Building an AI management system, the certification path, and how it works alongside the EU AI Act.
What is ISO 42001?
ISO/IEC 42001:2023 is the first international standard for AI management systems. Published in December 2023 by ISO and IEC jointly, it sits alongside ISO 27001 (information security), ISO 22301 (business continuity), and ISO 9001 (quality) in the family of management system standards.
ISO 42001 is a management system standard, not a product standard. A product standard answers whether a specific AI model is acceptable. A management system standard answers whether the organisation has a credible system for ensuring its AI is managed properly over time. The EU AI Act does the first; ISO 42001 does the second.
ISO 42001 is voluntary. There is no law that requires it. But the trajectory is clear: enterprise customers, regulators, and procurement teams are pointing to ISO 42001 as the AI equivalent of what ISO 27001 became for information security in the 2010s.
Who developed it and who issues certificates
The standard was developed by ISO/IEC JTC 1/SC 42, the joint technical sub-committee on Artificial Intelligence between ISO and IEC. Around 50 countries participate. Germany participates through DIN; the US through ANSI; the UK through BSI.
Certificates are issued by certification bodies, which are in turn accredited by national accreditation bodies that are members of the International Accreditation Forum (IAF). In Germany the national accreditation body is DAkkS. Certification bodies offering ISO 42001 certification include TÜV SÜD, TÜV Rheinland, DQS, DEKRA, BSI Group, Bureau Veritas, DNV, and SGS. A certificate from an accredited body is recognised internationally through the IAF mutual recognition arrangements; a certificate from a non-accredited body is not. Accreditation for ISO 42001 specifically is recent (the requirements for bodies that audit and certify AI management systems, ISO/IEC 42006, were only published in 2025), so check the accreditation body's public register to confirm that a given body's accreditation scope actually covers ISO 42001 rather than relying on its marketing.
The High-Level Structure (Clauses 4 to 10)
ISO 42001 follows the same High-Level Structure as other modern ISO management system standards (renamed the Harmonized Structure in the 2021 revision of ISO's Annex SL, though the older name is still in common use). Implementers of ISO 27001 or ISO 9001 will recognise it immediately.
- Clause 4 Context of the organisation: internal and external issues, interested parties, scope of the management system
- Clause 5 Leadership: top management commitment, AI policy, roles and responsibilities
- Clause 6 Planning: AI risks and opportunities, objectives, planning of changes
- Clause 7 Support: resources, competence, awareness, communication, documented information
- Clause 8 Operation: operational planning and control, AI risk assessment, AI risk treatment, AI system impact assessment
- Clause 9 Performance evaluation: monitoring, internal audit, management review
- Clause 10 Improvement: nonconformity, corrective action, continual improvement
The Annex A controls
The HLS sets the management system shape. The AI-specific content sits in Annex A, a set of reference controls that works the way ISO 27001's Annex A does: you select controls on the basis of the risk assessment and record which ones apply, and why, in a Statement of Applicability (clause 6.1.3). Annex B gives implementation guidance for each control, and Annex C lists AI-specific organisational objectives and risk sources to draw on during risk assessment. The Annex A control groups are:
- A.2 Policies related to AI: documented policies covering acceptable use, ethics, alignment with values, approved by top management
- A.3 Internal organisation: roles, responsibilities, authorities, reporting on AI to senior management
- A.4 Resources for AI systems: computational, data, system, and human resources
- A.5 Assessing impacts of AI systems: AI system impact assessment before deployment and across the lifecycle
- A.6 AI system lifecycle: requirements, design, development, deployment, operation, monitoring, decommissioning
- A.7 Data for AI systems: data quality, provenance, lineage, representativeness, bias
- A.8 Information for interested parties: documentation and disclosure to users, customers, regulators
- A.9 Use of AI systems: responsible use, human oversight where required
- A.10 Third-party and customer relationships: supplier and customer responsibilities and controls
The certification path
Certification follows the standard ISO management system pattern. Realistic timelines range from 9 to 24 months depending on starting position.
- Gap analysis: internal or with a consultant. 4 to 8 weeks
- Implementation: build the management system. Policies, procedures, impact assessments, monitoring, audit programme. 6 to 18 months
- Internal audit: independent review by an internal team. 4 to 8 weeks
- Management review: top management reviews and signs off. 2 to 4 weeks
- Stage 1 certification audit: the certification body checks readiness and design. A few days on site
- Stage 2 certification audit: implementation and effectiveness audit on site. A week or more
- Certificate issued: valid for three years, with annual surveillance audits and full recertification at year three
Why ISO 42001 matters even though it is voluntary
Enterprise customers will demand it
Procurement teams in regulated industries use third-party certifications to outsource assurance. ISO 27001 went from optional to table stakes between 2010 and 2020. ISO 42001 is following the same curve, faster, because the AI hype cycle is sharper than the security one was. Expect ISO 42001 questions in enterprise RFPs throughout 2026 and 2027.
Supervisors are pointing to it
BaFin, the German BSI (Bundesamt für Sicherheit in der Informationstechnik), ENISA, and the European Supervisory Authorities have all indicated they view ISO 42001 favourably as a reference for AI governance. Certification is not a substitute for satisfying specific legal obligations, but it is a credibility signal during examinations.
It accelerates EU AI Act conformity
The European Commission has signalled (through the AI Office workstream on harmonised standards) that ISO 42001 and the upcoming European harmonised standards for the EU AI Act will be highly aligned. ISO 42001 implementation is several steps closer to EU AI Act conformity assessment. Note the limit, though: ISO 42001 is not itself a harmonised standard published in the Official Journal, so implementing it gives no presumption of conformity under Article 40 of the Act; that presumption will attach only to the European harmonised standards once they are listed.
How ISO 42001 interacts with the other frameworks
- EU AI Act: complementary. Management system standard vs product regulation. Both are relevant to a high-risk AI system in Europe: the Act by law, ISO 42001 by choice
- MaRisk: no direct mapping, but ISO 42001 supports AT 4.3.5 compliance by providing a structured management system
- BAIT: A.6 (lifecycle) and A.7 (data) overlap with several BAIT chapters. Parallel implementation is efficient
- DORA: no direct overlap. Both apply where AI sits inside a financial firm's ICT environment
- NIS2: no direct overlap
- ISO 27001: highly complementary. ISO 27001-certified organisations can implement ISO 42001 as an incremental upgrade with shared management system infrastructure
- GDPR: indirect. The A.5 impact assessment aligns with the GDPR Data Protection Impact Assessment for high-risk processing, and the two can share evidence, but an A.5 assessment does not replace a DPIA where Article 35 requires one
What to do next
- If you already hold ISO 27001: treat ISO 42001 as an incremental upgrade. Reuse policies, procedures, internal audit cycle, and management review meetings
- If you do not hold ISO 27001 yet: consider implementing both in parallel. The shared High-Level Structure makes joint implementation efficient
- Map your current AI controls to Annex A. The gaps you find drive your roadmap
- Start the AI system impact assessment under A.5 early. It is the most procurement-relevant artefact of the standard
- Engage an accredited certification body early to confirm scope and accreditation status before committing
- Use the classifier tool to see how ISO 42001 sits alongside the other six frameworks for your specific AI system
This lesson is educational, not legal advice. Confirm with qualified counsel before relying on any classification for compliance submissions.