Live: EN ISO/IEC 42001:2026 was approved by CEN on 13 March 2026. 34 countries must give it national-standard status by September 2026. What that means ›

ISO/IEC JTC 1/SC 42 · Artificial intelligence

ISO/IEC 42001

Information technology.
Artificial intelligence.
Management system.

The world's first certifiable AI management system standard. Thirty-eight controls, nine objectives, and a Statement of Applicability that decides which of them are actually yours. Published December 2023. A European Standard since March 2026.

Dec 2023Published by ISO and IEC
First edition, 51 pages
38Annex A controls
across nine objectives
0Of them automatically apply
to your organisation
Sep 2026Deadline for national adoption
across 34 countries

Annex A · Table A.1

Thirty-eight controls.
None of them automatically yours.

This is the single most misunderstood thing about ISO/IEC 42001. Annex A is not a checklist to be completed. It is a reference set. You run a risk assessment, choose the controls that treat those risks, and then justify — in writing, to an auditor — both what you put in and what you left out. Nine objectives. Select any to see what it is for.

All nine objectives are reference material, not requirements. Clauses 4 to 10 are the requirements.

A.2

Reference control objective

Policies related to AI

Clause 6.1.3

The document that decides everything.

The Statement of Applicability is where 42001 stops being a document you read and starts being a position you defend. It lists the controls you have judged necessary, and it justifies every inclusion and every exclusion against your own risk assessment.

Get it right and the audit is a conversation about evidence. Get it wrong — adopt all 38 because it felt safer, or exclude something you could not defend — and you have either bought yourself years of pointless control maintenance or a major nonconformity.

Clauses 4–10 are the requirements

Context, leadership, planning, support, operation, performance evaluation, improvement. These use “shall”. There is no opting out, and this is what an auditor certifies you against.

Annex A is the reference set

Normative, but selective. The standard says plainly that not all of the objectives and controls are required to be used, and that you may design your own where Annex A does not reach.

Annex B is the guidance

Implementation guidance for every Annex A control — also normative, but you do not have to justify following it or not. It is a starting point, not a specification.

Most organisations end up implementing the majority of Annex A, because AI risk is broad and the controls are pitched high. That is a conclusion you should arrive at, not an assumption you start with.

Adoption

Europe adopted it in March. Without changing a word.

ISO/IEC 42001 has just become a European Standard, and almost nobody has noticed. CEN-CENELEC/JTC 21 — the same committee developing the harmonised standards for the EU AI Act — took the text over unmodified. The clock on national adoption is already running.

August 2020

The project is approved

A new work item is registered in the programme of ISO/IEC JTC 1/SC 42, the joint ISO and IEC subcommittee for artificial intelligence, established in 2017. From here to publication took over three years, two committee draft consultations and an international ballot.

ISO/IEC JTC 1/SC 42
December 2023

Published as an International Standard

ISO/IEC 42001:2023, first edition, 51 pages. The world's first management system standard for artificial intelligence, and the first that an organisation can be certified against.

ISO & IEC · Geneva
2025

The certification scheme arrives

ISO/IEC 42006:2025 sets the requirements for the bodies that audit and certify AI management systems — competence, impartiality, and how audit time is calculated. Certification only means something once this exists, because it is what accreditation bodies assess certifiers against.

ISO/IEC 42006:2025
13 March 2026

Approved as a European Standard

Approved by CEN and taken over as EN ISO/IEC 42001:2026 by CEN-CENELEC/JTC 21, Artificial Intelligence, whose secretariat is held by Danish Standards. The endorsement notice records that it was approved without any modification.

CEN-CENELEC · Brussels
By September 2026

Mandatory national status across 34 countries

Under the CEN-CENELEC Internal Regulations, the national standards bodies of 34 countries are bound to give it the status of a national standard — and to withdraw any conflicting national standard. Austria to the United Kingdom, including Iceland, Norway, Serbia, Switzerland, Türkiye and North Macedonia alongside the EU member states.

