AI Governance ISO 42001 AIMS Compliance Responsible AI
Responsible AI Governance

ISO 42001 Requirements Explained: A Complete Guide to the Standard

ISO/IEC 42001 was developed to help organisations manage AI risks through a structured Artificial Intelligence Management System. This guide explains the requirements of ISO 42001, how the standard is structured, and what organisations need to implement to establish, maintain, and continually improve an AIMS.


Definition: What Is ISO 42001?

ISO/IEC 42001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System. An AIMS helps organisations govern how AI systems are developed, provided, used, monitored, assessed, and improved throughout their lifecycle.

The standard is relevant to organisations that develop AI systems, provide AI-enabled products or services, use AI tools internally, integrate AI components into wider systems, or support AI-related activities such as evaluation, auditing, or data provision. ISO 42001 was published in 2023 by the International Organization for Standardization and the International Electrotechnical Commission.

ISO 42001 at a Glance

Topic Summary
Standard ISO/IEC 42001
Published 2023
Focus Governance and risk management for AI systems
Management system Artificial Intelligence Management System (AIMS)
Certification Yes, available through accredited certification bodies
Applicable to Organisations that develop, provide, use, or otherwise interact with AI systems
Key feature Risk-based and role-based AI governance
Supporting standards Part of a broader family including ISO/IEC 22989, ISO/IEC 23894, and ISO/IEC 38507

While ISO/IEC 42001 contains the requirements for establishing and operating an AIMS, it does not exist in isolation. It is supported by a wider family of AI standards that provide terminology, guidance, implementation support, and subject-specific recommendations. For example, ISO/IEC 22989 provides concepts and terminology including AI stakeholder roles, while ISO/IEC 23894 provides guidance on AI risk management.

Structure of the ISO 42001 Standard

Like many ISO management system standards, ISO 42001 follows the common structure used by standards such as ISO 27001 and ISO 9001. Clauses 4 to 10 contain the core requirements for implementing an AI Management System.

ISO 42001 is not only about listing AI tools or writing an AI policy. It requires organisations to understand their AI systems, determine their role in relation to those systems, assess risks and impacts, implement appropriate controls, and continually improve the management system.

The Core Clauses Explained

C4
Clause 4 — Context of the Organisation

Requires the organisation to understand internal and external issues affecting the AIMS, determine its role in relation to AI systems (AI provider, producer, customer, user, partner, or AI subject), understand the needs of interested parties, and define the scope of the AIMS. Role determination is foundational — it affects responsibilities, interested parties, risk exposure, and control selection.

C5
Clause 5 — Leadership

Requires top management to demonstrate leadership and commitment to the AIMS. Senior leadership must establish an AI policy, ensure resources are available, assign roles and responsibilities, communicate the importance of AI management, support continual improvement, and promote a responsible approach to AI development, provision, and use.

C6
Clause 6 — Planning

Requires organisations to plan how they will address AI risks and opportunities. This includes establishing AI risk assessment and treatment processes, setting AI objectives, performing AI system impact assessments, and ensuring changes to the AIMS are carried out in a planned manner.

C7
Clause 7 — Support

Focuses on the resources, competence, awareness, communication, and documented information needed to operate the AIMS effectively. Relevant personnel must be competent, aware of the AI policy, and understand the implications of not conforming with AIMS requirements. Documented information includes policies, procedures, AI inventories, risk assessments, and monitoring records.

C8
Clause 8 — Operation

Requires the organisation to plan, implement, and control operational processes needed to meet AIMS requirements. This includes implementing risk treatment controls, controlling planned and unintended changes, ensuring third-party AI platforms and services are appropriately controlled, and performing risk and impact assessments at planned intervals or when significant changes occur.

C9
Clause 9 — Performance Evaluation

Requires organisations to monitor and measure AIMS performance, conduct internal audits at planned intervals, and hold management reviews. Management reviews should consider previous actions, changes in context, nonconformities, monitoring results, audit findings, and opportunities for continual improvement.

C10
Clause 10 — Improvement

Requires the organisation to continually improve the suitability, adequacy, and effectiveness of the AIMS. When nonconformities occur, the organisation must respond, determine the cause, take corrective action, and retain documented evidence. Improvement may arise from audit findings, incidents, monitoring results, stakeholder concerns, or changes in regulation or AI performance.

AI Risk Assessment and Treatment

Organisations must establish and maintain processes for assessing and treating risks associated with AI systems. This includes defining AI risk criteria, identifying AI-related risks, analysing and evaluating those risks, and determining appropriate treatment measures.

Unlike traditional information security risk assessments, AI risk assessments often need to consider issues such as:

  • bias and discrimination
  • lack of transparency or explainability
  • inaccurate or misleading outputs
  • model drift and performance degradation
  • automation bias and overreliance
  • misuse of AI systems
  • privacy and security concerns
  • unintended consequences arising from AI behaviour

The results of these assessments are used to determine appropriate risk treatment measures and select relevant controls. Organisations implementing ISO 42001 typically use Annex A as a reference when determining which controls are necessary and document these decisions within a Statement of Applicability.

AI System Impact Assessment

One of the most distinctive aspects of ISO 42001 is the requirement to assess the potential impacts of AI systems on individuals, groups of individuals, and society. Impact assessments should consider factors such as:

  • the intended purpose of the AI system
  • the context in which it is used
  • affected stakeholders
  • foreseeable misuse
  • potential adverse outcomes
  • applicable legal, regulatory, and societal expectations

The results help organisations understand the broader implications of AI use and support informed governance decisions throughout the AI lifecycle.

