Pillar 13

ISO 42001 (AI Management System)

What ISO 42001 requires as an AI management system and how companies achieve certification for AI Agents in regulated environments.

Definition

ISO/IEC 42001:2023 is the world's first certifiable management system standard for Artificial Intelligence and sets out the requirements for establishing, operating and continually improving an AI management system (AIMS). It was published in December 2023 by ISO and IEC and follows the Annex SL structure, which makes it combinable with ISO 9001, ISO 14001 and in particular ISO/IEC 27001. What is always certified is an organization's management system, not an individual AI system, model or a specific AI Agent.

Key Takeaways

  • ISO/IEC 42001:2023 was published in December 2023 by ISO/IEC JTC 1/SC 42 as the world's first certifiable management system standard for AI.
  • What is certified is the organization's AI management system (AIMS), not an individual AI system or model. Statements such as 'our AI is ISO 42001 certified' are misleading.
  • The normative core consists of the Annex SL clauses 4 to 10 as well as the normative Annex A with 9 domains / 38 controls (A.2 to A.10).
  • The Statement of Applicability (SoA) is the most heavily scrutinized document: every Annex A control must appear as applicable or not applicable with a risk-based justification; unjustified exclusions are the most frequently cited nonconformity.
  • Thanks to the shared Annex SL structure, ISO 42001 and ISO/IEC 27001:2022 can be combined; combined audits typically save around 25 to 30 percent of Stage 2 audit days in practice.
  • Certification is performed by an accredited body under ISO/IEC 17021-1 and the AI-specific supplement ISO/IEC 42006:2025; a certificate is valid for three years, with annual surveillance audits.
  • ISO 42001 is NOT a harmonized standard of the EU AI Act and on its own creates no presumption of conformity; what is being harmonized is the prEN 182xx series (including prEN 18286 QMS) by CEN-CENELEC JTC 21.
  • In the DACH region, the first certificates are public: Unique AG (CH, TÜV SÜD, April 2025) as the first European company, Xayn (DE, SGS) as the first German one; active bodies include TÜV SÜD, TÜV Austria TRUSTIFAI and SGS.

What is ISO/IEC 42001?

ISO/IEC 42001:2023 (Information technology — Artificial intelligence — Management system) is the world's first certifiable management system standard (MSS) for Artificial Intelligence. It was published in December 2023 jointly by ISO and IEC in Joint Technical Committee 1, Subcommittee 42 (ISO/IEC JTC 1/SC 42). The standard sets out the requirements for establishing, operating, maintaining and continually improving an AI management system (AIMS).

The standard is deliberately industry- and role-neutral: it applies to any organization of any size that develops, provides or uses AI systems. In ISO terminology, these are primarily "Providers" (AI providers) and "Deployers" (organizations that operate AI in their own business). The crucial distinction is this: ISO 42001 is a management system standard, not a product standard. A certificate confirms that the organization's policies, processes, roles, risk and impact assessments as well as lifecycle controls meet the requirements — it does not certify an individual AI system, a model, or that a specific AI Agent is "safe", "fair" or "AI-Act-compliant". The correct phrasing is therefore: "The AIMS of organization X is certified to ISO/IEC 42001:2023 with scope Y (as per Statement of Applicability version Z)."

The ISO 42000 family at a glance

ISO 42001 sits at the center of a small, rapidly maturing standards family. It complements the following standards but replaces none of them:

| Standard | Title / Role | Status (as of May 2026) |
|---|---|---|
| ISO/IEC 42001:2023 | AI management system — Requirements (certifiable) | Published Dec. 2023 |
| ISO/IEC 23894:2023 | Guidance on AI risk management (aligned with ISO 31000) | Published Feb. 2023 |
| ISO/IEC 42005:2025 | AI impact assessment (companion standard to Cl. 6.1.4 / 8.4) | Published 2025 |
| ISO/IEC 42006:2025 | Requirements for audit/certification bodies for AIMS | Published 2025 |
| ISO/IEC 38507:2022 | Governance implications of the use of AI (board level) | Published 2022 |
| ISO/IEC 22989:2022 | AI concepts and terminology | Published 2022 |

Structurally, the 2023 edition is a compact document of roughly 40 to 60 numbered pages. It consists of the ten Annex SL clauses (clauses 1 to 10), the normative Annex A with the AI-specific reference controls, and three informative annexes: Annex B (implementation guidance for Annex A), Annex C (potential organizational AI objectives and risk sources) and Annex D (applying the AIMS across domains and in combination with other management systems).

Structure: clauses 4 to 10

The numbered clauses 4 to 10 form the normative, certifiable core. Their structure follows Annex SL exactly — the same high-level structure as ISO 9001, ISO 14001 or ISO/IEC 27001 — but is consistently qualified by AI-specific aspects such as continuous learning, opacity, data dependence, autonomy and emergent behavior.

  • Clause 4 – Context of the organization: internal and external environment (EU AI Act, GDPR, sector-specific obligations), interested parties and, above all, the written scope of the AIMS, which auditors transfer verbatim onto the certificate.
  • Clause 5 – Leadership: responsibility of top management, a documented AI policy (5.2) as well as roles and responsibilities (5.3). The standard does not mandate an "AI Officer" title, but in mid-sized DACH organizations this role is often combined with the CISO or the data protection officer.
  • Clause 6 – Planning: the centerpiece, with 6.1.2 AI risk assessment, 6.1.3 AI risk treatment (output: Statement of Applicability) and 6.1.4 AI impact assessment as well as measurable AI objectives (6.2).
  • Clause 7 – Support: resources, competence (7.2), awareness, communication and documented information. Clause 7.2 is often a weak point in agent deployments and is reinforced by the AI literacy obligation under Art. 4 EU AI Act.
  • Clause 8 – Operation: operational implementation of the processes designed in clause 6 — usually the most demanding clause to evidence.
  • Clause 9 – Performance evaluation: monitoring (9.1), internal audit (9.2) and management review (9.3) with mandatory inputs and outputs.
  • Clause 10 – Improvement: nonconformity/corrective action (10.1) and continual improvement (10.2).

Observations from audit practice show the distribution of effort: clause 6 + clause 8 + Annex A account for around 60 percent of the effort, clauses 4 + 5 about 15 percent, clause 7 around 10 percent, and clauses 9 + 10 about 15 percent.

Annex A: 9 domains, 38 controls

Annex A is normative by reference — organizations select the controls via the Statement of Applicability — and comprises 38 controls across 9 control areas (A.2 to A.10). In practice, figures such as "39" or "42" controls or "10 domains" occasionally circulate; these arise from different counting conventions. The canonical figure cited by the SC 42 secretariat and by certification bodies is 9 domains / 38 controls. Annex B provides (informative) implementation guidance for each control — it is what auditors read first when they want to know what "good" looks like.

The nine areas in brief overview:

| Area | Topic | Especially relevant for agent operators |
|---|---|---|
| A.2 | Policies related to AI | Autonomy levels, tool-use limits, HITL/escalation rules |
| A.3 | Internal organization | Roles, separation of duties, reporting channel for concerns |
| A.4 | Resources for AI systems | AI/agent register (A.4.2) as a central audit artifact |
| A.5 | Impacts of AI systems | Impact assessment process (anchor for ISO 42005) |
| A.6 | AI system lifecycle | Event logging (A.6.2.8), in parallel with AI Act Art. 12 |
| A.7 | Data for AI systems | Data quality, provenance, also for RAG/retrieval data |
| A.8 | Information for interested parties | Model cards, usage notices, incident communication |
| A.9 | Use of AI systems | Intended use (A.9.4) — relevant for AI Act Art. 25 |
| A.10 | Third parties and customers | Supplier due diligence for foundation-model providers |

Three controls are particularly audit-intensive in agent deployments and at the same time often insufficiently evidenced: A.6.2.8 (event logging) — deployers often log tool calls but not model inputs, reasoning traces or human-override events; A.5.2 to A.5.5 (impact assessment) for all agents that affect individuals or groups; and A.7.5 (provenance), as soon as training, fine-tuning or retrieval data are processed.

The Statement of Applicability (SoA)

The Statement of Applicability is the most heavily scrutinized document of every ISO 42001 audit and is mandated by clause 6.1.3 as the output of risk treatment. Every Annex A control must be listed as "applicable" or "not applicable" — with a risk-based justification for both inclusions and exclusions, implementation status, evidence reference and owner. The SoA is even referenced by version and date on the certificate: the public ISO 42001 certificate of SAP SE, for example, references Statement of Applicability version 1.4 dated 28 July 2025.

The most common mistakes — and therefore the single most frequently cited nonconformity in audit practice from 2024 to 2026 — are exclusions without a risk-based justification, controls marked "applicable" without a backing artifact, an unmaintained ("static") SoA after model changes or new agents, as well as the confusion of the Provider and Deployer roles.
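The SoA defects listed above can be caught before the auditor does. The following lint is an added example (not from this page or any certification body) that flags exclusions without a justification, applicable controls without evidence, unlisted controls, and an SoA that predates the latest entry in the AI/agent register; the control IDs, dates and SoA rows are constructed sample data.

```python
from datetime import date

# Constructed sample: a handful of Annex A control IDs named on this page.
# A real run loads all 38 controls (A.2 to A.10) from the standard.
EXPECTED_CONTROLS = ["A.4.2", "A.5.2", "A.6.2.8", "A.7.5", "A.9.4"]

def lint_soa(soa, expected_controls, last_ai_change):
    """Return (control, finding) tuples for an SoA dict.

    Each control row carries "applicable" (bool), "justification" and
    "evidence".  last_ai_change is the date of the latest model change or
    new agent in the AI/agent register (A.4.2); an older SoA is static.
    """
    findings = []
    rows = soa["controls"]
    for cid in expected_controls:
        row = rows.get(cid)
        if row is None:
            findings.append((cid, "not listed (every Annex A control must appear)"))
            continue
        if not row.get("justification", "").strip():
            kind = "inclusion" if row["applicable"] else "exclusion"
            findings.append((cid, f"{kind} without risk-based justification"))
        if row["applicable"] and not row.get("evidence"):
            findings.append((cid, "applicable without a backing artifact"))
    if soa["date"] < last_ai_change:
        findings.append(("SoA", f"static: v{soa['version']} dated {soa['date']} "
                                f"predates AI change on {last_ai_change}"))
    return findings

# Constructed SoA with deliberate defects, plus a later agent-register change.
SAMPLE_SOA = {
    "version": "1.0", "date": date(2025, 3, 1),
    "controls": {
        "A.4.2": {"applicable": True, "justification": "agent register kept",
                  "evidence": "REG-01"},
        "A.5.2": {"applicable": False, "justification": "", "evidence": None},
        "A.6.2.8": {"applicable": True, "justification": "autonomous agents",
                    "evidence": None},
        "A.7.5": {"applicable": True, "justification": "RAG data in use",
                  "evidence": "DATA-07"},
    },
}
LAST_AI_CHANGE = date(2025, 6, 15)

def lint_sample():
    return lint_soa(SAMPLE_SOA, EXPECTED_CONTROLS, LAST_AI_CHANGE)

if __name__ == "__main__":
    for control, finding in lint_sample():
        print(f"{control}: {finding}")
```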

Certification: Stage 1, Stage 2, surveillance

Certification is performed by an accredited certification body (CB) under ISO/IEC 17021-1 and the AI-specific supplement ISO/IEC 42006:2025. The process resembles ISO 27001:

  1. Stage 1 (document review/readiness): typically 1 to 3 days for mid-sized companies.
  2. Stage 2 (main audit): on-site or hybrid audit with evidence sampling and interviews; typically 3 to 10 days, scaling with size and scope. Findings are classified as major/minor nonconformity or opportunity for improvement.
  3. Certification decision: by a separate reviewer. Validity three years.
  4. Surveillance audits: annually, plus a re-certification audit at the end of the cycle.

Before the external Stage 2 audit, at least one complete internal audit cycle is expected, as well as typically 3 to 6 months of operational evidence. The most common Stage 1 finding is "documentation without operation": the AIMS exists on paper but has not been operated long enough to produce evidence.

Cost range (DACH, informational): for a mid-sized deployer (500 to 2,000 employees), the total cost of consulting, audit and internal time is around EUR 50,000 to 150,000 and 9 to 12 months; for a corporate group with a mature ISMS, around EUR 200,000 to 500,000 and 12 to 18 months. Pure Stage 1/Stage 2 audit fees for mid-sized companies usually fall in the range of EUR 20,000 to 60,000.

Combination with ISO/IEC 27001

Because ISO 42001 and ISO/IEC 27001:2022 share the same Annex SL structure, the two can be integrated efficiently. Clauses 4 to 10 are structurally identical; documented information, internal audit, management review and supplier management are in practice managed jointly.

| Aspect | ISO/IEC 27001:2022 | ISO/IEC 42001:2023 |
|---|---|---|
| Focus | Information security (ISMS) | AI governance (AIMS) |
| Annex A | 93 controls | 38 controls |
| Impact assessment | not included | mandatory (Cl. 6.1.4) |
| Structure | Annex SL | Annex SL (combinable) |

Organizations with a mature ISO 27001 typically extend the ISMS scope to include AI and add the AI-specific Annex A controls. Combined external audits are offered by all major certification bodies and save, according to practice, around 25 to 30 percent of Stage 2 audit days compared with parallel separate audits. In the governance hierarchy, ISO/IEC 38507:2022 sits above (the board's decision on the use of AI), while ISO 31000:2018 and ISO/IEC 23894:2023 provide the risk methodology.

In the DACH region, a first cohort of public certificates already exists: Unique AG (Switzerland) was certified to ISO/IEC 42001 as the first European company (audit by TÜV SÜD, announced April 2025), Xayn (Germany) as the first German organization (audit by SGS), and SAP SE has published a public certificate. Active bodies include TÜV SÜD, TÜV Rheinland, TÜV Austria with its TRUSTIFAI division, TÜV Nord, DEKRA, DQS, BSI Group and SGS. Accreditation is granted via DAkkS (Germany), Akkreditierung Austria (Austria) and SAS (Switzerland), with IAF MLA cross-recognition. Buyers should check a CB's exact accreditation scope, including its ISO/IEC 42006:2025 alignment, since the market is still inconsistent as of May 2026.

Important legal note (informational, not legal advice): ISO 42001 is NOT a harmonized standard of the EU AI Act and, as of May 2026, was not cited in the Official Journal of the EU. On its own, it creates no presumption of conformity. What is being harmonized are the prEN 182xx standards by CEN-CENELEC JTC 21 — in particular prEN 18286 (QMS under Art. 17), which was in public enquiry between 30 October and 27 December 2025 (target availability expected Q4 2026, provisional). The pragmatic 2026 architecture is therefore layered: ISO 42001 as the organizational AIMS, prEN 18286 as the system-specific QMS for regulated high-risk systems. ISO 42001 also overlaps with the GDPR DPIA (Art. 35) and the AI Act FRIA (Art. 27); a unified impact assessment template is technically feasible but requires legal sign-off, as each instrument has its own list of required contents.

Outlook and practical note

ISO 42001 has been certifiable for around 2.5 years; the number of completed Stage 2 audits worldwide is still in the low thousands, and in the DACH region in the dozens. The practitioner community estimates that fewer than 0.1 percent of AI-using organizations worldwide publicly hold the certificate — so the market is still in its first wave. Certified organizations report accelerated enterprise sales cycles, because the certificate replaces parts of vendor questionnaires, as well as a stronger position in AI Act arguments and insurance contexts.

For DACH decision-makers, a lean, narrow-scope first certification approach is advisable (initially "operation of AI Agents for [a specific functional area]", with scope expansion later) that consistently builds on existing ISMS/QMS infrastructure. Since the standards landscape is still consolidating — SC 42 is working on further standards, prEN 18286 will change the provider strategy in 2026 — organizations should actively monitor the outputs of ISO/IEC SC 42 and CEN-CENELEC JTC 21.

All Articles in this Topic (5 articles)

13.1 ISO 42001 Certification: Process and Effort

ISO 42001 certification confirms, through an accredited body, that an organisation's AI management system (AIMS) meets the requirements of ISO/IEC 42001:2023. The process comprises a gap analysis, AIMS implementation, internal audit, management review and a two-stage external audit (Stage 1 and Stage 2). The certificate is valid for three years.

Intermediate · 9 min

13.2 ISO 42001 vs ISO 27001: Combining an AIMS and an ISMS Correctly

ISO 42001 (AIMS, AI management system) and ISO 27001 (ISMS, information security) share the Annex SL structure and can be operated in an integrated manner. ISO 27001 protects information, ISO 42001 governs AI risks. Organisations that already have an ISMS extend its scope to cover AI and add the AI-specific Annex A controls, including an AI impact assessment.

Intermediate · 6 min

13.3 Annex A Controls of ISO 42001 at a Glance

Annex A of ISO/IEC 42001:2023 is the normative catalogue of 38 reference controls across 9 control areas (A.2–A.10), from which organisations select on a risk basis via the Statement of Applicability (SoA). The controls span AI policy, roles, resources, lifecycle and data governance through to use and third parties.

Advanced · 6 min

13.4 AI Policy for Companies: Contents and Template

An AI policy is the management-approved, documented directive that governs scope, permitted and prohibited AI use, data protection, approved tools, labelling of AI content, responsibilities, training and the consequences of violations. It is mandatory under ISO/IEC 42001 (Clause 5.2) and forms the framework for all AI objectives.

Intermediate · 7 min

13.5 AI Officer: Role, Responsibilities and Anchoring within the Organisation

An AI Officer is the central role that operationally steers the AI management system (AIMS) under ISO/IEC 42001: maintaining the AI inventory, classifying risks, monitoring compliance and building AI competence. The standard does not strictly mandate the title, but Clause 5.3 clearly requires assigned AI responsibilities and reporting lines.

Intermediate · 7 min