How long does ISO 42001 implementation take?

Typical timelines range from 4-18 months depending on organization size and existing maturity. Small organizations: 4-6 months. Mid-market: 6-9 months. Enterprise: 9-18 months. Organizations with existing ISO 27001 certification typically complete significantly faster.

ISO/IEC 42001:2023 | AI Management System Standard

ISO 42001
Resource Center

Q: What is ISO 42001?

ISO/IEC 42001:2023 is the world's first international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, it provides a certifiable framework for responsible AI development, deployment, and governance. It follows the same Harmonized Structure as ISO 27001, making integration straightforward for organizations with existing management systems.

Q: How is ISO 42001 different from ISO 27001?

Both share the same management system structure (Clauses 4-10), but ISO 42001 adds AI-specific requirements: impact assessments for AI systems, data governance for training data, AI lifecycle controls, and transparency obligations. If you already hold ISO 27001, roughly 50-60% of the management system foundation transfers directly.

Q: What are the 38 controls in Annex A?

Annex A organizes 38 controls into 9 groups covering AI policy, governance structure, resource management, impact assessment, lifecycle management, data governance, stakeholder transparency, responsible use, and third-party relationships. Organizations select which controls apply based on their risk assessment and justify exclusions in a Statement of Applicability.

Q: How much does ISO 42001 certification cost?

Estimated costs vary significantly: Small/Startup: $15K-$40K. Mid-Market: $40K-$120K. Enterprise: $120K-$500K+. These are industry-reported ranges that include consulting, implementation, and audit fees. Certification is valid for 3 years with annual surveillance audits.

Q: Does ISO 42001 help with EU AI Act compliance?

Yes. ISO 42001's risk management, impact assessment, transparency, and data governance controls align directly with EU AI Act requirements for high-risk systems under Annex III. The European Commission can recognize harmonized standards as compliance pathways.

Master AI governance from framework to certification. Interactive readiness tools, implementation tracker, 38-control reference, and documentation templates. Everything you need to build and certify your AI management system.

Take Readiness Test → Explore 38 Controls Download Templates

Controls

Clauses

Annexes

Dec 2023

Published

50+

Templates

Why ISO 42001 Matters Now

AI regulation is accelerating globally. The EU AI Act, formally adopted in 2024, creates binding obligations with penalties up to 7% of global turnover for prohibited AI practices (3% for other violations). According to Arize AI's research, 281 Fortune 500 companies now classify AI as a significant business risk (a 473% increase since 2022). ISO 42001 gives you a certifiable structure where chaos currently exists.

Regulatory Pressure

The EU AI Act timeline shows enforcement already underway. US states are actively legislating AI, with California's SB 1001 (bot disclosure) among the earliest. Singapore's Model AI Governance Framework was among the earliest national AI governance frameworks. Organizations that can demonstrate governance readiness win contracts and avoid enforcement.

473% increase in Fortune 500 AI risk disclosures

The Trust Gap

A McKinsey Global AI Trust Maturity Survey found that companies implementing responsible AI practices report improved business efficiency (42%), increased consumer trust (34%), and fewer AI incidents (22%). Yet most organizations still lack formal AI system inventories, documented risk assessments, or impact analysis processes.

42% report improved efficiency with responsible AI

Competitive Advantage

Microsoft, AWS, and Google Cloud have all achieved ISO 42001 certification. K&L Gates became one of the first law firms globally. Most organizations surveyed plan to invest over $1 million in responsible AI in the coming year.

Most orgs plan $1M+ responsible AI investment (McKinsey)

The Three Problems ISO 42001 Solves

Traditional IT management fails with AI for three fundamental reasons. ISO/IEC 42001:2023 was built specifically to address these challenges through its 38 controls and management system structure. As EY notes, the standard "paves the way for ethical AI" by creating accountability where none previously existed.

The Black Box Problem

AI systems make decisions that humans can't always explain. ISO 42001 requires transparency documentation (A.8.2), impact assessments (A.5), and user information that makes AI outputs accountable, not just accurate.

Explainable AI Guide →

The Drift Problem

Models change behavior after deployment. Data distributions shift. Performance degrades. Control A.6.2.6 requires ongoing monitoring, and Clause 9 builds a measurement framework that catches drift before your customers do.

Explore A.6 Controls →

The Scale Problem

AI decisions happen at machine speed across millions of interactions. A biased model doesn't discriminate once. It discriminates at scale. ISO 42001's data governance controls (A.7) and impact assessments (A.5) are designed for systems that operate at volume.

Understanding AI Bias →

Practical Value for Organizations

Here's what actually changes when organizations implement ISO 42001. First, accountability becomes crystal clear: the product owner decides if an AI system gets deployed, the data team ensures quality standards, legal reviews impact assessments. No more finger-pointing when something breaks. Second, you get a paper trail that auditors and regulators actually understand. The standard requires documenting data sources, model limitations, and incident response plans. Third, it forces uncomfortable conversations early. Can we explain this decision to a customer? What if the training data contains hidden biases? Who's liable if our vendor's AI fails?

According to McKinsey's State of AI report, organizations are already reshaping workflows as they deploy gen AI, with 21% reporting they have fundamentally redesigned at least some workflows. ISO 42001 provides the governance structure to do this responsibly.

