<img src="https://www.visionary-agile24.com/801599.png" style="display:none;">

What is ISO 42001 and does your organisation need it?

by Aaron Flack on Jul 1, 2026

<span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text" >What is ISO 42001 and does your organisation need it?</span>

What is ISO 42001 and does your organisation need it? | Conosco
15:46

ISO/IEC 42001 is the international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023 by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), it is the first certifiable global standard for AI governance. The standard applies to any organisation that develops, deploys, or uses AI systems and covers AI-related risk management, transparency, human oversight, and data governance. Certification is voluntary. The standard follows the same Plan-Do-Check-Act methodology as ISO 27001, and organisations already certified to ISO 27001 have significant governance infrastructure already in place that carries directly across to ISO 42001 compliance.


ISO/IEC 42001 is the first international standard for AI management systems

Before December 2023, organisations implementing AI faced a fragmented picture: internal governance policies, voluntary frameworks from national regulators, and guidance from bodies such as the National Institute of Standards and Technology (NIST). None of these were internationally certifiable. ISO/IEC 42001 changed that.

Published jointly by ISO and IEC, the standard establishes a formal management system for AI governance. Unlike a checklist or a set of recommendations, a management system creates a continuous accountability structure: defined policies, assigned responsibilities, risk assessment processes, internal audit requirements, and management review cycles. Organisations can be independently audited against it, and certification is issued by an accredited certification body.

The problem ISO/IEC 42001 addresses is specific. AI systems introduce a category of risk that existing information security and data protection frameworks do not fully cover: the risk of opaque automated decision-making, insufficient human oversight, AI model failure in production, and the downstream effects on individuals and regulated processes. ISO 27001 addresses what happens to data. ISO 42001 addresses what happens when an AI system uses that data to reach a conclusion that affects people, processes, or regulated outcomes.

The standard does not mandate which AI tools an organisation can use, nor does it specify technical architecture. It establishes the governance layer: who is accountable, how AI systems are inventoried and assessed for risk, what controls exist, how transparency obligations are met, and what management review looks like in practice.


What ISO/IEC 42001 covers

The standard is structured across ten clauses, following the same high-level structure used by ISO 27001 and ISO 9001. Clauses one to three cover scope, normative references, and definitions. The substantive requirements begin at clause four and run through to clause ten, covering: the organisational context and stakeholder expectations that shape the AI management system; leadership commitment and policy; planning, including AI-related objectives and risk treatment; operational controls; performance evaluation through internal audit and management review; and continual improvement.

Annex A contains a set of controls drawn from the framework, covering areas including AI system impact assessment, data governance for AI, transparency and explainability, human oversight mechanisms, and supplier controls where third-party AI is used. Annex B provides additional implementation guidance.

The Plan-Do-Check-Act cycle runs throughout: policies and risk treatments are planned, implemented, monitored and reviewed on an ongoing basis. This is not a one-off compliance exercise. Like ISO 27001, certification requires demonstrated operational effectiveness, not only documented intent.


Who should consider ISO/IEC 42001

The standard applies to any organisation that develops, deploys, or uses AI systems. In practice, that covers a broader population than many leadership teams initially assume.

AI developers and those building proprietary AI tools sit in the most obvious category. But the scope extends to organisations that deploy AI in their operations without building it. An organisation using Microsoft Copilot for summarising client communications, applying AI-powered analytics to financial data, or running automated decision tools in onboarding or compliance workflows is, by the definitions ISO/IEC 42001 uses, within the scope of the governance principles the standard establishes.

Regulated sectors face additional considerations. Financial services firms using AI in credit assessment, fraud detection, or client-facing advice workflows are subject to existing obligations around model governance, explainability, and audit trails under Financial Conduct Authority (FCA) supervisory expectations. Legal practices using AI to review contracts, identify precedents, or assist with compliance research carry professional obligations around accuracy, oversight, and client data protection. For these organisations, ISO/IEC 42001 provides a structured, auditable framework that aligns with regulatory direction rather than running parallel to it.

Procurement pressure is also a practical driver. Enterprise clients, public sector bodies, and insurers are increasingly including AI governance questions in vendor security questionnaires and tender requirements. Organisations that hold ISO 42001 certification can respond with documented evidence rather than policy assertions.

Conosco's AI governance advisory work helps organisations assess their current AI use, identify governance gaps, and plan a path to certification that reflects how AI is actually being used in the business rather than how it might be used in theory.


ISO 42001 integrates directly with existing ISO 27001 and information security governance

Organisations already certified to ISO 27001 are in a significantly stronger position when approaching ISO/IEC 42001 than those starting from scratch.

The structural similarities are deliberate. Both standards use the same high-level structure, which means the management system architecture, the scope definition process, the risk assessment methodology, the internal audit process, and the management review cycle are already established. Much of the policy and procedure documentation that ISO 27001 requires carries directly across. The Statement of Applicability process is familiar. The documented evidence of management commitment, operational controls, and continual improvement already exists in a form that ISO 42001 auditors will recognise.

What ISO/IEC 42001 adds is the AI-specific layer: an AI system inventory, AI-specific risk assessments, controls addressing transparency, human oversight, and data governance in the context of AI use, and supplier assessments where AI capabilities are sourced from third parties. For an ISO 27001-certified organisation, these additions represent significantly less additional work than they would for an organisation building governance from the ground up.

