AIRiskAware
Standard Reference · Updated 2026

What Is ISO 42001?

ISO/IEC 42001:2023 is the international standard for AI management systems, published by the International Organization for Standardization in December 2023. It provides a structured framework for organisations to establish, implement, maintain, and continuously improve responsible AI governance, regardless of the type or scale of AI they use.

Key point: ISO 42001 is a management system standard, not a technical standard. It specifies what governance processes, policies, and accountability structures an organisation should have, not how to build an AI model. The target audience is the organisation managing AI, not the data scientist building it.

What ISO 42001 covers

The standard follows the same ten-clause high-level structure as ISO 27001 and ISO 9001, covering:

Clauses 1-3 (Scope, references, definitions): Defines what the standard covers and key AI governance terms.

Clause 4 (Context of the organisation): Understanding internal and external context; identifying interested parties and their AI-related expectations.

Clause 5 (Leadership): Top management commitment; AI governance policy; roles and responsibilities.

Clause 6 (Planning): AI risk and opportunity assessment; AI objectives and planning to achieve them.

Clause 7 (Support): Resources; competence; awareness; communication; documented information.

Clause 8 (Operation): AI impact assessment; AI system lifecycle controls; data governance; supplier relationships.

Clause 9 (Performance evaluation): Monitoring and measurement; internal audit; management review.

Clause 10 (Improvement): Nonconformity and corrective action; continual improvement.

ISO 42001 vs EU AI Act

The two frameworks are complementary rather than equivalent. ISO 42001 provides the governance management system; the EU AI Act provides the legal compliance requirements. An organisation with ISO 42001 certification has strong AI governance, but still needs to assess and address EU AI Act obligations separately.

ISO 42001 provides

  • Management system framework
  • Internal governance structure
  • Voluntary certification
  • Applicable globally
  • Evidence of governance maturity

EU AI Act requires additionally

  • Conformity assessment for high-risk AI
  • EU AI database registration
  • Incident reporting to authorities
  • Fundamental rights impact assessment
  • CE marking for high-risk providers

Standard: ISO/IEC 42001:2023 · Last reviewed May 2026