
ISO 42001 certification

Prepare for AI management system certification.

Overview

ISO/IEC 42001 is the international standard for AI management systems. It provides a framework for organizations to establish, implement, maintain, and continually improve an AI management system (AIMS). Published in December 2023, it is the first global standard specifically designed for AI governance.

Unlike regulations that mandate specific behaviors, ISO 42001 provides a management system approach. It helps organizations build the processes, controls, and culture needed to govern AI responsibly. Certification demonstrates to customers, partners, and regulators that your organization takes AI governance seriously.

Why pursue ISO 42001 certification?

  • Credibility: Third-party certification provides independent verification of your AI governance practices
  • Market differentiation: Early adopters gain competitive advantage as certification becomes expected
  • Regulatory alignment: ISO 42001 aligns with EU AI Act requirements and other emerging regulations
  • Risk reduction: Systematic governance reduces the likelihood and impact of AI failures
  • Customer assurance: Certification addresses customer concerns about AI safety and ethics
  • Continuous improvement: The standard requires ongoing improvement of AI governance practices

ISO 42001 follows the same high-level structure as other ISO management system standards (like ISO 27001), making it easier to integrate with existing management systems.

Key requirements

ISO 42001 is organized into clauses that define what your AI management system must address:

Context of the organization

Understand your environment, stakeholders, and scope of the AI management system.

Leadership

Ensure top management commitment and establish AI policy and roles.

Planning

Address risks and opportunities, set objectives, and plan to achieve them.

Support

Provide necessary resources, competence, awareness, and documentation.

Operation

Implement AI-specific controls for the AI lifecycle.

Performance evaluation

Monitor, measure, analyze, and evaluate your AI management system.

Improvement

Address nonconformities and continually improve the system.

Annex A controls

In addition to the management system clauses, ISO 42001 includes Annex A, a catalog of reference controls specifically designed for AI systems. Unlike the clauses, which are mandatory requirements, Annex A provides a set of controls that organizations select based on their risk assessment. Organizations must consider each control and either implement it or document why it is not applicable to their context.

Annex A controls cover key areas of AI governance:

  • AI policies and governance structure
  • Roles and responsibilities for AI
  • AI system impact assessment
  • AI system lifecycle management
  • Data for AI systems
  • AI system testing and validation
  • AI system operation and monitoring
  • Third-party and customer relationships

How VerifyWise supports ISO 42001

VerifyWise helps you build and demonstrate an ISO 42001-compliant AI management system:

  • Model inventory: Maintain the AI system inventory required by the standard
  • Risk management: Document and track AI-specific risks and treatments
  • Control framework: Map your controls to ISO 42001 requirements
  • Evidence hub: Collect and organize evidence for certification audits
  • Policy management: Create and maintain required AI policies
  • Incident tracking: Document and learn from AI-related incidents

Certification process

The path to ISO 42001 certification typically involves:

  1. Gap analysis: Assess your current state against ISO 42001 requirements
  2. Implementation: Build or enhance your AI management system to meet requirements
  3. Internal audit: Verify your system meets requirements before the certification audit
  4. Management review: Conduct formal management review of the AIMS
  5. Stage 1 audit: Documentation review by the certification body
  6. Stage 2 audit: Implementation audit by the certification body
  7. Certification: Receive certificate upon successful audit completion
  8. Surveillance: Undergo annual surveillance audits to maintain certification

Best practice
Start by scoping your AI management system appropriately. You do not need to include every AI system in your organization. Begin with a defined scope and expand over time.

Integration with other standards

ISO 42001 is designed to integrate with other management system standards:

  • ISO 27001: Information security management for AI systems
  • ISO 9001: Quality management for AI development and operations
  • ISO 14001: Environmental management for AI sustainability considerations

ISO 42001 assessment structure

When you select ISO 42001 for a use case, VerifyWise creates an assessment with two distinct sections that mirror the structure of the standard:

Management system clauses

The core requirements from Clauses 4-10 that define what your AI management system must include.

Reference controls (Annex A)

Specific AI controls that organizations can select and implement based on their risk assessment.

Management system clauses

The management system clauses screen displays the seven core clauses required by ISO 42001. Each clause contains subclauses that define specific requirements:

  • Clause 4: Context of the organization — Understanding your environment, stakeholders, and AIMS scope
  • Clause 5: Leadership — Management commitment, AI policy, and organizational roles
  • Clause 6: Planning — Risk assessment, objectives, and change planning
  • Clause 7: Support — Resources, competence, awareness, and documentation
  • Clause 8: Operation — AI lifecycle implementation and impact assessments
  • Clause 9: Performance evaluation — Monitoring, internal audit, and management review
  • Clause 10: Improvement — Nonconformity handling and continual improvement

Working with subclauses

Each clause contains subclauses that represent specific requirements. Click on a subclause to open its detail view where you can:

