SECURITYSQUAD
Back to the blog

ISO/IEC 42001: The Management System for Artificial Intelligence

2026-07-16 · by SECURITYSQUAD

ISO/IEC 42001: The Management System for Artificial Intelligence

Artificial intelligence is moving into more and more business processes – and with it the question of how organisations can demonstrate responsible use. ISO/IEC 42001 is the first internationally certifiable standard that provides a structured answer. For organisations that already run an ISMS, it is the logical next step.

What ISO/IEC 42001 is

ISO/IEC 42001 was published at the end of 2023 and defines the requirements for an AI management system (AIMS). It deliberately does not certify a single AI model or product, but the management system with which an organisation develops, procures, operates and monitors AI systems across their entire lifecycle.

The core idea: whoever uses AI must systematically govern the associated opportunities and risks – from bias in training data through a lack of traceability to the impact on affected individuals – rather than leaving them to chance. The standard addresses both providers and users of AI, regardless of sector and size.

Structure based on Annex SL – familiar to ISMS professionals

ISO 42001 follows the Harmonized Structure (formerly known as Annex SL) that underpins all modern ISO management system standards. Anyone familiar with ISO 27001 or ISO 9001 will feel at home immediately: the main clauses are structured identically.

  • Clause 4 – Context of the organisation: understanding the environment in which AI is used and which interested parties are affected.
  • Clause 5 – Leadership: top management responsibility, AI policy, roles and responsibilities.
  • Clause 6 – Planning: handling AI risks and opportunities, objectives.
  • Clause 7 – Support: resources, competence, documentation.
  • Clause 8 – Operation: implementing AI processes in daily work.
  • Clause 9 – Performance evaluation: monitoring, internal audit, management review.
  • Clause 10 – Improvement: corrective actions and continual development.

Behind this sits the PDCA principle (Plan–Do–Check–Act) familiar from ISO 27001: a continuous cycle rather than a one-off project. The structure is complemented by Annex A with 38 controls across nine areas, and by Annex B with implementation guidance. Further annexes name AI-specific objectives and risk sources.

The core requirements

Beyond the generic structure, several AI-specific requirements shape the standard:

  • AI governance: clear responsibilities, an AI policy and defined decision paths for the use of AI.
  • AI risk assessment: a systematic procedure that captures the particular risks of AI – such as bias, robustness, data quality and security.
  • Impact assessment: a structured evaluation of the effects of AI systems on individuals, groups and society.
  • Transparency and traceability: documented information on how AI systems work, decide and where their limits lie.
  • Lifecycle management: defined processes from requirements through development, testing and release to operation, monitoring and decommissioning – including the governance of suppliers and pre-trained models.

Why the standard matters now

The timing is no coincidence. With the EU AI Act, a binding legal framework is taking shape across Europe, whose obligations – such as transparency requirements and the gradually applicable rules for high-risk systems – enter into force in stages across 2026 and 2027. Organisations are looking for robust means of evidence, and ISO 42001 provides exactly the management structures the AI Act expects from providers: risk management, quality assurance, technical documentation and ongoing monitoring.

An honest assessment matters here: ISO 42001 is not a harmonised standard under the AI Act. A certificate therefore establishes no legal presumption of conformity and does not replace AI Act obligations. It is, however, a strong, internationally recognised means of evidence that already covers a large part of the required governance and considerably eases later alignment with harmonised standards.

Beyond regulation, the standard also pays off commercially. Customers, partners and supervisory authorities increasingly demand robust proof that AI is used under control. A certified AI management system builds that trust externally and creates clear responsibilities internally – especially once AI features are no longer confined to isolated pilots but used across the value chain.

Relationship to an existing ISO 27001 ISMS

For organisations with an ISMS, ISO 42001 is not a fresh start but an extension. Because both standards follow the same structure, many elements can be shared: context analysis, leadership processes, risk methodology, document control, internal audit and management review already exist. An existing ISMS also provides the foundation that secures the information security of AI systems – from access control to logging.

In practice this means: those who live ISO 27001 mainly add the AI-specific building blocks – governance, impact assessment, transparency and lifecycle – and integrate them into existing processes, rather than building a second, parallel system.

How certification works

The path to certification resembles that of ISO 27001 and can be captured in four stages:

  1. Positioning: a gap analysis shows which AI systems are in use and where the distance to the requirements lies.
  2. Build-up: define the scope, establish AI policy and governance, assess risks and impacts, create controls and documentation.
  3. Live it: the AI management system has to work in daily operations – only then does the later review hold up.
  4. Audit: an independent, accredited certification body reviews in two stages (documentation and on-site implementation); annual surveillance audits follow.

How SECURITYSQUAD supports you

An AI management system stands or falls with a solid management foundation – and that is precisely our core competence. SECURITYSQUAD is certified to ISO 27001 based on IT-Grundschutz (BSI) and to ISO 9001, and has supported organisations in building effective management systems since it was founded in 2022.

When building an AIMS, we bring this ISMS experience to bear: we run the gap analysis, develop AI governance and risk methodology, integrate the AI-specific controls into an existing ISMS and prepare you for certification in a structured way. The result is not a bureaucratic overlay but a system that works in operation while serving as evidence towards customers, partners and supervisory authorities.

Read more: EU AI Act: what applies now · ISO 27001 based on IT-Grundschutz · Our certifications · Expertise & Services