ISO 42001 Requirements Explained: A Complete Guide to the Standard
ISO/IEC 42001 was developed to help organisations manage AI risks through a structured Artificial Intelligence Management System. This guide explains the requirements of ISO 42001, how the standard is structured, and what organisations need to implement to establish, maintain, and continually improve an AIMS.
Definition: What Is ISO 42001?
ISO/IEC 42001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System. An AIMS helps organisations govern how AI systems are developed, provided, used, monitored, assessed, and improved throughout their lifecycle.
The standard is relevant to organisations that develop AI systems, provide AI-enabled products or services, use AI tools internally, integrate AI components into wider systems, or support AI-related activities such as evaluation, auditing, or data provision. ISO 42001 was published in 2023 by the International Organization for Standardization and the International Electrotechnical Commission.
ISO 42001 at a Glance
| Topic | Summary |
|---|---|
| Standard | ISO/IEC 42001 |
| Published | 2023 |
| Focus | Governance and risk management for AI systems |
| Management system | Artificial Intelligence Management System (AIMS) |
| Certification | Yes, available through accredited certification bodies |
| Applicable to | Organisations that develop, provide, use, or otherwise interact with AI systems |
| Key feature | Risk-based and role-based AI governance |
| Supporting standards | Part of a broader family including ISO/IEC 22989, ISO/IEC 23894, and ISO/IEC 38507 |
While ISO/IEC 42001 contains the requirements for establishing and operating an AIMS, it does not exist in isolation. It is supported by a wider family of AI standards that provide terminology, guidance, implementation support, and subject-specific recommendations. For example, ISO/IEC 22989 provides concepts and terminology including AI stakeholder roles, while ISO/IEC 23894 provides guidance on AI risk management.
Structure of the ISO 42001 Standard
Like many ISO management system standards, ISO 42001 follows the common structure used by standards such as ISO 27001 and ISO 9001. Clauses 4 to 10 contain the core requirements for implementing an AI Management System.
ISO 42001 is not only about listing AI tools or writing an AI policy. It requires organisations to understand their AI systems, determine their role in relation to those systems, assess risks and impacts, implement appropriate controls, and continually improve the management system.
The Core Clauses Explained
Requires the organisation to understand internal and external issues affecting the AIMS, determine its role in relation to AI systems (AI provider, producer, customer, user, partner, or AI subject), understand the needs of interested parties, and define the scope of the AIMS. Role determination is foundational — it affects responsibilities, interested parties, risk exposure, and control selection.
Requires top management to demonstrate leadership and commitment to the AIMS. Senior leadership must establish an AI policy, ensure resources are available, assign roles and responsibilities, communicate the importance of AI management, support continual improvement, and promote a responsible approach to AI development, provision, and use.
Requires organisations to plan how they will address AI risks and opportunities. This includes establishing AI risk assessment and treatment processes, setting AI objectives, performing AI system impact assessments, and ensuring changes to the AIMS are carried out in a planned manner.
Focuses on the resources, competence, awareness, communication, and documented information needed to operate the AIMS effectively. Relevant personnel must be competent, aware of the AI policy, and understand the implications of not conforming with AIMS requirements. Documented information includes policies, procedures, AI inventories, risk assessments, and monitoring records.
Requires the organisation to plan, implement, and control operational processes needed to meet AIMS requirements. This includes implementing risk treatment controls, controlling planned and unintended changes, ensuring third-party AI platforms and services are appropriately controlled, and performing risk and impact assessments at planned intervals or when significant changes occur.
Requires organisations to monitor and measure AIMS performance, conduct internal audits at planned intervals, and hold management reviews. Management reviews should consider previous actions, changes in context, nonconformities, monitoring results, audit findings, and opportunities for continual improvement.
Requires the organisation to continually improve the suitability, adequacy, and effectiveness of the AIMS. When nonconformities occur, the organisation must respond, determine the cause, take corrective action, and retain documented evidence. Improvement may arise from audit findings, incidents, monitoring results, stakeholder concerns, or changes in regulation or AI performance.
AI Risk Assessment and Treatment
Organisations must establish and maintain processes for assessing and treating risks associated with AI systems. This includes defining AI risk criteria, identifying AI-related risks, analysing and evaluating those risks, and determining appropriate treatment measures.
Unlike traditional information security risk assessments, AI risk assessments often need to consider issues such as:
- bias and discrimination
- lack of transparency or explainability
- inaccurate or misleading outputs
- model drift and performance degradation
- automation bias and overreliance
- misuse of AI systems
- privacy and security concerns
- unintended consequences arising from AI behaviour
The results of these assessments are used to determine appropriate risk treatment measures and select relevant controls. Organisations implementing ISO 42001 typically use Annex A as a reference when determining which controls are necessary and document these decisions within a Statement of Applicability.