  1. Review the summary: Understand what the subclause requires
  2. Answer guiding questions: Use provided questions to assess your compliance
  3. Document implementation: Describe how your organization addresses the requirement
  4. Review evidence examples: See what evidence typically supports compliance
  5. Link evidence: Attach documents from your Evidence Hub
  6. Assign responsibility: Set owner, reviewer, and approver
  7. Update status: Track progress from Not started through Implemented

Subclause detail fields

For each subclause, VerifyWise tracks:

  • Status: Not started, In progress, or Implemented
  • Implementation description: Your documentation of how the requirement is addressed
  • Evidence links: Supporting documents and artifacts
  • Owner: Person responsible for implementation
  • Reviewer: Person who reviews the implementation
  • Approver: Person who gives final sign-off
  • Due date: Target completion date
  • Auditor feedback: Notes from internal or external auditors
  • Linked risks: Use case risks associated with this subclause
[Screenshot: control detail modal with subcontrol tabs; Overview, Evidence and Auditor Feedback sections; and fields for status, approver, risk review, owner, reviewer, due date, and implementation details]
The control detail view allows you to track implementation status, assign responsibilities, and document compliance.

Reference controls (Annex A)

The reference controls screen displays ISO 42001 Annex A, which contains specific AI controls organized into seven categories:

  • A.5: Organizational policies and governance
  • A.6: Internal organization
  • A.7: Resources for AI systems
  • A.8: AI system lifecycle
  • A.9: Data for AI systems
  • A.10: Information and communication technology (ICT)
  • A.11: Third-party relationships

Control applicability

Unlike the mandatory clauses, Annex A controls can be marked as applicable or not applicable based on your risk assessment. For each control:

  • Applicable: The control is relevant to your AI systems and must be implemented
  • Not applicable: The control does not apply to your scope. Provide justification for exclusion

Statement of applicability
Your decisions about which controls apply form the basis of your Statement of Applicability (SoA), a required document for ISO 42001 certification.

Working with annex controls

Each annex control includes guidance and description to help you understand what is required. Click on a control to view and update:

  • Applicability: Whether this control applies to your organization
  • Justification for exclusion: Required explanation if marking as not applicable
  • Implementation description: How your organization implements this control
  • Evidence links: Supporting documentation
  • Status: Not started, In progress, or Implemented
  • Assignments: Owner, reviewer, and approver
  • Due date: Target completion date
  • Auditor feedback: Notes from auditors

Status workflow

Both subclauses and annex controls follow the same status workflow:

Not started

Work has not begun on this requirement. Initial state for all items.

In progress

Implementation is underway but not yet complete.

Implemented

The requirement has been fully addressed with evidence documented.

Tracking your progress

VerifyWise provides metrics to monitor your ISO 42001 compliance progress:

  • Subclause completion: Progress across all management system subclauses
  • Annex control completion: Progress across applicable reference controls
  • Assignment coverage: How many items have owners assigned
  • Status breakdown: Distribution of items by status
  • Overdue items: Subclauses and controls past their due date

Linking evidence

For both subclauses and annex controls, you can link evidence to demonstrate compliance:

  1. Open the subclause or annex control detail view
  2. Navigate to the evidence section
  3. Select existing evidence from your Evidence Hub or upload new documents
  4. Add implementation notes explaining how the evidence supports compliance

Best practice
Use the evidence examples provided in each subclause as a guide for what documentation auditors typically expect. Common evidence includes policies, procedures, meeting minutes, training records, and system documentation.

Linking risks

ISO 42001 emphasizes risk-based decision making. You can link use case risks to both subclauses and annex controls to demonstrate how your control implementation addresses identified risks. This creates traceability between your risk assessment and control implementation.

Frequently asked questions

Who should use ISO 42001?

ISO 42001 is intended for any organization, regardless of size, type, or nature, that provides or uses products or services utilizing AI systems. Whether you are developing AI in-house or deploying third-party AI solutions, the standard helps ensure responsible AI development and deployment.

Are there prerequisites for certification?

There are no specific prerequisites for pursuing ISO 42001 certification. However, organizations need an established AI management system with documented policies, processes, and risk management practices ready for audit. You can build these while preparing for certification.

How does ISO 42001 address AI risks?

The standard requires organizations to determine, assess, and treat AI risks and opportunities. This includes considering the domain, application context, and intended use of AI systems. Risk assessment is not a one-time activity but an ongoing process throughout the AI lifecycle.

How does the standard ensure responsible AI use?

ISO 42001 requires organizations to define and document processes, roles, responsibilities, and policies that support the ethical development, deployment, and operation of AI systems. This includes impact assessments, risk management, and governance structures that promote accountability.

How does ISO 42001 relate to other management system standards?

ISO 42001 applies a harmonized structure that aligns with quality management (ISO 9001), information security (ISO 27001), and privacy standards. This enables integrated implementation where organizations can address multiple standards through a unified management system.

How can organizations implement ISO 42001?

Start by understanding your AI system context, establishing an AI policy, assessing risks and impacts, and securing leadership commitment. Then plan, support, operate, monitor, and continually improve your AI management system. VerifyWise provides tools to support each phase of implementation.