ISO 42001 Documentation Toolkit

Everything you need to document your AIMS: policy templates, procedures, records, statement of applicability, and audit evidence guides. Built by practitioners, aligned with every clause.

Download Templates Bundle → Read Documentation Guide →

Who's Already Certified?

The early adopters reveal ISO 42001's strategic value. Microsoft (M365 Copilot), Amazon Web Services, and Google Cloud achieved certification across their AI services. K&L Gates became one of the first law firms globally. AI Clearing achieved certification through SGS. These aren't just compliance exercises. They're competitive positioning moves. As the Cloud Security Alliance notes, lessons from early implementations are already shaping best practices for the broader market.

Explore the Standard

Choose a topic to begin your exploration. Each area builds on the others. Start wherever matches your current need.

The Standard

10 clauses and 4 annexes that define the AI management system structure.

Controls Reference

38 controls across 9 groups, searchable, filterable, with implementation guidance.

Implementation Guide

An estimated 28-week path from gap analysis to certified AI management system (TJS estimate based on industry benchmarks).

Framework Connections

How ISO 42001 maps to EU AI Act, NIST AI RMF, ISO 27001, and SOC 2.

Certification

Who certifies, what it costs, how long it takes, and what to expect.

Resources

Templates, research papers, training courses, and links to related TJS hubs.

Start Here

Step 1

Take the Readiness Test

Answer 8 questions to see where your organization stands. Get a personalized score and recommended next steps.

Step 2

Follow the Journey Tracker

An estimated 28-week, phase-by-phase path with checkable deliverables. Track your progress from gap analysis to certified.

Step 3

Build Your Documents

Interactive checklist of every document ISO 42001 requires. Know exactly what to produce and when.

AI raises specific management considerations that go beyond classical IT systems: automatic decision-making that's sometimes non-transparent, systems that learn and change their behavior during use, and development driven by data analysis rather than human-coded logic. ISO 42001 was built to address these exact problems.

Paraphrased from ISO/IEC 42001:2023, Introduction

The Standard

ISO/IEC 42001 follows the Harmonized Structure shared by all ISO management system standards (the same clause numbering used in ISO 27001, ISO 9001, and ISO 27701). It contains 10 clauses and 4 annexes. Click any clause to explore what it covers.

If your organization already operates ISO 27001, you'll recognize the clause structure immediately. ISO 42001 adds AI-specific requirements on top of the familiar Plan-Do-Check-Act foundation.

Clauses

ISO 42001 Clauses Overview

ISO/IEC 42001:2023 follows the Harmonized Structure shared by all ISO management system standards. Clauses 4 through 10 define the AI management system requirements.

Clause 4: Context of the Organization

Figure out where your organization sits in the AI landscape. Map your external environment, identify who cares about your AI systems, and draw clear boundaries around what your management system covers.

Identify external and internal factors that affect your AI operations
Document who your interested parties are and what they expect
Define the scope of your AI management system
Map how AI systems fit within your broader organizational context

Clause 5: Leadership

This is where the executives stop delegating and start owning. Top management must visibly commit to AI governance, set the AI policy, and assign clear accountability.

Top management demonstrates active commitment to the AIMS
An AI policy gets created that aligns with organizational strategy
Specific roles and authorities for AI governance are assigned and communicated
Resources are allocated (not just promised)

Clause 6: Planning

The risk engine of the standard. Define how you identify, assess, and treat AI risks. Set measurable objectives. Plan for impact assessments. This clause drives most of the actual work in Annex A.

Build a repeatable AI risk assessment process
Create a risk treatment plan that maps to Annex A controls
Set AI objectives that are measurable and tracked
Define a process for AI system impact assessments (per 6.1.4)

Clause 7: Support

People, communication, and paperwork. Make sure the humans running your AI governance actually know what they're doing, that information flows to the right places, and that your documentation is controlled.

Provide the resources your AIMS actually needs to function
Ensure people working on AI are competent through training or experience
Set up communication channels for AI governance (internal and external)
Control your documented information so it stays current and accessible

Clause 8: Operation

Where planning meets reality. Implement the controls you selected, run your risk assessments on schedule, conduct impact assessments when AI systems change, and keep outsourced AI processes under control.

Implement the Annex A controls your risk treatment plan identified
Run AI risk assessments at planned intervals and when significant changes happen
Conduct AI system impact assessments for deployment and foreseeable misuse
Control externally provided AI processes, products, and services

Clause 9: Performance Evaluation

Measure whether your AI management system actually works. Internal audits, management reviews, and performance monitoring all live here. This is what tells you if Clauses 4 through 8 are doing their job.

Monitor and measure AI system performance against your objectives
Run internal audits of the AIMS at planned intervals
Management reviews happen on schedule with defined inputs and outputs
Evaluate whether the AIMS is effective or just documented

Clause 10: Improvement

When things break (and they will), fix them. When audits find nonconformities, address the root cause. The standard expects your AIMS to get better over time, not just exist.

React to nonconformities with root-cause analysis and corrective action
Drive continual improvement (not just reactive fixes)
Update risk assessments when incidents or changes warrant it
Document what went wrong and what you did about it

Annexes

Controls Reference

Annex A defines 38 controls across 9 groups. Search or browse by group to find implementation guidance for each control.

