ISO 42001 in India: BIS Adoption, Certifications & Implementation
The Bureau of Indian Standards adopted ISO 42001 as a national standard. MeitY referenced it by name in Annexure 6 of its AI governance guidelines. KPMG India got certified by SGS in December 2025. Mphasis became the first Indian IT services firm to hold the credential. In just over two years since ISO published the standard, India has moved from awareness to adoption faster than most predicted.
What Is ISO 42001 and Why Does It Matter in India?
ISO 42001 is the international standard for AI management systems, and India has adopted it as a national standard through BIS (IS/ISO/IEC 42001:2023). MeitY references ISO 42001 in Annexure 6 of its November 2025 AI governance guidelines (MeitY 2025). KPMG India became one of the first major firms to certify, receiving ISO 42001 certification from SGS in December 2025 for its Gurugram and Noida offices (PRNewswire 2025).
The standard was published by ISO in December 2023 as ISO/IEC 42001:2023 (ISO 2023). It provides a certifiable management system for organizations that develop, provide, or use AI. The structure follows the same PDCA (Plan-Do-Check-Act) cycle used in ISO 27001 for information security and ISO 9001 for quality management. If your organization has gone through either of those certifications, the methodology will be familiar.
What makes ISO 42001 distinct from other AI governance frameworks is that it is auditable. MeitY's guidelines tell you what principles to follow. The EU AI Act tells you what is prohibited and what requires assessment. ISO 42001 gives you a structured system to demonstrate compliance with all of them, verified by an accredited third-party auditor.
For India specifically, two things make ISO 42001 significant:
- BIS adopted it as an Indian national standard. The designation IS/ISO/IEC 42001:2023 means BIS has formally endorsed it. MeitY's guidelines reference this adoption in Annexure 6, positioning ISO 42001 as the operational bridge between India's principles-based governance and certifiable practice (MeitY 2025).
- India's 1,800+ GCCs need a compliance credential that works across borders. A Global Capability Center in Bangalore building AI for a European client faces MeitY guidelines, DPDPA requirements, and EU AI Act obligations simultaneously. ISO 42001 certification demonstrates governance maturity to all three jurisdictions with a single audit (Zinnov/NASSCOM 2025).
BIS Adoption: IS/ISO/IEC 42001:2023
The Bureau of Indian Standards adopted ISO/IEC 42001:2023 as IS/ISO/IEC 42001:2023, making it an Indian national standard (BIS 2023). This is the same process BIS has used for hundreds of international standards, from IS/ISO 27001 for information security to IS/ISO 9001 for quality management.
MeitY's November 2025 AI governance guidelines explicitly reference this adoption. Annexure 6 of the guidelines lists ISO 42001 among the international standards that organizations should consider when building AI governance programs (MeitY 2025). This is not a passing mention. MeitY positions ISO 42001 as the certifiable pathway for operationalizing its seven sutras.
What the BIS adoption means in practice:
- Indian certification bodies can audit against the standard. Organizations do not need to engage international auditors, though many still choose global firms like SGS, BSI, or TUV for cross-border recognition.
- Government procurement may reference it. When public sector entities begin formalizing AI governance requirements, IS/ISO/IEC 42001:2023 gives them an existing national standard to point to.
- It signals regulatory direction. India's AI governance approach is voluntary today. BIS adoption of ISO 42001 creates a ready-made enforcement mechanism if the government ever decides to make AI governance certification mandatory for specific sectors or use cases.
Who Has Certified in India?
As of early 2026, two major organizations have publicly announced ISO 42001 certification in India.
KPMG is a Big Four firm with deep GCC and enterprise client relationships across India. Their certification sends a signal to the market: if KPMG considers ISO 42001 worth pursuing, the enterprises they advise will follow. The choice of SGS as certifier also matters because SGS has global recognition, which means KPMG's certification carries weight with international clients and regulators, not just Indian ones (PRNewswire 2025).
For Mphasis, the certification demonstrates that the organization's internal AI management processes meet the international standard (Analytics India 2025). This is particularly relevant for IT professionals pursuing governance credentials. As more IT services firms pursue ISO 42001, demand for professionals who understand both the standard and its implementation will grow.
The Certification Pipeline
These two certifications are the beginning. India's IT services industry, consulting sector, and GCC ecosystem are all evaluating ISO 42001 as clients and regulators begin asking about AI governance credentials. Organizations that certify early gain a first-mover advantage in client conversations where governance is a deciding factor. Professionals pursuing the AIGP certification or ISO 42001 Lead Implementer credential are well positioned to lead these implementation projects.
