ISO/IEC 42001, AI management system standard
ISO/IEC 42001 is the first international standard for AI management systems. Know what an accredited certification actually attests to before you rely on it.
ISO/IEC 42001:2023, published on 18 December 2023, is the first international standard defining requirements for an artificial intelligence management system (AIMS). It is a certifiable standard: an accredited certification body can audit an organisation against the requirements and issue a certificate valid for a defined period, typically three years with annual surveillance. For AI procurement, ISO/IEC 42001 is emerging as the closest equivalent to what ISO/IEC 27001 became for information security, a structured, auditable baseline that a provider either has or does not. The certificate itself, however, attests to how the organisation manages its AI work, not to properties of any specific AI system it ships.
What ISO/IEC 42001 is and how it is structured
ISO/IEC 42001 follows the harmonised structure that ISO uses for all modern management system standards (Annex SL). That means it shares its top-level architecture with ISO/IEC 27001 (information security), ISO 9001 (quality), and ISO 14001 (environmental management): context, leadership, planning, support, operation, performance evaluation, and improvement. An organisation already certified against one of those standards can extend its management system to cover AI without rebuilding the underlying framework.
The core requirements ask an organisation to define the context in which it uses or develops AI, identify interested parties, assess AI-specific risks and impacts, establish an AI policy with leadership commitment, define objectives and controls, allocate resources and competence, operate the system under documented procedures, monitor performance, and continually improve. Annex A of the standard lists 38 reference controls covering topics such as policies for AI development, AI risk assessment, data quality, human oversight, transparency to users, third-party relationships, and lifecycle management. The controls are not mandatory in the ISO 27001 sense; the organisation selects controls appropriate to its risk assessment and documents the rationale in a Statement of Applicability equivalent.
The standard is complemented by ISO/IEC 23894:2023 (AI risk management guidance) and ISO/IEC 22989:2022 (AI concepts and terminology). Together they form a coherent reference set: 42001 is the auditable management system, 23894 is the risk methodology it draws on, 22989 is the shared vocabulary.
Certification against ISO/IEC 42001 requires an audit by a body accredited under an ISO/IEC 17021-1 scheme. As of 2026, accreditation for 42001 is being rolled out by national accreditation bodies gradually, some certificates in the market have been issued by bodies that are not yet accredited for 42001 specifically. That distinction matters: an unaccredited certificate is a document a certification body issued, but its equivalence to the market baseline is undefined.
What it means for buyers commissioning AI builds
An ISO/IEC 42001 certificate on a provider signals that the organisation has an AI management system: an AI policy, a documented risk-assessment process, defined controls, evidence that the system operates and is periodically reviewed. It says nothing directly about the properties of any specific AI system the provider ships. A provider certified against 42001 may still ship a model that is inaccurate, biased, or non-compliant with EU AI Act obligations, the certificate covers management practice, not system outcomes.
That said, 42001 is a useful procurement filter for a different reason: the requirements it imposes on the provider (documented risk assessments, defined competence, records of decisions) produce artefacts that a buyer can request during due diligence. A provider running an AI project under a 42001-compliant AIMS can be asked to show the AI risk assessment for the project, the control selections, and the operating records. A provider without any management system typically cannot.
For procurement in regulated sectors, treat 42001 as a management-system baseline that complements, not replaces, sector-specific verification: EU AI Act risk-tier classification for European systems, HIPAA Business Associate coverage for US healthcare, SOC 2 for operational security, GDPR data-processing agreements for personal data. A 42001 certificate does not substitute for any of these.
Questions that separate certified from theatre-certified
The value of an ISO/IEC 42001 certificate depends heavily on the accreditation status of the issuing body, the scope of the certification, and how integrated the AIMS is with the organisation's actual delivery work. A certificate covering an isolated internal AI use case is not the same as one covering the provider's commercial AI-implementation practice. A certificate issued by an unaccredited body is not equivalent to one issued by an accredited body. The questions below surface the difference.