ISO 42001 Annex A Controls Reference

The 38 controls in Annex A are organized into 9 groups. Each control is described below in TJS's own interpretation. Control IDs reference ISO/IEC 42001:2023 Table A.1.

A.2 |AI Policies

A.2.2: AI Policy

Create and maintain a documented AI policy that gives your organization a framework for setting and measuring AI objectives.

Your AI policy needs to reflect your actual business strategy, risk appetite, and the regulatory landscape you operate in. It's the top-level document that everything else in the AIMS traces back to. Clause 5.2 sets the leadership requirements for this policy.

A.2.3: Policy Alignment Across the Organization

Check where your existing organizational policies intersect with or apply to your AI objectives. Don't build AI governance in a silo.

If you already have an information security policy (ISO 27001), a quality policy (ISO 9001), or a privacy policy (ISO 27701), this control asks you to identify the touchpoints. AI governance doesn't replace those policies. It connects to them.

A.2.4: AI Policy Review Cycle

Review your AI policy on a defined schedule and whenever significant changes happen. Policies that aren't reviewed become artifacts, not governance.

Set a review cadence (annually is common) and trigger ad-hoc reviews when your AI landscape shifts. New AI system types, regulatory changes, or incidents should all prompt a review.

A.3 |Governance Structure

A.3.2: AI Governance Roles & Accountability

Define who owns what in your AI governance structure. Every accountability gap is a risk the auditor will find.

This goes beyond org charts. You need documented ownership for risk management, impact assessments, development oversight, data quality, security, and human oversight of AI systems. The NIST AI RMF GOVERN function maps directly here (per the official crosswalk document, Govern 2.1).

A.3.3: Concern Reporting Channels

Give people a way to raise concerns about your AI systems throughout their lifecycle. Not a suggestion box. A defined, documented process.

This is the whistleblower mechanism for AI governance. Someone notices the model is producing biased outputs, or the training data looks problematic. There needs to be a clear path to report it, and it needs to go somewhere that matters.

A.4 |Resources for AI Systems

A.4.2: AI Resource Inventory & Documentation

Identify and document what resources your AI systems need at each lifecycle stage. Data, tools, compute, people.

This isn't a budget exercise. It's an inventory of dependencies. What data feeds this model? What tools built it? What infrastructure runs it? When you need to audit or change the system, this documentation is what makes it possible.

A.4.3: Data Resources

Document specific information about the data your AI systems use. Sources, characteristics, limitations.

Where does the data come from? How was it collected? What does it represent, and what doesn't it represent? This control pairs with A.7 (Data for AI Systems) but focuses on the resource inventory angle.

A.4.4: Tooling Resources

Document the tools and frameworks used to build, train, test, and deploy your AI systems.

Version numbers matter here. The tooling choices you made during development become audit evidence later.

A.4.5: System and Computing Resources

Document the infrastructure and computing environment your AI systems run on.

Cloud provider, hardware specs, scaling characteristics. Changes to computing resources can affect model behavior, so this needs to be tracked.

A.4.6: Human Resources

Document the people involved in your AI systems and their competencies. Development, deployment, operations, oversight.

Maps directly to Clause 7.2 (Competence). The NIST AI RMF crosswalk connects this to MAP 1.2, which calls for interdisciplinary teams with diverse expertise.

A.5 |AI Impact Assessment

A.5.2: Impact Assessment Process for AI

Build a formal process for evaluating how your AI systems might affect people and communities. This isn't optional. Clause 6.1.4 requires it.

The assessment covers both intended use and foreseeable misuse. It accounts for the specific technical and societal context where the AI system operates. Results feed back into your risk assessment process (Clause 6.1.2). The NIST crosswalk maps this to MAP 1.1.

A.5.3: Impact Assessment Records & Disclosure

Keep records of your impact assessments, their findings, and make relevant results available to interested parties when appropriate.

Not every result is public. The organization decides which parties see which results. But the documentation itself must exist and be retained for a defined period.

A.5.4: Individual & Group Impact Evaluation

Specifically evaluate how your AI systems affect individual people or identifiable groups throughout the system's lifecycle.

This is where bias, discrimination, and fairness concerns get formally addressed. It's not enough to say "we tested for bias." You need a documented assessment of impacts on actual population groups.

A.5.5: Broader Societal Impact Evaluation

Look beyond individual impacts. How do your AI systems affect society, communities, or public interests at a broader level?

Environmental impact, labor displacement, social equity, democratic processes. The scope here is deliberately broad because AI systems operate at scales that amplify societal effects.

A.6 |AI Lifecycle Management

A.6.1.2: Responsible Development Objectives

Define and document what "responsible" looks like for your specific AI development process. Then actually build those objectives into how you develop systems.

This isn't an aspirational statement. These objectives need to be measurable and integrated into development workflows. The NIST crosswalk maps this to GOVERN 1.2 and GOVERN 4.1.

A.6.1.3: Responsible Design & Development Processes

Document the specific processes your organization follows for responsible AI design and development.

Testing protocols, review gates, approval workflows, documentation requirements at each stage. This is the engineering governance layer.

A.6.2.2: Requirements & Specification

Specify and document requirements for new AI systems or material enhancements to existing ones. This covers functional, performance, safety, and governance requirements.