How ISO 42001 Maps to MeitY's 7 Sutras
MeitY's guidelines and ISO 42001 were developed independently, but the alignment is strong. Each of MeitY's seven sutras has corresponding controls or clauses in ISO 42001 that provide the operational mechanism for implementation (MeitY 2025; ISO 2023).
| MeitY Sutra | Requirement | ISO 42001 Mapping | How It Operationalizes |
|---|---|---|---|
| 1. Trust is the Foundation | Verifiable systems, evidence of responsible development | Clause 9 (Performance Evaluation), Clause 10 (Improvement) | Internal audits, management review, continual improvement cycles provide documented trust evidence |
| 2. People First | Human-centric design, human oversight of AI decisions | Annex A.9 (Use of AI Systems), A.6.2.6 (Operation & Monitoring) | Controls require defined oversight roles, escalation thresholds, and override procedures |
| 3. Innovation over Restraint | Responsible innovation takes precedence over caution | Clause 6 (Planning), Annex A.5 (Assessing Impacts of AI Systems) | Risk-based planning enables innovation by identifying and managing specific risks rather than applying blanket restrictions |
| 4. Fairness & Equity | Bias mitigation, equitable treatment, caste and gender safeguards | Annex A.5 (Assessing Impacts of AI Systems) | Systematic fairness assessment and ongoing bias monitoring with documented mitigation steps |
| 5. Accountability | Clear ownership, responsibility assignment, audit trails | Clause 5.3 (Roles and Responsibilities), Clause 9.2 (Internal Audit) | Formal assignment of AI governance roles and regular audit cycles with documented findings |
| 6. Understandable by Design | Explainable systems, disclosure of AI involvement | Annex A.8 (Information for Interested Parties), Clause 7.5 (Documented Information) | Complete documentation of AI system behavior, decisions, data sources, and limitations |
| 7. Safety, Resilience & Sustainability | Risk management, testing, incident response | Clause 8 (Operation), Annex A.6.2 (AI System Lifecycle) | Operational controls across the full AI lifecycle from design through decommissioning, connecting to broader data governance lifecycle requirements |
The practical value of this mapping: if you are building an AI governance program in India based on MeitY's sutras, ISO 42001 gives you the "how." The sutras tell you the principles. The standard tells you what documentation, processes, and controls to put in place. Organizations needing ready-made frameworks can start with free AI governance templates that align controls to both MeitY sutras and ISO 42001 clauses.
For organizations already working toward EU AI Act compliance, this mapping matters even more. ISO 42001 is being considered as a harmonized standard under the EU AI Act, which means a single ISO 42001 certification could simultaneously demonstrate alignment with MeitY's sutras, EU AI Act requirements, and international best practice (EU Parliament 2024).
Implementation Timeline
A typical ISO 42001 implementation for a mid-size organization in India takes three to six months, depending on the maturity of existing management systems (ISO 2023).
- Define scope: AI systems, business units, locations
- Conduct gap analysis against ISO 42001 requirements
- Build AI system inventory (including third-party AI tools and APIs)
- Organizations with ISO 27001/9001 find significant overlap
- Draft AI policy (Clause 5.2)
- Complete AI impact assessments (Annex A.5)
- Implement relevant Annex A controls
- Assign AI governance roles (Clause 5.3)
- Prepare Statement of Applicability
- Run system for at least one full cycle
- Conduct internal audit (Clause 9.2)
- Management review (Clause 9.3)
- Stage 1 audit: documentation review
- Stage 2 audit: on-site assessment
- Certification decision issued
Organizations with mature ISO 27001 implementations can sometimes compress this to three months because the management system infrastructure (document control, internal audit, management review, corrective action processes) already exists.
Why GCCs Pursue ISO 42001 Certification
Global client requirements are shifting. When a European pharmaceutical company asks its Hyderabad GCC whether the AI models built there comply with the EU AI Act, the GCC needs a verifiable answer. ISO 42001 certification provides that answer in a format that European compliance teams recognize. The same certification simultaneously demonstrates alignment with MeitY's guidelines for Indian regulatory purposes.
Multi-jurisdiction bridge. A GCC building AI for clients in the US, EU, and India faces three distinct governance frameworks: NIST AI RMF (US), EU AI Act (Europe), and MeitY guidelines (India). ISO 42001 is recognized across all three. Implementing one management system is significantly less expensive than building separate compliance programs for each jurisdiction.
Competitive differentiation. In the IT services market, governance credentials are becoming selection criteria. When two vendors offer similar technical capabilities, the one with ISO 42001 certification demonstrates lower governance risk for the client. KPMG's early certification and Mphasis's move as the first IT services firm to certify are strategic positioning plays, not just compliance exercises. The AI governance careers landscape reflects this shift, with certified professionals commanding salary premiums.
Internal discipline. The certification process forces organizations to document their AI systems, assign clear ownership, conduct impact assessments, and establish monitoring. Many organizations discover during implementation that they have AI systems no one is formally responsible for, or that their risk assessment processes have gaps. The standard creates the structure to fix these issues, including formal AI management system documentation that auditors expect.
