What is ISO 42001?
ISO/IEC 42001:2023 is the world’s first international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, it provides a framework for organisations to responsibly develop, deploy and use AI systems. Similar in structure to ISO 27001 (information security) and ISO 9001 (quality management), ISO 42001 enables organisations to demonstrate that their AI systems are managed ethically, transparently and with appropriate risk controls.
As AI regulation accelerates globally — with the EU AI Act, US AI Executive Order and emerging national frameworks — ISO 42001 provides a practical, certifiable path to demonstrating responsible AI governance.
| Attribute | Detail |
|---|---|
| Standard body | ISO/IEC — International Organization for Standardization and International Electrotechnical Commission |
| Current version | ISO/IEC 42001:2023 (December 2023) |
| Mandatory or voluntary | Voluntary — not a legal requirement in any jurisdiction, but its requirements and controls support compliance with EU AI Act obligations |
| Certifiable | Yes — third-party certification of the management system is available; a certificate attests to the organisation's AI governance processes, not to the safety, accuracy or fairness of any individual model or system |
| Geography | Global |
| Official resource | https://www.iso.org/standard/81230.html |
Key Requirements of ISO 42001
| Requirement | Description |
|---|---|
| AI policy | Establish and maintain a policy for responsible AI development and use — covering ethical principles, human oversight and risk appetite |
| AI risk assessment | Identify and assess risks associated with AI systems — including bias, transparency, safety, security and privacy risks — against defined risk criteria |
| AI risk treatment | Select and implement controls to treat the assessed risks, using Annex A as the reference control set, and record which controls apply (and why any are excluded) in a Statement of Applicability |
| AI system impact assessment | Assess the intended and unintended impacts of AI systems on individuals, society and the environment |
| Data governance for AI | Establish controls for data quality, data provenance, training data management and bias mitigation |
| Human oversight | Define the degree of human oversight required for different AI applications based on risk level |
| Transparency and explainability | Document and communicate how AI systems make decisions — to the degree possible given the technology |
| Incident management for AI | Establish processes for identifying, reporting and responding to AI-related incidents — including model failures and unexpected outputs |
| Continual improvement | Monitor AI system performance over time and improve the AIMS through regular review and audit |
ISO 42001 and the EU AI Act
The EU AI Act entered into force on 1 August 2024 and establishes risk-based obligations for AI systems placed on the EU market, with most obligations for high-risk systems applying from August 2026. Several of those obligations map closely onto ISO 42001: the Act's requirements for a risk management system (Article 9), data governance (Article 10), transparency (Article 13), human oversight (Article 14) and a quality management system (Article 17) for providers of high-risk AI systems all have counterparts in the AIMS clauses and Annex A controls. An organisation certified to ISO 42001 will therefore already hold much of the process and evidence that an AI Act conformity assessment asks for. Two caveats apply. First, ISO 42001 is not a harmonised standard under the AI Act: presumption of conformity comes only from harmonised standards developed by CEN/CENELEC under the European Commission's standardisation request, so ISO 42001 certification does not by itself demonstrate legal compliance. Second, ISO 42001 certifies the management system, not any individual AI system, so system-level obligations such as technical documentation, conformity assessment and CE marking still have to be met separately.
Securitora Assessment
ISO 42001 is the most important new framework of the 2020s. As AI adoption accelerates and regulation follows, organisations that establish a structured AI management system now will have a significant advantage — both in managing real risks and in demonstrating responsible AI governance to customers, regulators and investors. For any organisation developing, deploying or using AI systems in regulated contexts, ISO 42001 certification will become table stakes within the next three to five years.
| Recommended for | Any organisation developing, deploying or using AI systems — especially in regulated industries |
| Difficulty to implement | Medium — familiar structure for ISO 27001 practitioners but requires AI-specific expertise |
| Best used with | ISO 27001 · EU AI Act · NIST AI RMF |
| Official resource | https://www.iso.org/standard/81230.html |