ISO/IEC 42001

ISO/IEC 42001: the certifiable AI management system standard

ISO/IEC 42001:2023 is the first internationally certifiable AI management system (AIMS) standard, published December 2023. This page covers the structure, the Annex A control library, the typical implementation cycle, and how the standard relates to the EU AI Act and the NIST AI RMF.

Jack Finnegan, Founder & CEO, BA Copilot

By Jack Finnegan · Updated 21 May 2026

What it is

What ISO/IEC 42001 actually is

ISO/IEC 42001:2023, published December 2023, is the first internationally certifiable management system standard for artificial intelligence. It follows the same harmonised structure as ISO 9001 (quality), ISO 27001 (information security), and ISO 14001 (environment): a Plan-Do-Check-Act management system with a defined scope, leadership commitments, risk-based planning, operational controls, performance evaluation, and continual improvement. Annex A provides a reference control set of 38 AI controls across 9 control objectives (the AI controls library) covering dimensions like data quality, model lifecycle, transparency, human oversight, and impact assessment.
Because ISO 42001 is certifiable, mature programmes pursue third-party audit and certification to demonstrate AI-governance maturity to procurement teams, regulators, and customers. Certification is increasingly cited as a procurement requirement by major enterprises buying AI products from vendors, particularly in the EU and UK.

The problem today

Most "ISO 42001 readiness" programmes are slide decks pretending to be management systems

The familiar pattern: a firm announces an ISO 42001 readiness initiative, hires a consultancy to produce a gap-assessment PowerPoint, and publishes an AI policy on the intranet. Twelve months later the certification audit reveals that the AIMS exists on paper but not in the working week - controls have no owners, the risk assessment was a one-off, the internal audit programme was never set up, and the management review has happened once and was filed as a board paper.
The fix is the structural difference between a document and a management system: the AIMS must run as a real process, with assigned roles, scheduled cycles, evidence captured at each step, and a closed loop of corrective action. A BPMN process map of the AIMS lifecycle is the cheapest way to make that process visible and auditable.

Four pillars

Four pieces of an ISO 42001 AIMS

Scope and policy

Define what the AIMS covers (which AI systems, which business units, which jurisdictions), what leadership commits to, and the AI policy that anchors the management system.

AI risk and impact assessment

Clause 6 sets out the risk-assessment (6.1.2) and impact-assessment (6.1.4) expectations, with Annex C providing the informative reference list of AI objectives and risk sources. Risk is to objectives, performance, and stakeholders; impact is to individuals, groups, and society.

Annex A controls

The control library. Pick controls proportionate to your risks - the standard does not require every control, only those that respond to the risks the assessment identified - but each inclusion and exclusion has to be justified in a Statement of Applicability, so "not applicable" is a documented decision, not a silent omission.

Audit, review, improve

Internal audit verifies the AIMS is operating; management review evaluates it against objectives; corrective action closes nonconformities; continual improvement drives the next cycle.

Process Map

The ISO 42001 AIMS lifecycle as a process map

The PDCA-aligned lifecycle - scope, risk assessment, controls, audit, review, corrective action - with the loop that makes the management system actually operate.


ISO/IEC 42001 AI management system as a process map

The ISO/IEC 42001:2023 AI management system rendered as a BPMN 2.0 process: define the AIMS scope, run risk assessment per Clause 6, implement Annex A controls, then cycle through internal audit, management review, corrective action, and continual improvement.

  1. Define the AI management system (AIMS) scope, leadership commitment, and policy.
  2. Run AI risk and impact assessment per ISO/IEC 42001 Clause 6 (using Annex C as the informative reference for AI objectives and risk sources).
  3. Implement Annex A controls proportionate to the identified risks.
  4. Internal audit verifies controls are designed and operating effectively.
  5. Management review evaluates the AIMS against objectives and changing context.
  6. If nonconformities are identified, route to corrective action and re-audit. Otherwise the cycle moves into continual improvement.
  7. Optionally pursue third-party certification once the AIMS is mature.

What this diagram shows: The lifecycle starts at AIMS implementation kickoff. Scope definition and policy come first. AI risk and impact assessment (Clause 6, with Annex C as the informative reference for AI objectives and risk sources) feeds control implementation against Annex A (with Annex B as the implementation-guidance companion to Annex A). Internal audit and management review form the Check phase. The nonconformity gateway routes findings to corrective action and back through re-audit; clean reviews flow into continual improvement and ongoing operation. Optional third-party certification sits outside this diagram.
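The structural properties this diagram relies on (every step has an owner, the nonconformity gateway has labelled branches, and the corrective-action branch really loops back to re-audit instead of dead-ending) can be checked mechanically on the BPMN 2.0 XML. The script below is an added example, not BA Copilot's code and not anything the standard prescribes: it embeds a hand-built BPMN model of the seven-step lifecycle above, parses it with the standard library, and reports the failure modes described under "The problem today". Element ids, lane names and the check heuristics are assumptions.

```python
"""Structural checks on a BPMN 2.0 model of an ISO/IEC 42001 AIMS lifecycle.

Added example. The BPMN XML below is constructed by hand to follow the
seven lifecycle steps on this page; ids, lane names and the checks are
assumptions, not something the standard or any product prescribes.
"""
import xml.etree.ElementTree as ET

NS = {"bpmn": "http://www.omg.org/spec/BPMN/20100524/MODEL"}

# Constructed sample: PDCA loop with a nonconformity gateway whose "yes"
# branch goes to corrective action and back to internal audit (re-audit).
AIMS_BPMN = """<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" id="defs">
  <bpmn:process id="aims_lifecycle" isExecutable="false">
    <bpmn:laneSet id="lanes">
      <bpmn:lane id="lane_mgmt" name="Top management">
        <bpmn:flowNodeRef>t_scope</bpmn:flowNodeRef>
        <bpmn:flowNodeRef>t_review</bpmn:flowNodeRef>
      </bpmn:lane>
      <bpmn:lane id="lane_owner" name="AIMS owner">
        <bpmn:flowNodeRef>t_risk</bpmn:flowNodeRef>
        <bpmn:flowNodeRef>t_controls</bpmn:flowNodeRef>
        <bpmn:flowNodeRef>t_capa</bpmn:flowNodeRef>
        <bpmn:flowNodeRef>t_improve</bpmn:flowNodeRef>
      </bpmn:lane>
      <bpmn:lane id="lane_audit" name="Internal audit">
        <bpmn:flowNodeRef>t_audit</bpmn:flowNodeRef>
      </bpmn:lane>
    </bpmn:laneSet>
    <bpmn:startEvent id="start" name="AIMS kickoff"/>
    <bpmn:task id="t_scope" name="Define scope, leadership commitment and AI policy"/>
    <bpmn:task id="t_risk" name="AI risk and impact assessment (Clause 6)"/>
    <bpmn:task id="t_controls" name="Implement Annex A controls"/>
    <bpmn:task id="t_audit" name="Internal audit"/>
    <bpmn:task id="t_review" name="Management review"/>
    <bpmn:exclusiveGateway id="gw_nc" name="Nonconformities?"/>
    <bpmn:task id="t_capa" name="Corrective action"/>
    <bpmn:task id="t_improve" name="Continual improvement"/>
    <bpmn:endEvent id="end" name="Cycle complete"/>
    <bpmn:sequenceFlow id="f1" sourceRef="start" targetRef="t_scope"/>
    <bpmn:sequenceFlow id="f2" sourceRef="t_scope" targetRef="t_risk"/>
    <bpmn:sequenceFlow id="f3" sourceRef="t_risk" targetRef="t_controls"/>
    <bpmn:sequenceFlow id="f4" sourceRef="t_controls" targetRef="t_audit"/>
    <bpmn:sequenceFlow id="f5" sourceRef="t_audit" targetRef="t_review"/>
    <bpmn:sequenceFlow id="f6" sourceRef="t_review" targetRef="gw_nc"/>
    <bpmn:sequenceFlow id="f7" name="yes" sourceRef="gw_nc" targetRef="t_capa"/>
    <bpmn:sequenceFlow id="f8" sourceRef="t_capa" targetRef="t_audit"/>
    <bpmn:sequenceFlow id="f9" name="no" sourceRef="gw_nc" targetRef="t_improve"/>
    <bpmn:sequenceFlow id="f10" sourceRef="t_improve" targetRef="end"/>
  </bpmn:process>
</bpmn:definitions>
"""

# Same model with the owner of corrective action and the re-audit loop removed:
# the "slide deck pretending to be a management system" shape.
BROKEN_BPMN = AIMS_BPMN.replace(
    '<bpmn:sequenceFlow id="f8" sourceRef="t_capa" targetRef="t_audit"/>', ""
).replace("<bpmn:flowNodeRef>t_capa</bpmn:flowNodeRef>", "")


def _reaches(src, dst, out):
    """Depth-first search over sequence flows: can dst be reached from src?"""
    seen, stack = set(), [src]
    while stack:
        n = stack.pop()
        if n == dst:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(out.get(n, []))
    return False


def check_model(xml_text):
    """Return a list of findings; an empty list means the model passes."""
    proc = ET.fromstring(xml_text).find("bpmn:process", NS)
    findings = []
    tasks = {t.get("id"): t.get("name", "") for t in proc.findall("bpmn:task", NS)}
    gateways = [g.get("id") for g in proc.findall("bpmn:exclusiveGateway", NS)]
    starts = [s.get("id") for s in proc.findall("bpmn:startEvent", NS)]

    # 1. Every task sits in exactly one lane, i.e. has a named owner.
    owners = {}
    for lane in proc.iterfind("bpmn:laneSet/bpmn:lane", NS):
        for ref in lane.findall("bpmn:flowNodeRef", NS):
            owners.setdefault(ref.text.strip(), []).append(lane.get("name"))
    for tid, name in tasks.items():
        if len(owners.get(tid, [])) != 1:
            findings.append(f"task {tid!r} ({name}) has {len(owners.get(tid, []))} owning lanes, expected 1")

    # Flow graph: source id -> list of target ids, plus branch labels.
    out, labels = {}, {}
    for f in proc.findall("bpmn:sequenceFlow", NS):
        out.setdefault(f.get("sourceRef"), []).append(f.get("targetRef"))
        labels[(f.get("sourceRef"), f.get("targetRef"))] = f.get("name")

    # 2. Every task and gateway is reachable from a start event.
    for tid in list(tasks) + gateways:
        if not any(_reaches(s, tid, out) for s in starts):
            findings.append(f"node {tid!r} is not reachable from the start event")

    # 3. Each gateway has >= 2 labelled branches and at least one branch
    #    loops back to the gateway (findings return through re-audit).
    for g in gateways:
        branches = out.get(g, [])
        if len(branches) < 2:
            findings.append(f"gateway {g!r} has {len(branches)} outgoing flows, expected at least 2")
        for t in branches:
            if not labels.get((g, t)):
                findings.append(f"flow {g!r}->{t!r} has no condition label")
        if not any(_reaches(t, g, out) for t in branches):
            findings.append(f"gateway {g!r}: no branch loops back for re-audit")

    # 4. No task, gateway or start event is a dead end.
    for n in list(tasks) + gateways + starts:
        if not out.get(n):
            findings.append(f"node {n!r} has no outgoing flow (dead end)")
    return findings


if __name__ == "__main__":
    for label, model in (("lifecycle", AIMS_BPMN), ("broken", BROKEN_BPMN)):
        print(label, check_model(model) or "OK")
```

The clean model returns no findings; the broken variant reports that corrective action has no owning lane, that the gateway's branches never loop back, and that corrective action is a dead end. The same checks can be run in CI over every AIMS workflow model so that an unowned or open-loop process is caught when it is modelled rather than at the certification audit.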

FAQ

Frequently asked questions

What is ISO/IEC 42001?

ISO/IEC 42001:2023 is the first internationally certifiable management system standard for artificial intelligence, published December 2023. It provides the management-system structure (scope, leadership, planning, support, operation, performance evaluation, improvement) plus a reference control library (Annex A) for AI risk and impact.

Is ISO 42001 certifiable?

Yes. ISO 42001 follows the same harmonised management-system structure as ISO 9001 (quality) and ISO 27001 (information security) and can be third-party audited by accredited certification bodies. The first certifications were issued in 2024; the market is still maturing, with major audit firms (BSI, TÜV, DNV, LRQA) building 42001 audit capability.

How does ISO 42001 relate to the EU AI Act?

The two are complementary. The EU AI Act is binding law with prohibitions and conformity-assessment requirements; ISO 42001 is a certifiable management system standard that helps demonstrate compliance with many of the Act's obligations. Article 40 of the EU AI Act references harmonised standards as a presumption of conformity, and ISO 42001 is being assessed for harmonisation. Mature programmes treat ISO 42001 as the management-system backbone and map onto EU AI Act obligations where in scope.

How does ISO 42001 relate to NIST AI RMF?

ISO 42001 is the certifiable management-system shape (Plan-Do-Check-Act with Annex A controls). NIST AI RMF is the operational risk-process methodology (govern, map, measure, manage). Many programmes build the management system around ISO 42001 and use NIST AI RMF as the risk-process methodology inside it.

How do you implement ISO 42001?

The canonical implementation sequence is: define scope and AI policy; run AI risk and impact assessment per Clause 6 (using Annex C as the informative reference for AI objectives and risk sources); implement Annex A controls proportionate to the identified risks (with Annex B as the implementation-guidance companion); set up internal audit and management review cycles; pursue corrective action where nonconformities surface; pursue third-party certification once the AIMS is operating consistently. Typical implementation takes 9-18 months for a firm with no prior AI governance programme.

Does BA Copilot help with ISO 42001 certification?

BA Copilot is the modelling layer - it produces the BPMN process maps for each AIMS workflow (AI onboarding, risk assessment, incident response, model release, third-party AI procurement). Auditors expect to see the AIMS documented as working processes, not just policies; BPMN diagrams are the artefact that demonstrates the process is real. BA Copilot does not perform the audit or maintain the certification evidence repository.

From the founder

14 Years in BPMN

I'm Jack Finnegan. I've spent fourteen years working hands-on with BPMN, as an analyst, an engineer, and a product director, where I felt every sharp edge of legacy business process platforms.

BA Copilot is the platform I wanted on every one of these projects: AI-first process management, which treats BPMN as a first-class output rather than an export afterthought.

Sources

Sources and verification

Last verified 21 May 2026 by Jack Finnegan.

Verified against: ISO/IEC 42001:2023 - Information technology - Artificial intelligence - Management system (official)

References cited on this page:

  • ISO/IEC 42001:2023

Build the AIMS as a working process

Open the ISO 42001 AIMS lifecycle template, model each clause as an actual workflow, and produce the BPMN evidence the certification audit will ask for.