In progress now

A distinction worth holding onto, because it is routinely mangled: that obligation falls on the standards bodies, not on you. No company is required by this to do anything. What it changes is status — 42001 stops being an international standard your buyers might have heard of, and becomes the national standard in their country.

Certification

How organisations actually get certified.

42001 is certifiable, which makes it unusual among AI standards — most are frameworks or guidance with nothing to audit. Certification is a two-stage audit by an accredited certification body, and the path to it is well worn from ISO 27001.

Scope and role

Determine what your AI management system covers and what role you play — whether you develop, provide or use AI systems, and often several of these at once for different systems. Clause 4.1 makes this the first decision, and it is the one that shapes everything after it.

Risk, impact, and the SoA

Run an AI risk assessment and an AI system impact assessment — a separate obligation under Clause 6.1.4, and about consequences for people rather than risk to you. Select controls, write the Statement of Applicability, build the evidence.

Internal audit, then Stage 1 and 2

Gap analysis, internal audit and management review before an auditor arrives. Stage 1 tests readiness and documentation; Stage 2 tests whether the system actually operates. Then surveillance audits, and recertification.

What certification proves

That your organisation runs a management system for AI, that it is being followed, and that a third party has checked. That is a real and useful thing to be able to show a procurement team.

What it does not prove

That any particular model is safe, fair, accurate or lawful. 42001 certifies the system that governs your AI, not the AI. Anyone selling it as a safety certificate for a model has misread the standard, and an informed buyer will know.

EU AI Act

The honest version of the AI Act question.

You are being told that ISO/IEC 42001 gets you EU AI Act compliance. It does not, and the people who would know have said so in writing.

What is true

Article 17 of the AI Act requires providers of high-risk AI systems to operate a quality management system. Article 40 lets harmonised standards confer a presumption of conformity. 42001 is a genuine, rigorous management system standard, and the committee that adopted it as a European Standard — JTC 21 — is the same one writing the AI Act's harmonised standards under the Commission's request.

If you have implemented 42001 well, a large part of the organisational machinery an AI Act QMS needs already exists and is already audited.

What is not

ISO/IEC 42001 is not a harmonised standard cited in the Official Journal, and holding a 42001 certificate gives you no presumption of conformity with anything. The European position is explicit that 42001 does not cover the full set of the AI Act's quality management requirements — which is precisely why a separate European standard, prEN 18286, is being developed to do that job.

Treat 42001 as a very good head start on an AI Act QMS. Do not treat it as the finish line, and be careful of anyone who does.

The same discipline applies elsewhere. In the UK, where regulation is principles-based and delegated to existing sector regulators rather than a single AI act, an international standard carries more weight, not less — it is the shared reference a regulator can point at without legislating.

The family

42001 does not stand alone.

It is a management system standard, which means it tells you to have a process and leaves the method to other documents. Those documents exist, and knowing which one answers which clause is most of the implementation.

ISO/IEC 42006:2025 — certification bodies

What an auditor must be competent in, how impartiality is managed, and how audit time is calculated from your headcount, your systems and your regulatory exposure. Read it before you choose a certifier: it tells you what a credible audit looks like.

ISO/IEC 42005:2025 — AI system impact assessment

Clause 6.1.4 requires an impact assessment process. 42005 is how you do one, down to the documentation tables. The pairing is close to mandatory in practice.

ISO/IEC 23894 — AI risk management

Clause 6.1 requires AI risk management and the standard points at 23894 in a note. It is the method behind the requirement.

ISO/IEC 8183 — data life cycle framework

Annex A.7 is data for AI systems, and 42001 assumes a data life cycle exists and has owners. 8183 is the standard that defines what those stages are. See our ISO/IEC 8183 guide.

ISO/IEC 27001 and ISO 9001 — the skeleton

42001 uses the Harmonized Structure, so clauses 4 to 10 have the same shape as your existing management systems. If you are certified to 27001, you already own most of the scaffolding and can run a combined audit.

ISO/IEC 22989 — concepts and terminology

The vocabulary 42001 is written in. Disputes in an audit are surprisingly often disputes about what a word means.