How Trustgent's verification relates
Trustgent's provider profiles include an ISO/IEC 42001 readiness attribute. At L2 cross-reference level and above, the attribute is checked against evidence outside the provider's own marketing: the accredited certification body's public register, references to 42001 in client-side documentation, or third-party publications that describe the certification scope. We do not perform 42001 audits (that is the certification body's role) but we do distinguish, using our verification spectrum, between a provider who claims 42001 readiness and one whose claim is corroborated.
Procurement checklist
Before treating a provider's ISO/IEC 42001 certificate as procurement evidence, confirm:
Accreditation status of the certification body
Ask which certification body issued the certificate and confirm that body is accredited for ISO/IEC 42001 (not only for a related standard such as 27001) by a member of the International Accreditation Forum. An unaccredited certificate has undefined market equivalence.
Scope statement
Every ISO management system certificate names a scope. Read it. A scope limited to the provider's internal AI use is not equivalent to one covering the AI-implementation services they sell you. Ask for a certificate copy that includes the scope statement.
Statement of Applicability equivalent
The provider selects which of Annex A's controls apply, with justification. Ask to see the document that records those selections. A provider who has done real 42001 work can produce it; a provider who ticked a box during a paper audit typically cannot.
AI risk assessment for your project
A 42001 AIMS requires a documented AI risk assessment per AI system. Ask the provider to walk you through the risk assessment they would produce for the project you are commissioning. The specificity of the answer maps directly to whether the management system is operating.
Surveillance audit history
42001 certificates are typically valid for three years with annual surveillance audits. Ask when the last surveillance audit was and whether there were any nonconformities raised. A recent surveillance audit with documented follow-up is stronger evidence than a fresh certificate alone.
How Trustgent's verification relates
Trustgent's earned-verification model treats ISO/IEC 42001 as a management-system signal, not as a substitute for AI system verification. At L2 and above, a claimed 42001 attribute is checked against evidence the provider does not control, an accredited body's public register, client-side references, third-party citations. We do not issue certifications; we distinguish evidenced attributes from unevidenced ones.
Buyer questions
- What is ISO/IEC 42001?
- ISO/IEC 42001:2023 is the international standard for artificial intelligence management systems, published in December 2023. It defines requirements for an organisation to establish, implement, maintain, and continually improve a management system for the development and use of AI. It is certifiable through accredited certification bodies.
- Is ISO/IEC 42001 a legal requirement?
- No. ISO/IEC 42001 is a voluntary international standard. However, it is increasingly cited in procurement specifications, referenced by national AI policy frameworks, and expected to feature in supervisory guidance for regulated sectors adopting AI.
- What is the difference between ISO/IEC 42001 and ISO/IEC 27001?
- ISO/IEC 27001 covers information security management. ISO/IEC 42001 covers AI management. They share the harmonised Annex SL structure, so an organisation certified against 27001 can extend its management system to add 42001 coverage, but the controls and risk considerations are AI-specific.
- Does a 42001 certificate mean an AI system is safe or unbiased?
- No. The certificate confirms that the organisation has a management system for AI: an AI policy, a documented risk-assessment process, defined controls, operating records. It does not attest to properties of any specific AI system, such as accuracy, fairness, or compliance with sector-specific regulation.
- How long does a 42001 certificate remain valid?
- Certificates issued under an accredited scheme are typically valid for three years, with annual surveillance audits during the cycle and a full recertification audit at the end of the cycle. Between audits, the certificate can be suspended or withdrawn if surveillance findings warrant it.
- Should I require ISO/IEC 42001 from every AI provider?
- Not universally. For engagements involving significant AI-related risks (regulated sectors, high-impact use cases, systems processing sensitive data at scale), 42001 is a proportionate procurement baseline. For narrower engagements, other verification signals may be sufficient. Match the requirement to the risk of the engagement.
Editorial guidance, not legal advice. Trustgent is a verified reference index, not a legal adviser. Consult a qualified practitioner for advice specific to your circumstances. Official source: ISO/IEC 42001:2023 (iso.org).