Requirements documentation is the baseline that verification and validation (A.6.2.4) tests against. If you haven't documented what the system should do, you can't prove it does it. This feeds into deployment decisions (A.6.2.5) and ongoing monitoring (A.6.2.6).

A.6.2.3: Design & Development Records

Document how your AI systems are designed and developed. This includes architecture decisions, design rationale, development methodology, and the approaches used for responsible AI outcomes.

This is the engineering record that connects your responsible AI objectives (A.6.1.2) to actual implementation. Fairness metrics, bias testing protocols, explainability methods \u2014 all documented here as part of the design record.

A.6.2.4: Verification & Validation

Define how you verify that AI systems meet their requirements and validate that they work as intended before deployment.

Verification: did we build it right? Validation: did we build the right thing? Both need documented measures. The NIST crosswalk connects this to GOVERN 4.3 (testing and identification of incidents).

A.6.2.5: Deployment Planning & Approval

Document a deployment plan and ensure AI system requirements are met prior to deployment. This covers deployment criteria, approval gates, and rollback procedures.

Deployment isn't just shipping code. This control requires you to verify the system meets its requirements (A.6.2.2) and has passed verification and validation (A.6.2.4) before it goes live. Document the criteria for go/no-go decisions.

A.6.2.6: Ongoing Operations & Monitoring

Document what ongoing operation looks like. At minimum: system monitoring, performance tracking, updates, and support processes.

Models drift. Data distributions shift. Deployment environments change. This control ensures you're watching for those changes and have processes to respond.

A.6.2.7: Technical Documentation for Stakeholders

Determine what technical documentation is needed for interested parties throughout the AI system lifecycle. This includes documentation for users, operators, and oversight bodies.

This is about making AI systems understandable to the people who need to understand them. What technical documentation do users need? What do auditors need? What do regulators need? Define it and produce it.

A.6.2.8: Event Log & Audit Trail Requirements

Decide which lifecycle phases need event logging enabled. At minimum, logging must be active when the AI system is in use.

Audit trails for AI decisions. When something goes wrong (or a regulator asks), you need to show what the system did, when, and with what inputs.

A.7 |AI Data Governance

A.7.2: Training & Development Data Management

Define and document how you manage data used to build and improve your AI systems. Training data, test data, validation data.

Data management in AI isn't just storage. It covers selection, preprocessing, labeling, splitting, versioning, and retirement. Every choice affects model behavior.

A.7.3: Data Acquisition & Selection

Document where your AI data comes from and how it was selected. Provenance starts at acquisition.

Did you scrape it? Buy it? Generate it? Collect it from users? Each source carries different legal, ethical, and quality implications.

A.7.4: Data Quality Standards & Verification

Set data quality requirements and verify that the data you use actually meets them. Garbage in, governance failure out.

Accuracy, completeness, timeliness, relevance, representativeness. Define what "good enough" means for each AI system, then prove your data meets that bar.

A.7.5: Data Provenance

Track where your data came from, what happened to it along the way, and maintain that lineage over the life of both the data and the AI system.

This is the chain of custody for AI data. When an auditor asks "where did this training set come from and how was it transformed?" you need an answer.

A.7.6: Data Preparation Methods

Document your criteria for selecting data preparation methods and the methods themselves.

Feature engineering, normalization, augmentation, cleaning. The choices you make here are design decisions that affect model fairness and performance.

A.8 |Transparency & Stakeholder Communication

A.8.2: User-Facing Documentation

Give users of your AI system the information they need to understand and use it appropriately.

What does the system do? What are its limitations? What inputs does it expect? What should users NOT use it for? The EU AI Act has parallel requirements here for high-risk systems.

A.8.3: External Feedback & Reporting Channels

Give interested parties a way to report problems with your AI system. Adverse impacts, unexpected behavior, concerns.

This is the external counterpart to A.3.3 (internal reporting of concerns). If your AI system affects people outside your organization, they need a feedback mechanism.

A.8.4: Incident Communication Planning

Have a plan for telling users when something goes wrong with the AI system. Not if. When.

Incident communication is different from incident response. This is about the communication plan: who gets told, how fast, through what channels, with what detail.

A.8.5: Stakeholder Information Obligations

Determine what information you owe to which interested parties about your AI systems, and document those obligations.

Regulators, customers, affected communities, partners. Each may have different information rights. This control asks you to map them explicitly.

A.9 |Responsible AI Usage

A.9.2: Responsible Use Governance

Define how your organization uses AI systems responsibly, consistent with your AI policy.

This is the operational governance layer for AI consumption. It applies whether you built the AI or bought it. Using a third-party API? You still need responsible use processes.

A.9.3: Responsible Use Objectives

Identify and document objectives that guide the responsible use of AI systems within your organization. These objectives should be consistent with your AI policy.

This is the objectives layer for responsible use \u2014 parallel to A.6.1.2 (objectives for responsible development). You need documented, measurable objectives that define what responsible use looks like in your specific context.

A.9.4: Enforcing Intended Use

Make sure AI systems are used the way they were designed to be used, per their documentation.

Scope creep in AI usage is a real risk. A model built for one purpose gets repurposed for another. This control says: document the intended use and enforce it.

