ISO 42001: The AI Management System Standard Every Enterprise Will Need — G8KEPR Blog
Compliance · 8 min read · April 20, 2026

ISO 42001: The AI Management System Standard Every Enterprise Will Need

ISO 42001 was published in December 2023 and is already appearing in enterprise vendor questionnaires. It is the ISO 27001 of AI — a management system standard with certification. Here is what it requires and what it means for teams building and using AI APIs.

ISO 42001:2023 is the first international standard for AI management systems. It follows the structure of ISO 27001 — a management system framework that can be certified by an accredited third-party auditor. If ISO 27001 certifies your information security management, ISO 42001 certifies your AI governance program.

Certification is not yet mandatory anywhere, but enterprise procurement teams are already including ISO 42001 certification as a vendor requirement in RFPs. Within two years, the question "are you ISO 42001 certified?" will appear in enterprise security questionnaires as commonly as "are you SOC 2 certified?" does today.

Key Requirements

AI policy

Organizations must establish an AI policy that defines the purpose and boundaries of AI use, assigns accountability for AI governance, and is reviewed periodically. This is the equivalent of the information security policy in ISO 27001.

Impact assessment

Before deploying an AI system, organizations must conduct an impact assessment that considers the intended use, potential harms to affected parties, and technical risks. This is more prescriptive than a generic risk assessment — it must address AI-specific risks including bias, explainability, and robustness.

Objectives and monitoring

AI objectives must be measurable and monitored. For API-exposed AI systems, this means tracking performance metrics, error rates, and security events over time — and demonstrating that the system performs within its defined objectives.
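As an added illustration (not code from the post or from G8KEPR), the following Python turns the three tracked quantities above into measurable objectives evaluated per hourly window over a constructed API log; the thresholds and log lines are hypothetical, chosen only to show one window that meets its objectives and one that does not.

```python
import math
from collections import defaultdict

# Measurable objectives for the AI API. The thresholds are hypothetical
# illustration values, not targets from the post or from G8KEPR.
OBJECTIVES = {
    "error_rate_max": 0.02,      # share of requests returning a 5xx status
    "p95_latency_ms_max": 800,   # 95th-percentile latency in milliseconds
    "security_events_max": 0,    # security events tolerated per window
}

# Constructed sample log: (ISO timestamp, HTTP status, latency ms, security event or None).
SAMPLE_LOG = [
    ("2026-04-20T10:00:01", 200, 310, None),
    ("2026-04-20T10:12:40", 200, 420, None),
    ("2026-04-20T10:25:03", 200, 280, None),
    ("2026-04-20T10:41:17", 200, 650, None),
    ("2026-04-20T10:58:59", 200, 390, None),
    ("2026-04-20T11:03:11", 200, 300, None),
    ("2026-04-20T11:09:45", 500, 1200, None),
    ("2026-04-20T11:20:02", 200, 350, None),
    ("2026-04-20T11:31:30", 429, 410, "input policy filter triggered"),
    ("2026-04-20T11:47:08", 503, 900, None),
]

def percentile(values, pct):
    """Nearest-rank percentile of a non-empty sequence."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def evaluate_window(events, objectives=OBJECTIVES):
    """Compute one window's metrics and list every objective it misses."""
    metrics = {
        "error_rate": sum(1 for e in events if e[1] >= 500) / len(events),
        "p95_latency_ms": percentile([e[2] for e in events], 95),
        "security_events": sum(1 for e in events if e[3] is not None),
    }
    # Each objective key is "<metric>_max"; strip the suffix to find its metric.
    failures = [name for name, limit in objectives.items()
                if metrics[name.removesuffix("_max")] > limit]
    return {"metrics": metrics, "within_objectives": not failures, "failures": failures}

def monitor(log, objectives=OBJECTIVES):
    """Bucket events by hour and evaluate each bucket; the result, kept over
    time, is the evidence that the system stayed within its objectives."""
    windows = defaultdict(list)
    for event in log:
        windows[event[0][:13]].append(event)   # "YYYY-MM-DDTHH" selects the hour
    return {w: evaluate_window(ev, objectives) for w, ev in sorted(windows.items())}
```

Retaining each window's result with its timestamp gives the auditor a dated record rather than a one-off dashboard reading.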

Overlap with Existing Frameworks

ISO 42001 is designed to integrate with ISO 27001, ISO 9001, and ISO 27701. Organizations already certified to these standards can extend their management system rather than building a separate one. The evidence collection, internal audit, and management review processes are shared.

G8KEPR is currently pursuing ISO 42001 certification. We plan to publish our implementation approach, including the templates we use for AI impact assessments and objective monitoring, in a follow-up post.
