ISO 42001 certification
Prepare for AI management system certification.
Overview
ISO/IEC 42001 is the international standard for AI management systems. It provides a framework for establishing, implementing, maintaining and continually improving an AI management system (AIMS). Published in December 2023, it's the first global standard designed specifically for AI governance.
Unlike regulations that mandate specific behaviors, ISO 42001 takes a management system approach. It helps you build the processes, controls and culture needed to govern AI responsibly. Getting certified shows customers, partners and regulators that your organization takes AI governance seriously.
Why pursue ISO 42001 certification?
- Credibility: Third-party certification gives independent verification of your AI governance practices
- Market differentiation: Early adopters gain an edge as certification becomes expected
- Regulatory alignment: ISO 42001 aligns with EU AI Act requirements and other emerging regulations
- Risk reduction: Systematic governance reduces the likelihood and impact of AI failures
- Customer assurance: Certification helps address customer concerns about AI safety and ethics
- Continuous improvement: The standard requires ongoing improvement of your AI governance practices
Key requirements
ISO 42001 is organized into clauses that define what your AI management system must address:
Context of the organization
Understand your environment, stakeholders and scope of the AI management system.
Leadership
Ensure top management commitment and establish AI policy and roles.
Planning
Address risks and opportunities, set objectives and plan to achieve them.
Support
Provide the resources, competence, awareness and documentation needed.
Operation
Implement AI-specific controls for the AI lifecycle.
Performance evaluation
Monitor, measure, analyze and evaluate your AI management system.
Improvement
Address nonconformities and continually improve the system.
Annex A controls
On top of the management system clauses, ISO 42001 includes Annex A, a catalog of reference controls designed for AI systems. The clauses are mandatory, but Annex A is different. You select controls based on your risk assessment and either implement them or document why they don't apply to your context.
Annex A controls cover key areas of AI governance:
- AI policies and governance structure
- Roles and responsibilities for AI
- AI system impact assessment
- AI system lifecycle management
- Data for AI systems
- AI system testing and validation
- AI system operation and monitoring
- Third-party and customer relationships
How VerifyWise supports ISO 42001
VerifyWise helps you build and demonstrate an ISO 42001-compliant AI management system:
- Model inventory: Maintain the AI system inventory required by the standard
- Risk management: Document and track AI-specific risks and treatments
- Control framework: Map your controls to ISO 42001 requirements
- Evidence hub: Collect and organize evidence for certification audits
- Policy management: Create and maintain required AI policies
- Incident tracking: Document and learn from AI-related incidents
Certification process
The path to ISO 42001 certification typically involves:
- Gap analysis: Assess your current state against ISO 42001 requirements
- Implementation: Build or enhance your AI management system to meet requirements
- Internal audit: Verify your system meets requirements before the certification audit
- Management review: Conduct formal management review of the AIMS
- Stage 1 audit: Documentation review by the certification body
- Stage 2 audit: Implementation audit by the certification body
- Certification: Receive certificate upon successful audit completion
- Surveillance: Undergo annual surveillance audits to maintain certification
Integration with other standards
ISO 42001 is designed to integrate with other management system standards:
- ISO 27001: Information security management for AI systems
- ISO 9001: Quality management for AI development and operations
- ISO 14001: Environmental management for AI sustainability considerations
ISO 42001 assessment structure
When you select ISO 42001 for a use case, VerifyWise creates an assessment with two distinct sections that mirror the structure of the standard:
Management system clauses
The core requirements from Clauses 4-10 that define what your AI management system must include.
Reference controls (Annex A)
Specific AI controls that organizations can select and implement based on their risk assessment.