A.10 |Third-Party & Customer Governance

A.10.2: Shared Responsibility Agreements

When third parties are involved in your AI system lifecycle, make sure everyone knows who is responsible for what.

Shared responsibility models fail when the sharing isn't documented. If your cloud provider hosts the model, your vendor supplied the training data, and your team built the pipeline, who owns the bias assessment?

A.10.3: Supplier Due Diligence

Build a process to verify that your AI suppliers align with your responsible AI approach.

Supplier due diligence for AI goes beyond procurement. Do their practices match your AI policy? Do they provide the transparency you need for your own compliance obligations?

A.10.4: Customer Expectations & Compliance

Factor your customers' expectations and needs into how you develop and deploy AI systems.

If your customers are subject to AI regulations (like the EU AI Act), their compliance requirements flow upstream to you. This control ensures you're accounting for that.

Implementation Guide

A realistic roadmap from zero to certified. Each phase builds on the last. Skip none.

Organizations with an existing ISO 27001 implementation typically complete ISO 42001 certification significantly faster due to shared management system foundations.

Framework Connections

ISO 42001 doesn't exist in isolation. See how it maps to other major AI and security frameworks, and where each has unique coverage.

Certification

Everything you need to know about getting certified, from choosing a certification body to passing your Stage 2 audit.

The Certification Journey

Cost Expectations

Certification costs vary significantly based on organization size, AI system complexity, and existing management system maturity. The following are estimated industry-reported ranges that include consulting, implementation, and audit fees.

Organization Size	Cost Range	Typical Timeline	Key Factor
Small / Startup	$15K – $40K	4 – 6 months	Limited AI systems scope
Mid-Market	$40K – $120K	6 – 9 months	Multiple AI applications
Enterprise	$120K – $500K+	9 – 18 months	Complex multi-system operations

Certification is valid for 3 years, but annual surveillance audits are required to maintain it. Budget for ongoing compliance, not just initial certification.

Certification Bodies

Major certification bodies offering ISO 42001 audits include BSI, LRQA, Bureau Veritas, SGS, and TÜV. Choose a body accredited by your national accreditation authority (e.g., UKAS in the UK, ANAB in the US) for international recognition. Microsoft, AWS, and Google Cloud have all achieved certification through these bodies.

Readiness Test

Answer 8 questions about your organization's current state. Get a personalized readiness score and recommended next steps for ISO 42001 certification.

Journey Tracker

Track your progress from gap analysis to certification. Check off deliverables as you complete them. Your progress is saved automatically.

0 of 0 deliverables completed

ISO 42001 Certification Journey: 28-Week Implementation Roadmap

A phase-by-phase path from gap analysis to ISO 42001 certification, with specific deliverables at each stage.

Phase 1: Gap Analysis & Scoping (Weeks 1�4)

Assess where your organization stands today against ISO 42001 requirements. This phase sets the foundation for everything that follows.

AI System Inventory: Catalog every AI system in scope � name, purpose, data sources, risk level, owner.

Common Pitfall: Don't underscope. If you exclude AI systems now and regulators ask about them later, your certification won't cover the gap.

Phase 2: AI Policy & Risk Framework (Weeks 5�8)

Establish the governance foundation. Your AI policy, risk methodology, and treatment plan are what leadership signs off on.

AI Policy: Documented policy that reflects your business strategy, risk appetite, and AI landscape. Needs executive approval.

Common Pitfall: Don't copy a generic policy template. Auditors look for evidence that the policy reflects your specific AI context, not boilerplate.

Phase 3: Control Implementation (Weeks 9�16)

The build phase. Implement the Annex A controls your risk treatment plan identified, develop procedures, and train your people.

AI Impact Assessment Process: Formal process for evaluating AI system impacts on individuals, groups, and society. Required by Clause 6.1.4.

Common Pitfall: Don't implement all 38 controls at the same intensity. Use your risk assessment to prioritize � higher-risk AI systems need deeper controls.

Phase 4: Internal Audit & Review (Weeks 17�20)

Audit your own system before the certifiers do. Find and fix issues while the stakes are low.

Internal Audit Plan: Scope, criteria, schedule, and auditor assignments. Auditors must be independent from what they audit.

Common Pitfall: Don't let the people who built the system audit it. Internal auditors need independence from the implementation team.

Phase 5: Stage 1 Audit (Weeks 21�22)

The certification body reviews your documentation. They're checking readiness, not certifying yet.

Certification Body Selected: Choose an accredited CB (BSI, LRQA, Bureau Veritas, SGS, T\u00dcV). Verify accreditation with your national body (UKAS, ANAB).

Common Pitfall: Stage 1 is not a formality. Significant documentation gaps here can delay your Stage 2 by months.

Phase 6: Stage 2 & Certification (Weeks 23�28)

The full audit. On-site evidence review, staff interviews, and process verification. If you pass, you're certified for 3 years.

Staff Interview Preparation: Brief key staff on the AI policy, their roles, and relevant procedures. They need to explain governance in their own words.

Common Pitfall: Staff interviews are where many organizations stumble. If your people can't explain the AI policy in their own words, auditors notice.

Your progress is saved in your browser. You can close this page and come back anytime. Your checkmarks will still be here.

