ISO 42001 is the international standard for AI management systems (AIMS). Published in December 2023, it is the first certifiable framework for organisations that develop or deploy AI. For organisations deploying AI in the EU, it also provides a practical foundation for demonstrating alignment with the EU AI Act.
Here is what building a compliant AI Management System actually involves.
Scope comes first
Unlike ISO 27001, where scope is usually defined by the information processed, ISO 42001 scope is defined by the AI systems themselves. Every AI system in use needs to be identified, classified, and assigned an owner. That means building an AI inventory as step one. Without this inventory, every subsequent clause of the standard becomes theoretical.
The AI inventory is the single most important artefact of an ISO 42001 programme. An AIMS without it cannot withstand a serious audit.
The core clauses
Context (Clause 4). External and internal issues affecting AI outcomes — regulatory environment, stakeholder expectations, data ecosystem. For DACH organisations this includes alignment with the EU AI Act and the DSGVO (GDPR).
Leadership (Clause 5). AI policy, roles, and accountability. The management body must own AI governance, not delegate it to a data science team.
Planning (Clause 6). AI risk assessment and AI system impact assessment (AISIA). The AISIA is ISO 42001's flagship deliverable and the closest analogue to the EU AI Act's fundamental rights impact assessment.
Support (Clause 7). Competence, awareness, and documented information requirements across the AI lifecycle.
Operation (Clause 8). Operational planning and control, including the AI system impact assessment, data management, and lifecycle controls drawn from Annexes A and B.
Performance evaluation and improvement (Clauses 9 and 10). Monitoring, internal audit, management review, and corrective action — mirroring ISO 27001's high-level structure.
Where organisations with an existing ISMS have an advantage
ISO 42001 shares its management system structure with ISO 27001. If you already have a functioning ISMS, the Context, Leadership, Planning, Performance Evaluation, and Improvement clauses largely reuse existing processes. The unique work is in the AI-specific controls: the impact assessment methodology, data management controls across the AI lifecycle, and AI-specific risk treatment.
Typical timeline
For an organisation with a mature ISMS and a defined AI inventory, a realistic ISO 42001 programme runs six to nine months from scoping to certification-ready. Without an existing management system, expect twelve months minimum.