What ISO 42001 actually is
ISO/IEC 42001:2023 is the international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, it is the first globally recognised framework specifically designed to help organisations govern their AI use in a systematic, auditable, and improvable way.
The standard follows the same high-level structure as ISO 27001 and ISO 9001, a familiar architecture for organisations with existing management system experience. For others, the structure is logical and well-documented. Critically, ISO 42001 is a management system standard, not a technical standard: it specifies organisational structures, processes, policies, and controls, not algorithms or model architectures.
What ISO 42001 requires
Context and scope: Define which AI systems and business processes are covered. Understand your regulatory environment, stakeholder expectations, and specific AI-related risks.
Leadership and governance: Top management must approve an AI policy, assign roles and responsibilities, and integrate AI governance into business decision-making, not delegate it entirely to a technical team.
Planning: A systematic process for identifying and assessing AI risks and impacts: technical risks, impacts on affected individuals, and broader societal implications. Objectives must be defined, with plans to achieve them.
Operation: The actual controls for managing AI throughout its lifecycle: design, procurement, deployment, monitoring, and decommissioning. Annex A provides a detailed control set covering data governance, AI system impact assessment, transparency measures, and human oversight.
Performance evaluation and improvement: Internal audits, management review, and continuous improvement. The system must be monitored and improved, not implemented once and left static.
ISO 42001 vs EU AI Act
The EU AI Act is legislation: compliance is mandatory for in-scope organisations, with penalties for non-compliance. ISO 42001 is a voluntary management system standard. Certification is optional, but it provides evidence of systematic governance that supports EU AI Act conformity assessment, satisfies procurement requirements, and demonstrates good faith to regulators.
For organisations subject to the EU AI Act's high-risk requirements, ISO 42001 implementation provides much of the infrastructure required for conformity assessment. Implementing both together is more efficient than treating them as separate projects.
A practical implementation roadmap
Phase 1 (weeks 1-4): Define scope, conduct gap assessment, secure leadership commitment, appoint an AIMS owner.
Phase 2 (weeks 5-8): Draft and approve an AI policy. Establish a risk assessment process. Conduct an AI system inventory and apply risk assessment to each system.
Phase 3 (weeks 9-16): Implement Annex A controls relevant to your scope. Priority areas: AI impact assessment, data quality and governance, transparency measures, human oversight mechanisms, incident reporting.
Phase 4 (weeks 17-20): Internal audit against the standard. Implement corrective actions. Conduct management review.
Phase 5 (optional): Engage an accredited certification body for Stage 1 (documentation review) and Stage 2 (implementation evidence) audits. Certification is valid for three years with annual surveillance audits.
Common mistakes
The most common is over-engineering: building a documentation system that satisfies the letter of the standard but creates so much administrative burden that it is not actually used. ISO 42001 requires evidence of systematic practice, not thousands of pages of documentation.
The second is treating ISO 42001 as an IT project. It requires active ownership by business leadership, not just the technology team.
The third is scope creep: attempting to bring all AI use into scope simultaneously. A well-defined, well-implemented AIMS covering a meaningful subset of systems is better than a superficial implementation claiming universal scope.