Document Builder

Every document ISO 42001 requires or recommends, organized by clause. Track what you've produced and what's still needed.

Documents marked Required are explicitly demanded by the standard or needed for audit evidence. Recommended documents aren't strictly mandated but auditors expect them. Optional documents strengthen your AIMS but aren't audit-critical.

ISO 42001 Documentation Requirements Checklist

Every document ISO/IEC 42001 requires or recommends for certification, organized by clause.

Clause 4: Context

AIMS Scope Statement (Clause 4.3) - required
AIMS Process Documentation (Clause 4.4) - required
Internal/External Issues Register (Clause 4.1) - recommended
Interested Parties Register (Clause 4.2) - recommended
AI System Inventory (Clause A.4.2) - recommended
Organizational Context Document (Clause 4.1) - recommended

Clause 5: Leadership

AI Policy (Clause 5.2 / A.2.2) - required
Roles & Responsibilities Matrix (Clause 5.3 / A.3.2) - recommended
Leadership Commitment Evidence (Clause 5.1) - recommended
Policy Communication Records (Clause 5.2) - recommended

Clause 6: Planning

AI Risk Assessment Process Documentation (Clause 6.1.2) - required
AI Risk Assessment Results (Clause 6.1.2) - required
Risk Treatment Plan (Clause 6.1.3) - required
Statement of Applicability (SoA) (Clause 6.1.3) - required
AI Impact Assessment Process (Clause 6.1.4 / A.5.2) - required
Impact Assessment Results (Clause 6.1.4 / A.5.3) - required
AI Objectives & Plans (Clause 6.2) - required
Actions to Address Risks & Opportunities (Clause 6.1.1) - required

Clause 7: Support

Competence Evidence (Clause 7.2) - required
Training Plan (Clause 7.2) - recommended
Communication Plan (Clause 7.4) - recommended
Document Control Procedure (Clause 7.5) - recommended
Awareness Program Records (Clause 7.3) - recommended

Clause 8: Operation

Operational Planning & Control Evidence (Clause 8.1) - required
Periodic Risk Assessment Results (Clause 8.2) - required
Periodic Risk Treatment Results (Clause 8.3) - required
Periodic Impact Assessment Results (Clause 8.4) - required
AI System Life Cycle Procedures (Clause A.6.x) - required (per SoA)
Data Governance Procedures (Clause A.7.x) - required (per SoA)
Outsourced Process Controls (Clause 8.1) - recommended
Change Management Procedure (Clause 8.1) - recommended
Concern Reporting Procedure (Clause A.3.3 / A.8.3) - required (per SoA)
Incident Communication Plan (Clause A.8.4) - required (per SoA)
User Documentation per AI System (Clause A.8.2) - required (per SoA)
Supplier Assessment Records (Clause A.10.3) - recommended

Clause 9: Performance

Monitoring & Measurement Results (Clause 9.1) - required
Internal Audit Program (Clause 9.2) - required
Internal Audit Results (Clause 9.2) - required
Management Review Results (Clause 9.3) - required
Performance Metrics Dashboard (Clause 9.1) - recommended

Clause 10: Improvement

Nonconformity & Corrective Action Records (Clause 10.2) - required
Continual Improvement Register (Clause 10.1) - recommended

Resources

Templates, research, regulatory guides, training, and links to related Tech Jacks Solutions hubs.

ISO 42001 Resources, Templates & Tools

ISO 42001 Documentation Templates Bundle [template]

Full template set covering every ISO 42001 documentation requirement. Includes policy, procedures, records, statement of applicability, and audit evidence templates. Start here if you want one download that covers the most ground.

AI Data Governance Framework: 9 Critical Stages [hub]

Complete guide to AI data governance covering the entire data lifecycle from collection through retirement. Aligned with ISO 42001 controls A.7.2\u2013A.7.6, NIST AI RMF, and EU AI Act requirements. The go-to resource for building your data governance procedures.

AI Governance & Risk Management Consulting [hub]

TJS consulting services for ISO 42001 implementation: AI risk assessment, gap analysis, framework implementation, and team training. Aligned with ISO 42001, NIST AI RMF, and EU AI Act.

ISO 42001 AIMS Assessment Toolkit [template]

Assessment toolkit for evaluating your current state against ISO 42001 requirements. Start your gap analysis here.

ISO 42001 Documentation Tracker [template]

Track what documentation ISO 42001 requires, what you've produced, and what's still missing. Maps to every clause.

ISO 42001 Audit Preparation & Evidence Guide [template]

Prepare for your Stage 1 and Stage 2 audits. Covers what evidence auditors expect and how to organize it.

ISO 42001 Quick Start Guide [template]

A 90-day guidance roadmap with pre-built control checklists for establishing your AIMS foundation.

Responsible AI Objectives Policy Template [template]

Customizable AI policy template aligned with Clause 5 and control A.2.2 requirements.

ISO 42001 Documentation Requirements Guide [research]

Practical guide to what ISO 42001 actually requires you to document, clause by clause. Written by TJS.

3 Essential Truths About ISO 42001 Objectives [research]

How the entire standard revolves around objectives, and why getting them right shapes everything else in your AIMS.

