ISO 42001
February 2026
ISO 42001 in practice: A first guide to building an AI Management System
By Swapna De., Managing Director, AuditVantage® GmbH
ISO/IEC 42001:2023 is the international standard for AI Management Systems (AIMS). It was published in December 2023 and is the first certifiable management system standard for organisations that develop, provide or use AI. For organisations deploying AI in the EU, it also provides a practical foundation for demonstrating EU AI Act alignment.
Here is what building a compliant AI Management System actually involves.
Scope comes first
Unlike ISO 27001, where scope is usually drawn around the information and processes an organisation protects, ISO 42001 scope is drawn around the AI systems themselves and the organisation's role for each of them (developer, provider, user). Every AI system in use needs to be identified, classified, and assigned an owner. That means building an AI inventory as step one. Without this inventory, every subsequent clause of the standard becomes theoretical.
The AI inventory is the single most important artefact of an ISO 42001 programme. An AIMS without it cannot withstand a serious audit.
The core clauses
Context (Clause 4). External and internal issues affecting AI outcomes, the regulatory environment, stakeholder expectations, and the data ecosystem. For DACH organisations this includes EU AI Act and GDPR (DSGVO) alignment.
Leadership (Clause 5). AI policy, roles, and accountability. The management body must own AI governance, not delegate it to a data science team.
Planning (Clause 6). AI risk assessment and AI system impact assessment (AISIA). The AISIA is ISO 42001's flagship deliverable and the closest analogue to the EU AI Act's fundamental rights impact assessment (Article 27).
Support (Clause 7). Competence, awareness, and documented information requirements across the AI lifecycle.
Operation (Clause 8). Operational planning and control, including performing the AI system impact assessment, data management, and lifecycle controls selected from Annex A, with Annex B providing the implementation guidance for those controls.
Performance evaluation and improvement (Clauses 9-10). Monitoring, internal audit, management review, corrective action, mirroring ISO 27001's high-level structure.
Where organisations with an existing ISMS have an advantage
ISO 42001 shares its management system structure with ISO 27001. If you already have a functioning ISMS, the Context, Leadership, Planning, Performance Evaluation, and Improvement clauses largely reuse existing processes. The unique work is in the AI-specific controls: the impact assessment methodology, data management controls for the AI lifecycle, and AI-specific risk treatment.
Typical timeline
For an organisation with a mature ISMS and an AI inventory already in place, a realistic ISO 42001 programme runs six to nine months from scoping to certification-ready. Without an existing management system, expect twelve months at minimum.
Frequently asked questions
Related questions on this topic, answered from the audit chair.
How is ISO 42001 different from ISO 27001?
ISO/IEC 42001:2023 is the AI Management System standard. ISO/IEC 27001:2022 is the Information Security Management System standard. They share the Harmonized Structure (Annex SL) at the clause level, but the Annex A controls differ entirely. ISO 42001 controls focus on the AI lifecycle: impact assessment, data governance for AI, transparency to users, monitoring of AI behaviour. ISO 27001 controls focus on protecting information assets generally.
Is ISO 42001 certification mandatory?
No. ISO 42001 certification is voluntary. The EU AI Act sets the legal obligations for AI systems placed on the EU market or used within the EU. ISO 42001 provides a management system structure that supports compliance with the substantive obligations in the EU AI Act, but it is not itself a legal requirement. For enterprise procurement, however, ISO 42001 is rapidly becoming a de facto expectation.
Does ISO 42001 cover GPAI obligations?
Partially. ISO 42001 provides governance structure for AI systems generally, including data quality, transparency, risk management, and post-deployment monitoring. These map to many of the obligations on providers of general-purpose AI models under EU AI Act Articles 53 to 55. ISO 42001 does not, however, replace the specific GPAI technical documentation and transparency requirements or the systemic-risk obligations. Providers of GPAI models with systemic risk have additional obligations (Article 55) that ISO 42001 alone does not fulfil.
Can I run ISO 42001 alongside ISO 27001?
Yes. The Harmonized Structure makes integration straightforward. Most organisations operating both standards run them as an integrated management system: shared governance, shared internal audit programme, shared management review, with AI-specific risk treatment and Annex A controls layered on top of the existing ISMS. Integration reduces the total effort substantially compared to operating two parallel management systems.
How much does ISO 42001 implementation cost?
Cost depends on the size of your AI footprint, whether you are starting from an existing ISO 27001 baseline, and the complexity of your AI systems. For an organisation with mature ISO 27001 and a focused AI scope, ISO 42001 implementation is typically a fraction of the original ISO 27001 effort. For organisations starting both standards from scratch with substantial AI operations, the cost is higher and the timeline longer.
How long is the ISO 42001 implementation timeline?
Organisations with a mature ISO/IEC 27001 ISMS typically reach ISO 42001 audit readiness in six to twelve months from the start of AI system inventory work. Organisations starting both standards from scratch typically take twelve to eighteen months. The variable is rarely the management system itself; it is the AI system inventory and impact assessment work that precedes it.