
ISO 42001 — the certifiable AI management system standard.

Published December 2023. The first international, certifiable management-system standard for AI. Harmonised structure (Annex SL) — same clause numbering as ISO 27001 and ISO 9001 — so existing ISMS / QMS investments flow through. Annex A lists 39 controls grouped into 9 control objectives.

What ISO 42001 actually requires

The main body (clauses 4–10) follows the standard Annex SL pattern: context of the organisation, leadership, planning, support, operation, performance evaluation, improvement. The differentiator is Annex A, which defines AI-specific controls covering policies, internal organisation, AI lifecycle, data, information for interested parties, AI system use, third-party relationships.

Certification is performed by an accredited certification body against an audit scope defined in your Statement of Applicability. The scope can be narrow (one AI system) or broad (entire AI portfolio).

Annex A control objectives

  1. Policies related to AI
  2. Internal organisation
  3. Resources for AI systems
  4. Assessing impacts of AI systems
  5. AI system lifecycle
  6. Data for AI systems
  7. Information for interested parties of AI systems
  8. Use of AI systems
  9. Third-party and customer relationships

Each objective expands into specific controls (39 in total). Most map cleanly to existing ISO 27001 controls; the AI-specific ones — impact assessment, AI lifecycle stages, data quality and bias — are where the ISMS team needs to add new evidence.

Certification, in practice

Pre-audit timeline from a green-field state: 9–14 months for a focused scope, 18+ months for portfolio-wide. Most of the time is spent generating evidence, not writing policies.

ISO 42001 vs NIST AI RMF vs EU AI Act

Three regimes; one practical reality. ISO 42001 gives you a certifiable management system that auditors and procurement teams understand. NIST AI RMF is the operational risk framework. The EU AI Act is the binding regulation. The practical question is when to pick one and when to run both.

Where Sia RegAI fits

Sia RegAI ingests ISO 42001, the related ISO/IEC 23894 risk management guidance, and your existing ISO 27001 / 9001 documentation. It maps Annex A controls to your existing controls, flags the genuinely AI-specific gaps, and drafts the Statement of Applicability and supporting policies. Where you're also subject to the EU AI Act, the obligation tree is shared so the conformity-assessment evidence flows into the certification scope.

Run ISO 42001 on your own AI portfolio.

A 45-minute walkthrough on a regulation and policy of your choosing. We bring the platform; you keep the output.