New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

Back to frameworks
Responsible AI

ISO/IEC 42001 Artificial Intelligence Management System

The world's first certifiable management system standard for artificial intelligence – establishing, implementing, and continually improving responsible, trustworthy AI across its life cycle.

ISO/IEC 42001:2023 is the world's first certifiable management system standard for artificial intelligence. Published in December 2023, it gives organisations a structured, auditable way to develop, deploy, and use AI responsibly – managing the distinctive risks of AI (bias, opacity, drift, autonomy, and societal impact) alongside the benefits. AI is our specialty, and ISO 42001 is fast becoming the credential customers, boards, and regulators look for to know your AI is governed.

What ISO 42001 actually isLink to this section

ISO 42001 defines an AI Management System (AIMS) – the organisational scaffolding around your AI, not the models themselves. Like ISO 27001, it follows the Annex SL high-level structure (Clauses 4 to 10), so it integrates cleanly with an existing information security or quality management system. Certification is achieved through an accredited certification body via a two-stage audit, then maintained through surveillance audits.

Crucially, ISO 42001 is technology- and sector-neutral. It applies whether you build foundation models, fine-tune them, or simply consume third-party AI through an API – the standard scales the obligations to your role in the AI value chain.

The management system (Clauses 4–10)Link to this section

The certifiable rigour lives in the management clauses, and an auditor will expect to see all of them operating:

  • Clause 4 – Context of the organisation. Determine internal and external issues, the needs of interested parties, your role(s) in the AI value chain (developer, provider, user), and the scope of the AIMS.
  • Clause 5 – Leadership. Demonstrate top-management commitment, establish the AI policy, and assign roles and responsibilities for AI governance.
  • Clause 6 – Planning. Run an AI risk assessment and AI risk treatment, conduct AI system impact assessments, set objectives, and produce a Statement of Applicability justifying which Annex A controls apply.
  • Clause 7 – Support. Provide the resources, competence, awareness, communication, and documented information the AIMS needs.
  • Clause 8 – Operation. Operate the AI risk treatment and impact-assessment processes across the AI life cycle, and keep evidence.
  • Clause 9 – Performance evaluation. Monitor, measure, audit internally, and hold management reviews.
  • Clause 10 – Improvement. Manage nonconformities and corrective actions, and continually improve.

What makes ISO 42001 different – the AI-specific obligationsLink to this section

Two things set ISO 42001 apart from a general security standard, and they are where most organisations need expert help:

  • AI system impact assessments (Annex A.5). Beyond a risk assessment, ISO 42001 requires you to assess the impact of each AI system on individuals, groups, and society – fairness, safety, privacy, autonomy, and rights. This is the heart of responsible AI and a recurring audit focus.
  • The AI life cycle (Annex A.6). The standard expects responsible-AI controls woven through design, development, verification and validation, deployment, operation, and monitoring – including model documentation, evaluation and red-teaming, drift and bias monitoring, and event logging.

How it relates to other frameworksLink to this section

ISO 42001 is designed to complement, not replace, your other commitments. It harmonises with ISO 27001 (shared structure and an integrated management system), supports demonstrable alignment with the NIST AI Risk Management Framework, and provides a strong foundation for emerging regulation such as the EU AI Act and Australia's evolving AI guardrails. Certifying to ISO 42001 is one of the most credible ways to show a regulator and your customers that your AI is governed.

How our AI specialists helpLink to this section

We pair deep AI engineering experience with compliance rigour, so your AIMS is both genuinely responsible and certifiable. We help you:

  • Scope and govern. Define your role in the value chain, draft the AI policy, and stand up the governance function and RACI.
  • Assess risk and impact. Build a proportionate AI risk and impact-assessment process, and run the assessments for your real systems.
  • Engineer responsibly. Embed responsible-AI checkpoints into your SDLC and MLOps – model cards, evaluation suites, red-teaming, drift and bias monitoring, and event logging.
  • Govern data and suppliers. Implement data provenance, quality, and acquisition controls, and run AI-specific due diligence on your model and data providers.
  • Get audit-ready. Produce the Statement of Applicability and documentation set, run a mock audit, and stand beside you through Stage 1 and Stage 2 certification.

The table below maps every Annex A control in ISO/IEC 42001:2023 to how we help you implement it.

Annex A controls (ISO/IEC 42001:2023)

RefControlHow we help
A.2.2AI policyWe draft a board-endorsed AI policy that sets your organisation's stance on responsible AI – acceptable uses, risk appetite, human oversight, and accountability – written to be auditable, not aspirational.
A.2.3Alignment with other organisational policiesWe reconcile your AI policy with existing privacy, security, data governance, and HR policies so there are no contradictions for an auditor to find.
A.2.4Review of the AI policyWe establish a scheduled review cycle so the policy keeps pace with new models, regulations, and use cases, with version history and sign-off captured.

A.3 Internal organisation

RefControlHow we help
A.3.2AI roles and responsibilitiesWe define a clear RACI for AI governance – owners for each AI system, an oversight function, and escalation paths – and embed it in position descriptions.
A.3.3Reporting of concernsWe stand up a low-friction, no-blame channel for staff and users to raise AI concerns (bias, unexpected behaviour, misuse), with triage and feedback loops.