How Three Frameworks Work Together [regulatory]

EU AI Act, NIST AI RMF, and ISO 42001 aren't competing standards. They're layers of the same compliance stack.

EU AI Act August 2026: Annex III Obligations [regulatory]

What compliance teams need to build before the Annex III high-risk AI obligations take effect, and how ISO 42001 maps to them.

K&L Gates Earns ISO 42001 Certification [regulatory]

Case coverage of K&L Gates achieving ISO/IEC 42001:2023 certification for AI governance in legal services.

AI Impact Assessment Policy Template [template]

Policy template for AI system impact assessments. Covers individual, group, and societal impacts per Clause 6.1.4 and control A.5.2.

AI Data Governance Quality Assessment [template]

Checklist template for evaluating data quality, provenance, and governance across your AI systems. Maps to controls A.7.2 through A.7.6.

AIMS Scope Statement Template [template]

Template for defining and documenting your AI management system scope. The first deliverable in your certification journey (Clause 4.3).

AI Procurement & Third-Party Risk Assessment [template]

Playbook template for supplier due diligence on AI systems. Maps to controls A.10.2 and A.10.3.

EU AI Act Risk Assessment Checklist [template]

Risk assessment checklist and template aligned with EU AI Act requirements. Pairs with the ISO 42001 framework connections.

AI Acceptable Use Policy Template [template]

Enterprise-grade acceptable use policy template. Covers EU AI Act, NIST, and ISO 42001 alignment with risk classification criteria.

Free AI Templates & Tools [template]

Landing page for all free community edition templates. AI governance charter, risk management, bias assessment, and more.

What Is AI Governance? The 5 W�s [research]

Foundational guide to AI governance through the 5 W�s framework. References ISO 42001 and NIST AI RMF as primary governance models.

AI Use Case Inventories: 8 Key Components [research]

How to build an AI use case inventory with 8 key components: cataloging, risk classification, governance review, and standardized documentation.

Why You Need an AI Use Case Tracker [research]

Guide to building a 32-field AI use case tracker. References ISO 42001 Sections 5 and 6 for accountability and documented objectives.

AI Acceptable Use Policy: Implementation Guide [research]

Enterprise blueprint for AI acceptable use policies with a 90-day rollout plan. Covers EU AI Act, NIST, and ISO 42001 compliance alignment.

ISO 42001 Gains Ground as EU AI Act Prep Layer [regulatory]

How ISO 42001 is positioning itself as foundational governance infrastructure for organizations preparing for EU AI Act compliance.

EU AI Act Resource Center [hub]

The EU's AI regulation explained: risk tiers, timelines, prohibited practices, and compliance pathways.

NIST AI RMF Hub [hub]

The NIST AI Risk Management Framework: Govern, Map, Measure, Manage. Interactive tools and analysis.

AI Governance Hub [hub]

Central hub for AI governance frameworks, committee structures, and organizational best practices.

AI Data Governance Framework: 9 Critical Stages [hub]

Complete guide to AI data governance covering the entire data lifecycle. Aligned with ISO 42001, NIST AI RMF, and EU AI Act requirements.

AI Governance Committee Hub [hub]

How to build a cross-functional governance committee with binding authority over AI projects. Covers committee structure, mandate, and lifecycle oversight.

AI Governance Careers & Salary Trends [hub]

Roles, skills, and salary data for AI governance careers. Who does this work and what does the market look like.

IAPP AIGP Certification [training]

The AI Governance Professional certification from IAPP. Career guide, salary data, and study resources for the primary AI governance credential.

ISACA AAIA Certification [training]

The Artificial Intelligence Audit certification from ISACA. For auditors evaluating AI systems � directly relevant to ISO 42001 internal audits.

AI Governance Charter Template [template]

Charter template for standing up an AI governance committee with binding authority. Maps to Clause 5 leadership requirements.

AI Roles, Responsibilities & Training Policy [template]

Policy template defining AI governance roles, competency requirements, and training obligations. Maps to Clause 7.2 and control A.4.6.

AI Incident Response Playbook [template]

Enhanced incident response framework for AI systems. Covers detection, containment, communication, and root-cause analysis. Maps to controls A.8.4 and Clause 10.

AI Model Card Assessment Template [template]

Checklist template for documenting AI model characteristics, limitations, intended use, and performance metrics. Supports control A.8.2 user documentation.

AI Use Case Risk Assessment Template [template]

Framework for assessing risk per AI use case: data sensitivity, potential harm, autonomy level, and reversibility. Supports Clause 6.1.2.

AI Compliance Assessment Checklist [template]

Full compliance assessment covering ISO 42001, NIST AI RMF, and EU AI Act alignment in a single checklist.

AI Conformity Assessment & Certification Policy [template]

Policy template for AI system conformity assessment procedures. Directly supports the certification path described in the Certification panel.

AI Governance Committee: 8 Implementation Stages [research]

How to stand up a governance committee from scratch in 8 stages: from discovery to operational enforcement. Covers the structure Clause 5 demands.

The 7-Stage AI Lifecycle Framework [research]

Your playbook for responsible and profitable AI across the full lifecycle. Maps to the AI system lifecycle controls in A.6.

AI Use Case Policy: 5 Essential Steps [research]

How to document, classify, and govern your organization's AI use cases with clear workflows and boundaries.