Management system clauses
The management system clauses screen displays the seven core clauses required by ISO 42001. Each clause contains subclauses that define specific requirements:
- Clause 4: Context of the organization, covering your environment, stakeholders and AIMS scope
- Clause 5: Leadership, covering management commitment, AI policy and organizational roles
- Clause 6: Planning, covering risk assessment, objectives and change planning
- Clause 7: Support, covering resources, competence, awareness and documentation
- Clause 8: Operation, covering AI lifecycle implementation and impact assessments
- Clause 9: Performance evaluation, covering monitoring, internal audit and management review
- Clause 10: Improvement, covering nonconformity handling and continual improvement
Working with subclauses
Each clause contains subclauses that represent specific requirements. Click on a subclause to open its detail view where you can:
- Review the summary: Understand what the subclause requires
- Answer guiding questions: Use provided questions to assess your compliance
- Document implementation: Describe how your organization addresses the requirement
- Review evidence examples: See what evidence typically supports compliance
- Link evidence: Attach documents from your Evidence Hub
- Assign responsibility: Set owner, reviewer and approver
- Update status: Track progress from Not started through Implemented
Subclause detail fields
For each subclause, VerifyWise tracks:
- Status: Not started, In progress, or Implemented
- Implementation description: Your documentation of how the requirement is addressed
- Evidence links: Supporting documents and artifacts
- Owner: Person responsible for implementation
- Reviewer: Person who reviews the implementation
- Approver: Person who gives final sign-off
- Due date: Target completion date
- Auditor feedback: Notes from internal or external auditors
- Linked risks: Use case risks associated with this subclause

Reference controls (Annex A)
The reference controls screen displays ISO 42001 Annex A, which contains specific AI controls organized into seven categories:
- A.5: Organizational policies and governance
- A.6: Internal organization
- A.7: Resources for AI systems
- A.8: AI system lifecycle
- A.9: Data for AI systems
- A.10: Information and communication technology (ICT)
- A.11: Third-party relationships
Control applicability
Unlike the mandatory clauses, Annex A controls can be marked as applicable or not applicable based on your risk assessment. For each control:
- Applicable: The control is relevant to your AI systems and must be implemented
- Not applicable: The control does not apply to your scope. Provide justification for exclusion
Working with annex controls
Each annex control includes guidance and a description to help you understand what is required. Click on a control to view and update:
- Applicability: Whether this control applies to your organization
- Justification for exclusion: Required explanation if marking as not applicable
- Implementation description: How your organization implements this control
- Evidence links: Supporting documentation
- Status: Not started, In progress, or Implemented
- Assignments: Owner, reviewer and approver
- Due date: Target completion date
- Auditor feedback: Notes from auditors
Status workflow
Both subclauses and annex controls follow the same status workflow:
Not started
Work has not begun on this requirement. Initial state for all items.
In progress
Implementation is underway but not yet complete.
Implemented
The requirement has been fully addressed with evidence documented.
Tracking your progress
VerifyWise provides metrics to monitor your ISO 42001 compliance progress:
- Subclause completion: Progress across all management system subclauses
- Annex control completion: Progress across applicable reference controls
- Assignment coverage: How many items have owners assigned
- Status breakdown: Distribution of items by status
- Overdue items: Subclauses and controls past their due date
Linking evidence
For both subclauses and annex controls, you can link evidence to demonstrate compliance:
- Open the subclause or annex control detail view
- Navigate to the evidence section
- Select existing evidence from your Evidence Hub or upload new documents
- Add implementation notes explaining how the evidence supports compliance
Linking risks
ISO 42001 puts risk-based decision making front and center. You can link use case risks to both subclauses and annex controls to show how your control implementation addresses identified risks. This creates traceability between your risk assessment and what you've actually done about it.
Frequently asked questions
Who should use ISO 42001?
Any organization that provides or uses AI-powered products or services can benefit from ISO 42001, regardless of size or industry. Whether you're developing AI in-house or deploying third-party solutions, the standard helps you govern AI responsibly.
Are there prerequisites for certification?
There are no specific prerequisites. However, you'll need an established AI management system with documented policies, processes and risk management practices ready for audit. You can build these while preparing for certification.
How does ISO 42001 address AI risks?
The standard requires you to determine, assess and treat AI risks and opportunities. This includes considering the domain, application context and intended use of AI systems. Risk assessment isn't a one-time activity but an ongoing process throughout the AI lifecycle.
How does the standard ensure responsible AI use?
ISO 42001 requires you to define and document processes, roles, responsibilities and policies that support ethical AI development, deployment and operation. This includes impact assessments, risk management and governance structures that promote accountability.
How does ISO 42001 relate to other management system standards?
ISO 42001 uses a harmonized structure that aligns with quality management (ISO 9001), information security (ISO 27001) and privacy standards. This means you can address multiple standards through a single, unified management system.
How can organizations implement ISO 42001?
Start by understanding your AI system context, establishing an AI policy, assessing risks and impacts and getting leadership buy-in. Then plan, support, operate, monitor and continually improve your AI management system. VerifyWise has tools to support each phase.