Who wrote it

The work of expert committees, not a single author.

ISO/IEC 42001 was written by experts nominated through their national standards bodies, working in the subcommittee that produces the whole AI standards series. A management system standard that any organisation in any sector can be certified against has to survive scrutiny from every national body that will have to live with it — and it did, over more than three years.

ISO/IEC JTC 1/SC 42

The joint ISO and IEC subcommittee for artificial intelligence, established in 2017 and the source of the whole AI standards series — 42001, 42005, 42006, 23894, 8183, 5259, 22989. Its working groups draft; its national members vote.

National mirror committees

Every participating country runs a mirror committee that develops its national position and casts its vote. In the UK that is BSI's ART/1, Artificial Intelligence. Experts are nominated through their national body and serve in a personal, expert capacity.

Three years of ballots

Registered as a project in August 2020. Two committee draft consultations, comments resolved, referred back to the working group once, then a Draft International Standard ballot before publication in December 2023. Consensus is slow on purpose.

Which is why nobody should claim to have written ISO/IEC 42001. What people can honestly claim is participation — and participation is what tells you how the text is meant to be read, where the committee argued, and which words were chosen carefully.

Matthew Blakemore, AI standards practitioner and member of the BSI and ISO artificial intelligence committees, speaking on stage at an AI summit

BSI and ISO AI committees

Matthew Blakemore

Matthew was part of the standards work behind ISO/IEC 42001, through BSI's ART/1 committee — the UK national mirror committee for ISO/IEC JTC 1/SC 42 — and as a member of the ISO committees producing the AI standards series it belongs to.

He was also sub-editor of ISO/IEC 8183, the data life cycle framework that Annex A.7 leans on. That combination is the useful part: he can tell you not just what 42001 requires, but why the committee wrote it that way, and which of the surrounding standards actually answers the clause in front of you.

  • CommitteesMember, BSI and ISO artificial intelligence committees, including BSI ART/1
  • StandardSub-editor, ISO/IEC 8183 — Data life cycle framework
  • AdvisoryInnovate UK BridgeAI programme
  • CompanyChief Executive, AI Caramba!
  • FrameworkOriginator of the Snakes and Ladders AI Framework™
  • BookSnakes and Ladders: A Leader's Playbook for AI Strategy, Governance and Risk (forthcoming)

Questions

ISO/IEC 42001, answered.

What is ISO 42001?

ISO/IEC 42001:2023 is the international standard for artificial intelligence management systems, titled Information technology — Artificial intelligence — Management system. It sets out what an organisation must have in place to develop, provide or use AI responsibly: leadership, policy, risk assessment, impact assessment, controls, evidence, audit and improvement.

It is the first AI standard an organisation can actually be certified against, and the first to treat AI governance as a management system rather than a set of principles.

When was ISO 42001 published?

December 2023, as a first edition of 51 pages, by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 42, Artificial intelligence. The project had been registered in August 2020. It was approved as a European Standard, EN ISO/IEC 42001:2026, by CEN on 13 March 2026.

How many controls does ISO 42001 have?

Annex A contains 38 controls organised into nine control objectives, numbered A.2 to A.10: policies related to AI, internal organization, resources for AI systems, assessing impacts of AI systems, AI system life cycle, data for AI systems, information for interested parties, use of AI systems, and third-party and customer relationships.

The number matters less than people think. Annex A is a reference set, not a checklist — the standard states that not all of its objectives and controls are required to be used.

Are all 38 Annex A controls mandatory?

No, and this is the most common misunderstanding about the standard. Under Clause 6.1.3 you select controls that treat the risks your own assessment identified, compare your selection against Annex A to check you have not missed anything necessary, and then produce a Statement of Applicability justifying both inclusion and exclusion. You may also design controls of your own where Annex A does not reach.

In practice most organisations implement the majority of Annex A, because AI risk is broad and the controls are pitched at a high level. That should be a conclusion you reach, not an assumption you start from.

What is a Statement of Applicability in ISO 42001?

