, particularly if existing ISO 27001 or ISO 9001 systems are in place. TNV Global, as the certification body, cannot consult on systems it certifies — this would breach ISO 17021-1 impartiality requirements.

Can small organisations certify to ISO 42001?

Yes. The standard is sector- and size-agnostic. Small organisations typically certify in 7 to 14 working days under TNV Global's Fast Track route if they have a clear AI scope and documented AIMS.

Does ISO 42001 satisfy the EU AI Act?

ISO 42001 is substantially aligned with EU AI Act requirements on risk management, transparency, human oversight, accuracy, robustness, data governance, and post-market monitoring. However, the EU AI Act includes specific obligations (CE marking, conformity assessment for high-risk AI) that go beyond ISO 42001.

Does ISO 42001 satisfy NIST AI RMF?

ISO 42001 is highly aligned with NIST AI RMF function categories (Govern, Map, Measure, Manage). Organisations implementing ISO 42001 satisfy almost all NIST RMF objectives, useful in US federal procurement.

Does ISO 42001 satisfy the UK AI Regulation Framework?

ISO 42001 directly addresses all five UK AI principles — safety, transparency, fairness, accountability, and contestability — making certification a strong evidence base for UK sectoral regulators.

Does ISO 42001 cover the India DPDP Act?

Where AI processes personal data, ISO 42001 + ISO 27701 integration covers DPDP obligations. India's emerging AI advisories also reference responsible AI governance, which ISO 42001 addresses.

Can ISO 42001 be integrated with ISO 27001?

Yes, and it is strongly recommended. Both use the Annex SL Harmonised Structure. Integrated audit typically reduces total audit time by 20 to 40 percent compared to separate audits.

Can ISO 42001 be integrated with ISO 9001?

Yes. ISO 9001 provides the foundational management system structure (leadership, internal audit, management review, continual improvement) shared by ISO 42001.

Can ISO 42001 be integrated with ISO 27701?

Yes. Where AI processes personal data, ISO 27701 controls for lawful basis, data subject rights, and privacy by design directly support ISO 42001 requirements.

Can we limit the scope of certification to specific AI systems?

Yes. The AIMS scope can be limited to specific AI systems, business functions, or sites — but the scope must be clearly defined, communicated, and not misleading to interested parties.

Do we need to certify generative AI use such as ChatGPT?

If your organisation's use of generative AI is in scope of your AIMS, then yes — the use case, governance, and controls for generative AI must be documented and audited.

What is the validity of the ISO 42001 Certificate?

Three years from the date of issue, subject to successful annual Surveillance Audits in Year 2 and Year 3. Recertification at the end of three years issues a new three-year certificate.

What happens if regulations change during the certification cycle?

Regulatory changes are addressed through the AIMS planning of changes (Clause 6.3) and continual improvement (Clause 10.1). Significant regulatory changes may trigger a Special Audit.

Where can I verify a TNV Global ISO 42001 Certificate?

All TNV Global ISO 42001 Certificates are verifiable at global-aci.org. The certificate carries the UAF accreditation mark and the certification body code.

How do I get started with ISO 42001 Certification?

Submit the form on this page, email admin@tnvglobal.com, or call +44 7877 901727 (UK) or +91 98380 70227 (India). Our AIMS expert will assess your readiness and provide a customised quotation within four business hours.