This integration point is particularly relevant for organisations in financial services and professional services that hold ISO 27001 as a condition of client contracts or tender eligibility. Adding ISO 42001 to an existing certification programme is a more manageable step than the initial ISO 27001 journey, and the combined certification position is increasingly the standard that enterprise procurement teams expect from technology and professional services suppliers.


What the certification process involves

ISO/IEC 42001 certification follows a two-stage audit process conducted by an accredited certification body.

Stage 1 is a documentation review. The auditor assesses whether the organisation has established the required policies, procedures, AI system inventory, risk assessments, and management review records. The output is a gap report identifying areas that need to be addressed before Stage 2.

Stage 2 is an operational effectiveness audit. The auditor tests whether the management system is working in practice: whether controls are implemented as documented, whether the AI risk assessment reflects actual AI use in the business, whether internal audits have been conducted, and whether management review has taken place. Certification is awarded when the Stage 2 audit is satisfied.

Once certified, the three-year certificate cycle includes annual surveillance audits and a full recertification audit at year three. This mirrors the ISO 27001 cycle and means the governance infrastructure must remain operational rather than being maintained only at certification points.

The timeline from readiness assessment to certification depends on the organisation's starting position, the complexity of its AI use, and whether ISO 27001 certification is already in place. Organisations with an existing ISO 27001 management system typically complete the ISO 42001 process faster because the governance foundations are already built. A readiness assessment will give a more reliable projection than any general estimate, and it will also identify the specific gaps that need to close before a formal audit is viable.


Frequently asked questions

What is ISO/IEC 42001?

ISO/IEC 42001 is the international standard for Artificial Intelligence Management Systems (AIMS), published jointly by ISO and IEC in December 2023. It is the first certifiable global standard for AI governance and applies to organisations that develop, deploy, or use AI systems. The standard establishes requirements for AI-related risk management, transparency, human oversight, and data governance, structured around the Plan-Do-Check-Act management system methodology. Certification is voluntary and issued by an accredited third-party certification body. Full details of Conosco's ISO standards support are available on the solutions page.

Is ISO 42001 mandatory?

Certification is voluntary. No current UK regulation requires ISO/IEC 42001 certification as a legal obligation. However, FCA-regulated firms, legal practices, and organisations supplying enterprise clients or public sector bodies are already encountering AI governance questions in vendor assessments and security questionnaires, and ISO 42001 certification provides documented evidence in response to those requests. As AI regulation develops in the UK and across the EU, the bar for evidencing responsible AI use is likely to rise. Organisations that build the governance framework now will be better positioned to respond to that shift than those that treat it as a future concern.

Which organisations need to consider ISO 42001?

Any organisation that uses, deploys, or builds AI systems handling sensitive data, operating in regulated sectors, or serving clients and partners who are themselves subject to AI governance requirements should assess their position. This includes organisations using AI tools in regulated workflows, organisations where AI-generated outputs influence commercial or compliance decisions, and organisations whose clients or insurers are beginning to include AI governance in procurement or underwriting criteria. The relevant question is not whether an organisation considers itself an "AI company" but whether AI is present in any process that carries risk, regulatory exposure, or client data.

Does ISO 42001 apply if we only use AI tools, not build them?

Yes. ISO/IEC 42001 covers AI users as well as AI developers. An organisation using Microsoft Copilot for summarising sensitive communications, applying AI-powered analytics in regulated financial workflows, or running automated decision tools in client-facing processes is in scope for the governance principles the standard establishes. The standard addresses the risk that arises from using AI, not only from building it. Human oversight obligations, transparency requirements, and data governance controls apply regardless of whether the AI capability was developed internally or sourced from a third-party provider.

How does ISO 42001 relate to ISO 27001?

ISO 27001 governs information security management. ISO/IEC 42001 governs AI management. The two standards are complementary and structurally similar: both use the same high-level framework, the same Plan-Do-Check-Act methodology, and overlapping requirements for risk assessment, internal audit, and management review. Organisations already certified to ISO 27001 can achieve ISO 42001 certification with significantly less additional work, because much of the policy, risk assessment, and management review infrastructure already exists. The AI-specific additions, including the AI system inventory, AI risk assessments, and transparency controls, build on rather than replace what ISO 27001 certification has already put in place.

What evidence does the certification audit require?

The audit requires an AI inventory listing the AI systems in use or under development, an AI risk assessment covering the risks associated with each system, documented policies addressing transparency, human oversight, and data governance in the context of AI use, evidence of management review, and records of internal audit. The two-stage process mirrors ISO 27001: Stage 1 reviews whether the documentation and framework exist, Stage 2 tests whether the management system is operating effectively in practice. Organisations that have been through an ISO 27001 audit will recognise the structure and evidence requirements.

How long does ISO 42001 certification take?

Timelines depend on the organisation's starting point, the complexity and volume of its AI use, and whether it already holds ISO 27001 certification. An organisation with an established ISO 27001 management system typically completes the ISO 42001 process faster because the governance infrastructure, documentation framework, and audit experience are already in place. An organisation starting without any formal management system in place will need longer to build the required foundation before a Stage 2 audit is viable. A readiness assessment is the most reliable way to get an accurate projection: it will identify exactly what exists, what needs to be built, and what the realistic path to certification looks like for that specific organisation.


Speak to Conosco about AI governance, ISO/IEC 42001 readiness and practical control planning.