A.4 Resources for AI systems

RefControlHow we help
A.4.2Resource documentationWe help you inventory and document the resources each AI system depends on – data, tooling, compute, and people – so dependencies and risks are visible.
A.4.3Data resourcesWe document the datasets behind each system – source, licensing, sensitivity, and intended use – and tie them to your data governance controls.
A.4.4Tooling resourcesWe catalogue the frameworks, libraries, MLOps platforms, and model providers in use, with their versions and security posture, so the toolchain is governed.
A.4.5System and computing resourcesWe document compute and infrastructure (including third-party model APIs and GPUs), capacity, and the environmental footprint where that matters to your stakeholders.
A.4.6Human resourcesWe define the competencies needed across the AI life cycle and build a training and assurance plan so the right people own the right decisions.

A.5 Assessing impacts of AI systems

RefControlHow we help
A.5.2AI system impact assessment processWe design a repeatable AI impact assessment process – proportionate to risk – that becomes the backbone of your responsible-AI programme and your evidence trail.
A.5.3Documentation of AI system impact assessmentsWe provide impact assessment templates and run the assessments with you, documenting risks, mitigations, and residual risk for each system.
A.5.4Assessing AI system impact on individuals or groupsWe assess impacts on individuals and groups – fairness, bias, safety, privacy, and rights – using structured testing and stakeholder analysis, not assumptions.
A.5.5Assessing societal impacts of AI systemsWe help you evaluate broader societal effects (environmental, economic, and community) where your AI's reach warrants it, and document the reasoning.

A.6 AI system life cycle

RefControlHow we help
A.6.1.2Objectives for responsible development of AI systemsWe translate your AI principles into concrete, measurable development objectives – fairness, robustness, explainability, security – so "responsible" is testable.
A.6.1.3Processes for responsible design and developmentWe embed responsible-AI checkpoints into your SDLC and MLOps pipeline, so governance happens by default at each stage rather than as a final gate.
A.6.2.2AI system requirements and specificationWe help you capture functional and non-functional requirements up front – including performance, fairness, safety, and human-oversight requirements.
A.6.2.3Documentation of AI system design and developmentWe produce model cards and design documentation that record architecture, training approach, assumptions, and known limitations for each system.
A.6.2.4AI system verification and validationWe design evaluation suites, benchmarks, and red-teaming to verify each system meets its requirements before release, with results retained as evidence.
A.6.2.5AI system deploymentWe define deployment criteria, sign-off gates, and rollback plans so systems go live only when they meet your responsible-AI bar.
A.6.2.6AI system operation and monitoringWe implement live monitoring for performance, drift, bias, and misuse, with alerting and a defined response so issues are caught in production.
A.6.2.7AI system technical documentationWe maintain technical documentation suitable for auditors, regulators, and customers – covering data, models, evaluations, and operational controls.
A.6.2.8AI system recording of event logsWe define what each AI system must log – inputs, outputs, decisions, and human interventions – to support traceability, investigation, and accountability.

A.7 Data for AI systems

RefControlHow we help
A.7.2Data for development and enhancement of AI systemsWe govern the data used to build and improve models, with documented selection criteria and a clear line back to its intended purpose.
A.7.3Acquisition of dataWe help you acquire data lawfully and ethically – checking licensing, consent, and privacy obligations – and record the basis for each source.
A.7.4Quality of data for AI systemsWe define and measure data quality (accuracy, completeness, representativeness) so model behaviour is built on a sound, documented foundation.
A.7.5Data provenanceWe implement provenance tracking so the origin and transformation history of training and operational data is verifiable end to end.
A.7.6Data preparationWe document preparation steps – cleaning, labelling, augmentation, and splitting – so the path from raw data to training set is transparent and reproducible.

A.8 Information for interested parties

RefControlHow we help
A.8.2System documentation and information for usersWe write clear user-facing documentation – capabilities, limitations, and safe-use guidance – so users understand what the AI can and cannot do.
A.8.3External reportingWe help you meet external reporting and transparency expectations, including regulator-facing disclosures, with content that is accurate and defensible.
A.8.4Communication of incidentsWe build AI incident communication procedures so affected parties and authorities are informed appropriately and on time when something goes wrong.
A.8.5Information for interested partiesWe map your interested parties (users, regulators, affected groups, partners) and define what information each needs to maintain trust.

A.9 Use of AI systems

RefControlHow we help
A.9.2Processes for responsible use of AI systemsWe define operational processes and human-oversight controls for using AI responsibly day to day, including when a human must stay in the loop.
A.9.3Objectives for responsible use of AI systemsWe set measurable objectives for responsible use and monitor against them, so responsible use is managed rather than assumed.
A.9.4Intended use of the AI systemWe document each system's intended use and explicit out-of-scope uses, and put guardrails in place to detect and prevent misuse.

A.10 Third-party and customer relationships

RefControlHow we help
A.10.2Allocating responsibilitiesWe map responsibilities across the AI value chain – who is accountable for what between you, your model providers, and your customers – and document it.
A.10.3SuppliersWe run AI-specific supplier due diligence on model and data providers, covering their controls, evaluations, and contractual commitments.
A.10.4CustomersWe help you set and communicate customer-facing terms, acceptable-use rules, and support arrangements for the AI capabilities you provide.

Need help with compliance?

From ISO 27001 readiness to SOC 2 audits, we help teams build practical programs that satisfy assessors and work in the real world.