AI System Impact Assessment
One of the most distinctive aspects of ISO 42001 is the requirement to assess the potential impacts of AI systems on individuals, groups of individuals, and society. Impact assessments should consider factors such as:
- the intended purpose of the AI system
- the context in which it is used
- affected stakeholders
- foreseeable misuse
- potential adverse outcomes
- applicable legal, regulatory, and societal expectations
The results help organisations understand the broader implications of AI use and support informed governance decisions throughout the AI lifecycle.
Annex A — Controls Supporting AI Governance
Annex A provides reference control objectives and controls for AI governance. Organisations must determine which controls are necessary based on their context, AI roles, AI systems, risk assessment, impact assessment, and risk treatment decisions. Annex A supports areas such as:
The organisation must produce a Statement of Applicability that identifies the necessary controls and provides justification for inclusion and exclusion. This makes Annex A central to ISO 42001 implementation, but its application must be risk-based and context-specific.
How ISO 42001 Relates to the EU AI Act
ISO 42001 is not the same as EU AI Act compliance and does not automatically make an organisation compliant with the regulation. However, ISO 42001 can support regulatory readiness by helping organisations establish the governance processes needed to understand and manage AI systems. For example, ISO 42001 supports:
- identifying AI systems
- determining organisational roles
- understanding interested parties
- assessing AI risks and system impacts
- documenting governance decisions
- implementing controls
- monitoring performance
- managing incidents and nonconformities
- improving governance processes over time
For organisations operating in Europe, ISO 42001 can therefore provide a useful management system framework for organising AI governance activities and preparing for regulatory expectations.
How Organisations Implement ISO 42001
Implementing ISO 42001 typically involves several stages.
Identify the AI systems that are developed, provided, or used within the business and the internal and external issues that affect governance.
Establish whether your organisation acts as an AI provider, producer, customer, user, partner, or in multiple roles. This is essential as it affects responsibilities, interested parties, risks, and control applicability.
Set out which AI systems, business activities, teams, products, services, and locations are included within the management system.
Establish an AI policy, assign responsibilities, and define governance arrangements across relevant teams.
Conduct AI risk assessments and AI system impact assessments to identify, analyse, and evaluate risks and potential consequences for individuals and society.
Determine and implement appropriate risk treatment options and Annex A controls based on context, roles, risks, and impacts.
Maintain documented information, monitor performance, conduct internal audits, and hold management reviews at planned intervals.
Address nonconformities, implement corrective actions, and continually improve the suitability, adequacy, and effectiveness of the AIMS.
Key Takeaways
ISO/IEC 42001 provides a structured framework for governing artificial intelligence systems. The standard requires organisations to establish an AI Management System that addresses governance, leadership, planning, support, operation, performance evaluation, and improvement.
A core requirement is understanding the organisation's role in relation to AI systems. This role determination affects the scope of the AIMS, the needs of interested parties, the risk and impact assessment process, and the applicability of Annex A controls.
ISO 42001 also requires organisations to assess both AI risks and AI system impacts — considering not only organisational risks, but also potential consequences for individuals, groups of individuals, and society. Annex A provides reference controls, but organisations must determine which controls are necessary based on their context, risks, impacts, and AI roles.
Frequently Asked Questions
ISO 42001 requires organisations to establish, implement, maintain, and continually improve an AI Management System. This includes understanding organisational context, determining AI roles, defining scope, establishing leadership and policy, assessing AI risks and impacts, implementing controls, monitoring performance, conducting audits, and continually improving the system.
Yes. ISO 42001 follows a management system structure similar to ISO 27001 and ISO 9001. However, ISO 27001 focuses on information security, while ISO 42001 focuses on governance and risk management for AI systems.
Yes. ISO 42001 can apply to organisations that use AI tools, including third-party AI services. These organisations may still need governance processes to manage risks, define acceptable use, oversee suppliers, assess impacts, and ensure AI systems are used responsibly.
Determining the organisation's role is essential because it affects the applicability and extent of applicability of ISO 42001 requirements and controls. An organisation may act as an AI provider, producer, customer, user, partner, or in multiple roles at once.
AI risk assessment focuses on identifying, analysing, and evaluating risks that may affect AI objectives and create consequences for the organisation, individuals, or society. AI system impact assessment focuses specifically on the potential consequences of the development, provision, or use of AI systems for individuals, groups of individuals, and society.
ISO 42001 is not a legal requirement under the EU AI Act and does not automatically ensure compliance. However, it can support EU AI Act readiness by helping organisations identify AI systems, determine roles, assess risks and impacts, document governance decisions, implement controls, and monitor AI systems over time.
Annex A contains reference control objectives and controls that support AI governance. Organisations use Annex A when determining appropriate controls for AI risk treatment. They must justify which controls are included or excluded through a Statement of Applicability.
Yes. Organisations can seek certification to ISO 42001 where they have implemented an AI Management System that meets the requirements of the standard and is assessed by an accredited certification body.
Ready to implement ISO 42001?
Adoptech helps organisations establish and certify their AI Management System efficiently — combining intelligent automation with UK-based compliance specialists who guide you through every clause.
Talk to our team