ISO 42001 as a Multi-Framework Bridge
One of the most practical reasons to pursue ISO 42001 in India is that it satisfies requirements across multiple frameworks simultaneously. Here is how the standard maps to the three major governance frameworks Indian organizations encounter (ISO 2023; MeitY 2025; EU Parliament 2024; NIST 2023).
| Requirement Area | ISO 42001 | MeitY Guidelines | EU AI Act | NIST AI RMF |
|---|---|---|---|---|
| Risk management | Clause 6 + Annex A.5 | Sutra 7 (Safety, Resilience & Sustainability) | Article 9 | MANAGE function |
| Bias and fairness | Annex A.5 (Assessing Impacts) | Sutra 4 (Fairness & Equity) | Article 10 | MAP 2.3 |
| Transparency | Annex A.8 (Information for Interested Parties), Clause 7.5 | Sutra 6 (Understandable by Design) | Article 13 | GOVERN 4.1 |
| Human oversight | Annex A.9 (Use of AI Systems), A.6.2.6 (Operation & Monitoring) | Sutra 2 (People First) | Article 14 | GOVERN 1.4 |
| Accountability | Clause 5.3, Clause 9.2 | Sutra 5 (Accountability) | Article 17 | GOVERN 1.1 |
| Technical robustness | Annex A.6.2 (Lifecycle) | Sutra 7 (Safety, Resilience & Sustainability) | Article 15 | MEASURE function |
| Documentation | Clause 7.5 | All sutras (evidence basis) | Annex IV | All functions |
This is not theoretical alignment. The overlapping requirements mean that an organization that implements ISO 42001 properly has already done 60-80% of the work needed for EU AI Act conformity assessment, MeitY guideline alignment, and NIST AI RMF mapping. The remaining gaps are jurisdiction-specific details (DPDPA data localization rules, EU AI Act prohibited practices, NIST-specific reporting formats) that sit on top of the ISO 42001 foundation.
For GCC compliance teams, this is the core argument: one implementation, multiple frameworks covered.
Is ISO 42001 Mandatory in India?
No. ISO 42001 certification is voluntary in India. MeitY's AI governance guidelines are themselves non-binding (PIB 2025), and the reference to ISO 42001 in Annexure 6 is a recommendation, not a mandate.
That said, "voluntary" does not mean "irrelevant." Here is why the mandatory/voluntary distinction matters less than it appears:
Sector regulators may require it. The RBI's FREE-AI Committee Report (2025) already calls for board-approved AI policies and incident reporting. As sector regulators develop more specific AI governance requirements, ISO 42001 certification gives organizations a pre-built compliance framework. If the RBI or SEBI ever mandates a certifiable AI governance standard, IS/ISO/IEC 42001:2023 is the obvious candidate because it is already an Indian national standard.
Client contracts are making it de facto mandatory. For IT services companies and GCCs, client requirements increasingly include AI governance credentials. A "voluntary" standard becomes functionally mandatory when your largest clients will not award contracts without it.
Insurance and liability. As AI-related litigation increases, organizations with ISO 42001 certification can demonstrate due diligence. In legal proceedings involving AI system failures, having a certified management system is a stronger defense than having no formal governance framework.
Government procurement direction. India's public sector is one of the largest AI buyers. As government entities begin formalizing AI procurement criteria, IS/ISO/IEC 42001:2023 provides a ready-made evaluation benchmark. Organizations that certify early will be positioned when these requirements formalize.
The practical recommendation: treat ISO 42001 as a strategic investment rather than a compliance checkbox. The certification itself costs less than the governance gaps it reveals and fixes during implementation.
Getting Started
For organizations considering ISO 42001 in India, the starting point depends on current maturity.
Certification bodies active in India for ISO 42001 include SGS (which certified KPMG India), BSI, TUV, and Bureau Veritas. Engage a certification body early for a pre-assessment to understand the audit scope and timeline.
Sources & References (11)
- India AI Governance Guidelines (Full PDF) -- MeitY / IndiaAI Mission (Nov 2025) Primary pib.gov.in
- KPMG in India Receives ISO 42001 Certification from SGS -- PRNewswire / SGS (Dec 2025) Primary prnewswire.com
- ISO/IEC 42001:2023 -- Artificial Intelligence Management System -- ISO (Dec 2023) Primary iso.org
- BIS Standards Portal -- IS/ISO/IEC 42001:2023 -- Bureau of Indian Standards (2023) Primary services.bis.gov.in
- Mphasis Achieves ISO 42001:2023 Certification -- Analytics India Magazine (2025) Secondary analyticsindiamag.com
- EU AI Act Full Text -- European Parliament (Jul 2024) Primary eur-lex.europa.eu
- NIST AI Risk Management Framework -- National Institute of Standards and Technology (Jan 2023) Primary nist.gov
- MeitY Press Release -- AI Governance Guidelines -- Press Information Bureau (Nov 2025) Primary pib.gov.in
- Zinnov-NASSCOM India GCC Landscape Report -- Zinnov / NASSCOM (2025) Primary zinnov.com
- India vs Global AI Acts Comparison -- National Law Review (Dec 2025) Secondary natlawreview.com
- NASSCOM Strategic Review 2026 -- NASSCOM (Feb 2026) Primary nasscom.in