ISO/IEC 42001 explained: the first AI management standard
The first international standard for managing AI responsibly: what it requires, how it is structured and where to start.
ISO/IEC 42001:2023 is the first international standard that defines an Artificial Intelligence Management System (AIMS). Published in late 2023, it sets the requirements for an organization to govern the development and use of AI in a responsible, traceable and continuously improvable way.
It follows the same high-level structure as other well-known ISO management standards (such as ISO 27001 for information security), which makes it easy to integrate with management systems the organization already has in place.
What an AI management system (AIMS) is
An AI management system is the set of policies, roles, processes and controls an organization uses to manage the risks and opportunities of artificial intelligence. It is not about the technology itself, but about how it is governed: who is accountable, how risks are assessed, how transparency is ensured and how the system is continually improved.
ISO 42001 provides the framework to build that system and, eventually, have it certified by an accredited body.
The structure: clauses 4 to 10
The heart of the standard is clauses 4 to 10, which describe the management system requirements:
- Clause 4 — Context of the organization: understanding the environment and interested parties.
- Clause 5 — Leadership: top management commitment and AI policy.
- Clause 6 — Planning: risk management and objectives.
- Clause 7 — Support: resources, competencies and communication.
- Clause 8 — Operation: controls over the AI life cycle.
- Clause 9 — Performance evaluation: audit and review.
- Clause 10 — Improvement: correction and continual improvement.
Annex A: AI governance controls
In addition to the clauses, ISO 42001 includes an Annex A with a catalog of controls and control objectives specific to AI: data management, transparency toward users, accountability for systems, impact assessment, among others.
While the clauses define the “what” of the management system, Annex A offers the “with what”: the concrete controls selected according to each organization's risk.
Who it applies to and why adopt it
ISO 42001 applies to any organization that develops, provides or uses AI systems, regardless of its size or industry. Adopting it helps demonstrate responsible governance to customers and regulators, structure risk management and get ahead of emerging regulatory frameworks such as the European Union AI Act.
How to start: a gap assessment
The first practical step toward ISO 42001 is a gap assessment: comparing your current situation against the standard's requirements to know what is missing and prioritize.
Elara offers this AI-agent-guided assessment with two approaches: by clauses 4-10 (the management system) or by the Annex A controls. In about 30 minutes you get a report with your maturity level, gaps and roadmap.
Frequently asked questions
Is ISO/IEC 42001 mandatory?
It is not mandatory: it is a voluntary, certifiable standard. Adopting it helps demonstrate responsible AI governance and prepare for regulations such as the EU AI Act.
What is the difference between the clauses and Annex A?
Clauses 4-10 define the management system requirements (the “what”). Annex A is a catalog of concrete AI governance controls (the “with what”), selected according to risk.
Can ISO 42001 be certified?
Yes. An organization can certify its AI management system through an accredited certification body, similarly to ISO 27001 or ISO 9001.
When was ISO 42001 published?
It was published in December 2023 and is the first international standard dedicated to artificial intelligence management systems.