Annex A — Controls Supporting AI Governance

Annex A provides reference control objectives and controls for AI governance. Organisations must determine which controls are necessary based on their context, AI roles, AI systems, risk assessment, impact assessment, and risk treatment decisions. Annex A supports areas such as:

AI policies and governance
Roles and responsibilities
Resources for AI systems
Assessing impacts of AI systems
AI system lifecycle management
Data governance
Information for interested parties
Use of AI systems
Third-party and customer relationships

The organisation must produce a Statement of Applicability that identifies the necessary controls and provides justification for inclusion and exclusion. This makes Annex A central to ISO 42001 implementation, but its application must be risk-based and context-specific.

How ISO 42001 Relates to the EU AI Act

ISO 42001 is not the same as EU AI Act compliance and does not automatically make an organisation compliant with the regulation. However, ISO 42001 can support regulatory readiness by helping organisations establish the governance processes needed to understand and manage AI systems. For example, ISO 42001 supports:

  • identifying AI systems
  • determining organisational roles
  • understanding interested parties
  • assessing AI risks and system impacts
  • documenting governance decisions
  • implementing controls
  • monitoring performance
  • managing incidents and nonconformities
  • improving governance processes over time

For organisations operating in Europe, ISO 42001 can therefore provide a useful management system framework for organising AI governance activities and preparing for regulatory expectations.

How Organisations Implement ISO 42001

Implementing ISO 42001 typically involves several stages.

1
Understand your context

Identify the AI systems that are developed, provided, or used within the business and the internal and external issues that affect governance.

2
Determine your AI role

Establish whether your organisation acts as an AI provider, producer, customer, user, partner, or in multiple roles. This is essential as it affects responsibilities, interested parties, risks, and control applicability.

3
Define the scope of the AIMS

Set out which AI systems, business activities, teams, products, services, and locations are included within the management system.

4
Establish policy and governance

Establish an AI policy, assign responsibilities, and define governance arrangements across relevant teams.

5
Perform risk and impact assessments

Conduct AI risk assessments and AI system impact assessments to identify, analyse, and evaluate risks and potential consequences for individuals and society.

6
Implement controls

Determine and implement appropriate risk treatment options and Annex A controls based on context, roles, risks, and impacts.

7
Monitor, audit and review

Maintain documented information, monitor performance, conduct internal audits, and hold management reviews at planned intervals.

8
Continually improve

Address nonconformities, implement corrective actions, and continually improve the suitability, adequacy, and effectiveness of the AIMS.

Key Takeaways

ISO/IEC 42001 provides a structured framework for governing artificial intelligence systems. The standard requires organisations to establish an AI Management System that addresses governance, leadership, planning, support, operation, performance evaluation, and improvement.

A core requirement is understanding the organisation's role in relation to AI systems. This role determination affects the scope of the AIMS, the needs of interested parties, the risk and impact assessment process, and the applicability of Annex A controls.

ISO 42001 also requires organisations to assess both AI risks and AI system impacts — considering not only organisational risks, but also potential consequences for individuals, groups of individuals, and society. Annex A provides reference controls, but organisations must determine which controls are necessary based on their context, risks, impacts, and AI roles.

Frequently Asked Questions

What are the main requirements of ISO 42001?

ISO 42001 requires organisations to establish, implement, maintain, and continually improve an AI Management System. This includes understanding organisational context, determining AI roles, defining scope, establishing leadership and policy, assessing AI risks and impacts, implementing controls, monitoring performance, conducting audits, and continually improving the system.

Is ISO 42001 similar to ISO 27001?

Yes. ISO 42001 follows a management system structure similar to ISO 27001 and ISO 9001. However, ISO 27001 focuses on information security, while ISO 42001 focuses on governance and risk management for AI systems.

Does ISO 42001 apply to organisations that only use AI tools?

Yes. ISO 42001 can apply to organisations that use AI tools, including third-party AI services. These organisations may still need governance processes to manage risks, define acceptable use, oversee suppliers, assess impacts, and ensure AI systems are used responsibly.

Why is determining the organisation's AI role important?

Determining the organisation's role is essential because it affects the applicability and extent of applicability of ISO 42001 requirements and controls. An organisation may act as an AI provider, producer, customer, user, partner, or in multiple roles at once.

What is the difference between AI risk assessment and AI system impact assessment?

AI risk assessment focuses on identifying, analysing, and evaluating risks that may affect AI objectives and create consequences for the organisation, individuals, or society. AI system impact assessment focuses specifically on the potential consequences of the development, provision, or use of AI systems for individuals, groups of individuals, and society.

Does ISO 42001 help with EU AI Act compliance?

ISO 42001 is not a legal requirement under the EU AI Act and does not automatically ensure compliance. However, it can support EU AI Act readiness by helping organisations identify AI systems, determine roles, assess risks and impacts, document governance decisions, implement controls, and monitor AI systems over time.

What is Annex A in ISO 42001?

Annex A contains reference control objectives and controls that support AI governance. Organisations use Annex A when determining appropriate controls for AI risk treatment. They must justify which controls are included or excluded through a Statement of Applicability.

Is ISO 42001 certification available?

Yes. Organisations can seek certification to ISO 42001 where they have implemented an AI Management System that meets the requirements of the standard and is assessed by an accredited certification body.

Ready to implement ISO 42001?

Adoptech helps organisations establish and certify their AI Management System efficiently — combining intelligent automation with UK-based compliance specialists who guide you through every clause.

Talk to our team
Artificial intelligence (AI)

Further articles