The document required by Clause 6.1.3 that lists the controls you have determined necessary and justifies why each is included or excluded. Exclusions can be justified where your risk assessment does not deem a control necessary, or where external requirements do not require it or provide an exception.

It is the spine of the audit. A certification body will confirm there is at least one Statement of Applicability per certification scope, and will test whether your risk assessment genuinely supports what it says.

Does ISO 42001 make you EU AI Act compliant?

No. ISO/IEC 42001 is not a harmonised standard cited in the Official Journal of the European Union, so it confers no presumption of conformity. The European position is explicit that 42001 does not cover the full set of the AI Act's quality management requirements, and a separate European standard — prEN 18286 — is being developed to fulfil them.

What is true is that Article 17 requires providers of high-risk AI systems to run a quality management system, and that a well-implemented AIMS gives you a great deal of the organisational machinery an AI Act QMS needs, already audited. Treat it as a head start, not a finish line.

How do you get ISO 42001 certified?

Through a two-stage audit by an accredited certification body. Determine your scope and your role under Clause 4.1; run an AI risk assessment and an AI system impact assessment; select controls and write the Statement of Applicability; implement clauses 4 to 10 and the controls you selected; run an internal audit and a management review; then Stage 1, which tests readiness and documentation, and Stage 2, which tests whether the system actually operates. Surveillance audits follow, then recertification.

ISO/IEC 42006:2025 governs the certification bodies themselves. It is worth reading before you choose one.

How long does ISO 42001 certification take?

It depends on what already exists. An organisation certified to ISO/IEC 27001 has the harmonised-structure scaffolding — scope, leadership, internal audit, management review — and is mostly adding the AI-specific parts. An organisation starting from nothing is building a management system as well as an AI one.

Audit duration is not a matter of opinion: ISO/IEC 42006 sets out how a certification body calculates audit time from the number of people involved in the AI life cycle, then adjusts it for the number of AI systems, how many are high-risk or sensitive, how many regulatory frameworks you sit under, how many third-party agreements are in scope, and how many controls you carry beyond Annex A.

ISO 42001 vs ISO 27001 — what is the difference?

ISO/IEC 27001 manages information security; ISO/IEC 42001 manages artificial intelligence. They share the Harmonized Structure, so clauses 4 to 10 have the same shape and audits can be combined, and both use a risk assessment feeding a Statement of Applicability against an Annex A of reference controls.

The substance differs where it matters. 42001 requires you to determine your role with respect to AI systems, and requires an AI system impact assessment — an assessment of consequences for individuals, groups and societies, not risk to your organisation. Information security has no direct equivalent of that obligation.

Does ISO 42001 certification prove my AI is safe?

No. It certifies the management system that governs your AI, not the AI itself. A certificate says a third party checked that you run a system for managing AI risk and that you follow it. It says nothing about whether a particular model is accurate, fair or safe.

That distinction is worth defending, because a certificate presented as a safety guarantee is exactly the sort of claim a regulator or a well-briefed procurement team will take apart.

Who wrote ISO 42001?

ISO/IEC JTC 1/SC 42, the joint ISO and IEC subcommittee for artificial intelligence established in 2017. Unlike smaller standards drafted by a handful of editors, a management system standard passes through working groups, two committee draft consultations, comment resolution and an international ballot, with every participating national body voting through its own mirror committee — BSI's ART/1 in the United Kingdom.

Experts participate in a personal and expert capacity, nominated through their national standards body.

Where can I buy ISO 42001?

From ISO, from the IEC, or from your national standards body — in the UK, BSI, as BS EN ISO/IEC 42001:2026. It is a copyrighted document and this site does not reproduce it. The list price from ISO at the time of writing is CHF 406.

Next

The standard is 51 pages. The judgement is the job.

Fifty-one pages will tell you a Statement of Applicability is required. They will not tell you which controls your risk assessment actually supports, what evidence an auditor accepts, how to scope an AIMS you can defend, or which of the surrounding standards answers the clause in front of you.