AI Governance | International (ISO/IEC) | In force | Published December 2023

ISO 42001

ISO/IEC 42001:2023 — AI Management System (AIMS)

The certifiable AI management system standard

Overview

ISO/IEC 42001 is the first international standard for an AI Management System — the AI equivalent of ISO 27001 for security. It sets out how an organization should govern AI responsibly: policy, risk and impact assessment, lifecycle controls (Annex A), and continual improvement. It is voluntary, but it can be independently certified, which is increasingly asked for in procurement and enterprise deals.

Authority: Accredited certification bodies
Jurisdiction: International (ISO/IEC)
Effective date: Published December 2023
Applicability

Who must comply with ISO 42001?

Voluntary for everyone, but valuable to any organization that builds or deploys AI and wants a recognized, auditable governance framework — especially those selling into enterprises or regulated sectors that ask for an AI management system.

Compliance scope
Your organization collects personal information
You operate in the applicable jurisdiction
Commercial activities are involved
You use or disclose personal data


Requirements

Key obligations under ISO 42001

AI policy & objectives

Establish a documented AI policy, governance roles, and measurable objectives aligned with your risk appetite.

AI risk assessment

Run a systematic AI risk assessment and treatment process across the AI lifecycle.

AI impact assessment

Assess impacts of AI systems on individuals and society, not just on the organization.

Annex A controls

Implement the Annex A controls relevant to your systems — data, transparency, accountability, human oversight.

Lifecycle management

Govern AI from design and data through deployment, monitoring, and decommissioning.

Audit & continual improvement

Run internal audits, management reviews, and corrective actions to keep the AIMS effective.

Enforcement

Penalties & enforcement

Maximum penalty: None — voluntary standard
Enforced by: Accredited certification bodies
Notable case: No fines, but non-conformities found in a surveillance audit can lead to suspension or withdrawal of your certificate.

How Canuckt keeps you penalty-free:
Scaffolds your AI Management System — policy, roles, objectives, and the Annex A control set
Maps your AI systems registry and risk assessments to ISO 42001 clauses
Collects and organizes evidence so you walk into a certification audit prepared
Runs alongside your EU AI Act and ISO 27001 work — one governance backbone, not three

Run a free ISO 42001 gap assessment

Answer 47 questions, get a scored gap report, and see exactly what you need to do to comply with ISO 42001 — in under 3 hours. Free forever.
