ISO/IEC 42001:2023 is the first international management-system standard for artificial intelligence, published in December 2023 jointly by ISO and IEC. It specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS) within an organisation. The standard follows the harmonised high-level structure (Annex SL) shared by ISO/IEC 27001 and ISO 9001, so an organisation that already runs an ISMS or QMS can integrate the AIMS into the same clauses, documents, audit programme, and management review. ISO/IEC 42001 is voluntary, but certification is currently the strongest independently verifiable signal a vendor or operator can give that AI risk is governed at the management-system level rather than by ad hoc policy. Certification is issued by accredited third-party certification bodies (ISO and IEC themselves do not issue certificates) and follows the usual management-system cycle: a stage 1 and stage 2 initial audit, annual surveillance audits, and a recertification audit in year three.
What does ISO/IEC 42001 actually require?
Key obligations include:
- Define the scope of the AI management system, including the AI systems, organisational units, and lifecycle stages it covers.
- Establish an AI policy, objectives, and roles and responsibilities approved by top management.
- Conduct AI risk assessments and AI impact assessments addressing fairness, transparency, safety, security, privacy, accountability, and societal impact.
- Implement Annex A controls (organisational, lifecycle, data, system, third-party, customer/end-user, and use-case controls), with the selected and excluded controls justified in a Statement of Applicability.
- Maintain documented information across the AI system lifecycle (data, design, verification, deployment, operation, retirement) sufficient for an external auditor to verify conformity.
- Operate continual-improvement processes: internal audits, management review, corrective actions, and incident handling for AI-related events.
Who is in scope of ISO/IEC 42001?
ISO/IEC 42001 is voluntary everywhere; no jurisdiction currently mandates certification. It is written for any organisation, of any size or sector, that develops, provides, or uses products or services built on AI systems. Because the standard is voluntary, scope is not imposed by a regulator: the organisation defines the scope of its own AIMS (which AI systems, business units, sites, and lifecycle stages are covered), and the roles it plays in the AI supply chain (developer, provider, deployer, or user of third-party models) determine which Annex A controls are applicable and which can be justified as excluded in the Statement of Applicability. See /frameworks/iso-iec-42001 for the full scope note and source links.
When does ISO/IEC 42001 take effect?
ISO/IEC 42001 was published on 2023-12-18 and has been available for implementation and certification since that date. As a voluntary standard it has no enforcement date and no phase-in periods of its own; any deadline to hold a certificate comes from a customer contract, a procurement requirement, or a regulation that references the standard, not from the standard itself. See the framework brief for the full timeline.
What are the penalties?
None. ISO/IEC 42001 is a certification standard, not legislation, so there are no statutory penalties and no government enforcement authority. The consequences of non-conformity are those of any management-system certification: nonconformities raised during an audit must be closed through corrective action, and an unresolved major nonconformity can lead the certification body to suspend or withdraw the certificate. Where a customer contract or tender requires certification, losing it can also carry contractual consequences.
Which vendors help with ISO/IEC 42001 compliance?
In our directory, the following vendors reference ISO/IEC 42001 in their compliance coverage: Credo AI, Holistic AI, Trustible, FairNow, Fairly AI, Saidot, LatticeFlow AI, HiddenLayer, Prompt Security, Enzai, OneTrust AI Governance, Collibra AI Governance. Each profile links to the public source for the claim.