ISO/IEC 42001
What is ISO/IEC 42001?
The first international management-system standard for AI, published in December 2023, specifying requirements to establish, implement, maintain, and continually improve an AI Management System (AIMS) for organizations that develop or use AI.
ISO/IEC 42001:2023, 'Information technology — Artificial intelligence — Management system,' is the AI counterpart of ISO/IEC 27001. It defines requirements for an AI Management System (AIMS) covering scope, leadership, planning, support, operation, performance evaluation, and improvement, plus Annex A controls organized into governance, AI policies, internal organization, resources, AI-system lifecycle, data for AI, information for interested parties, use of AI, and third-party relationships. Adoption is driven both by regulators (the EU AI Act references ISO management standards as evidence of conformity for some risk-management obligations) and by enterprise customers asking AI vendors for assurance. Independent certification bodies began offering ISO 42001 certification audits in 2024, and several major AI vendors (Anthropic, AWS AI services) achieved certification through 2024–2025. The standard pairs well with ISO 27001 (for the security of the AIMS), ISO 27701 (privacy), and the NIST AI RMF (a non-prescriptive but compatible companion framework).
● Examples
- 01
An LLM vendor maps its model-evaluation, red-teaming, and incident-response programs to Annex A controls in pursuit of ISO/IEC 42001 certification.
- 02
An enterprise procurement team adds 'ISO/IEC 42001 certification or equivalent attestation' as a contractual requirement for any AI-platform vendor.
● Frequently asked questions
What is ISO/IEC 42001?
The first international management-system standard for AI, published in December 2023, specifying requirements to establish, implement, maintain, and continually improve an AI Management System (AIMS) for organizations that develop or use AI. It belongs to the Compliance & Frameworks category of cybersecurity.
What are other names for ISO/IEC 42001?
Common alternative names include: AIMS, AI Management System standard.
● Related terms
- compliance (№ 620)
ISO/IEC 27001
The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.
- ai-security (№ 031)
AI Governance
The policies, processes, roles, and controls organisations and regulators use to ensure AI systems are developed, deployed, and operated responsibly and lawfully.
- compliance (№ 817)
NIST AI Risk Management Framework (AI RMF)
NIST's voluntary framework for managing AI risks, published January 2023 (AI RMF 1.0) with a Generative AI Profile released in July 2024, organized around four Functions: Govern, Map, Measure, and Manage.
- compliance (№ 433)
EU AI Act
EU Regulation 2024/1689 establishing harmonised rules on artificial intelligence with a risk-based approach, phased in between 2025 and 2027.
- ai-security (№ 038)
AI Safety
The discipline that aims to prevent AI systems from causing unintended harm to users, operators, and society — covering technical, operational, and societal dimensions.
- ai-security (№ 029)
AI Bill of Materials (AIBOM)
A machine-readable inventory of every component that goes into an AI system — datasets, base models, fine-tuning data, libraries, prompts, and evaluation artifacts — used for security, compliance, and accountability.