Understanding AI Bias: Causes & Management [research]

What causes bias in AI systems and how to manage it. Directly relevant to controls A.5.4 (individual/group impacts) and A.7.4 (data quality).

Building Explainable AI: A Practitioner�s Guide [research]

From compliance checkbox to competitive advantage. Covers transparency and explainability � core requirements in control A.8.2 and the EU AI Act.

C-Suite AI Governance Imperative [research]

Why leadership adoption of AI governance is a competitive advantage, not just a compliance obligation. Frames the executive case for Clause 5.

What Is NIST AI RMF Govern? [research]

Deep dive into the GOVERN function of the NIST AI RMF. Maps directly to ISO 42001 Clauses 5 and 6 per the official crosswalk.

EU AI Act High-Risk Deadline: 5 Months to August 2026 [regulatory]

Practical compliance guide for the August 2, 2026 Annex III high-risk deadline. What organizations must build and how ISO 42001 helps.

EU AI Act Amended: Deadlines Extended [regulatory]

The amended EU AI Act extends high-risk deadlines to December 2027 and August 2028. Updated timeline and what it means for compliance programs.

Frequently Asked Questions

Answers to the most common questions about ISO 42001, from getting started through certification and beyond.

Frequently Asked Questions About ISO 42001

Getting Started

What is ISO 42001?

ISO/IEC 42001:2023 is the world�s first international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, it provides a certifiable framework for responsible AI development, deployment, and governance. It follows the same Harmonized Structure as ISO 27001 (/iso/42001/what-is-iso-42001-clause-4/), making integration straightforward for organizations with existing management systems.

Who needs ISO 42001 certification?

Any organization that develops, provides, or uses AI systems. This includes technology companies building AI products, enterprises deploying AI internally, and service providers offering AI-powered solutions. Organizations subject to the EU AI Act (/eu-ai-act/) will find ISO 42001 certification particularly valuable as a compliance pathway for high-risk AI systems.

How is ISO 42001 different from ISO 27001?

Both share the same management system structure (Clauses 4\u201310), but ISO 42001 adds AI-specific requirements: impact assessments for AI systems, data governance for training data, AI lifecycle controls, and transparency obligations. If you already hold ISO 27001, roughly 50\u201360% of the management system foundation transfers directly. See our Framework Connections (#) for a detailed mapping.

What are the 38 controls in Annex A?

Annex A organizes 38 controls into 9 groups covering: AI policy (A.2), governance structure (A.3), resource management (A.4), impact assessment (A.5), lifecycle management (A.6), data governance (A.7), stakeholder transparency (A.8), responsible use (A.9), and third-party relationships (A.10). Use our Controls Reference (#) to search and explore each one with TJS implementation guidance.

Where do I start if my organization has no AI governance?

Take our Readiness Test (#) to see where you stand, then follow the Journey Tracker (#) starting with Phase 1: Gap Analysis. Your first deliverable is an AI system inventory (/ai/governance/ai-use-case-inventories/) � you can�t govern what you can�t see. Our Quick Start Guide (/downloads/iso-42001-quick-start-guide/) provides a 90-day foundation roadmap.

Implementation

How long does implementation take?

Typical timelines range from 4\u201318 months depending on organization size and existing maturity. Small organizations with limited AI scope: 4\u20136 months. Mid-market with multiple AI applications: 6\u20139 months. Enterprise with complex multi-system operations: 9\u201318 months. Organizations with existing ISO 27001 certification (#) typically complete 30\u201340% faster.

What documents does ISO 42001 require?

The standard requires 20+ mandatory documents across Clauses 4\u201310, plus recommended documentation for each of the 38 Annex A controls. Key documents include: AIMS scope statement, AI policy, risk assessment methodology, risk register, statement of applicability, impact assessment records, training records, internal audit reports, and management review minutes. Our Document Builder (#) tracks every required, recommended, and optional document. See the Documentation Requirements Guide (/iso/42001/iso-42001-documentation-requirements-guide/) for a clause-by-clause breakdown.

What is a Statement of Applicability (SoA)?

The SoA lists all 38 Annex A controls, states which apply to your organization, which don�t, and justifies every exclusion. It�s one of the most audit-critical documents � auditors use it as their roadmap. You build it during Phase 2 (AI Policy & Risk Framework) after your risk treatment plan maps risks to controls.

Do I need to implement all 38 controls?

No. You implement controls based on your risk assessment results. The SoA documents which controls apply and which don�t. However, you must justify every exclusion � \u201cwe decided not to\u201d isn�t sufficient. Higher-risk AI systems need deeper control implementation. See Controls Reference (#) for difficulty ratings.

How does ISO 42001 handle AI data governance?

Controls A.7.2 through A.7.6 cover data acquisition, quality, provenance, and preparation. This goes beyond traditional data management � it addresses training data selection, labeling quality, dataset bias, and data lineage across the AI lifecycle. Our AI Data Governance Framework (/ai-data-governance-ai-data-lifecycle-hub/) covers all 9 critical stages.

What is an AI impact assessment?

Required by Clause 6.1.4, an AI impact assessment evaluates how your AI systems might affect individuals, identifiable groups, and society. It covers both intended use and foreseeable misuse. Results feed into your risk assessment process and must be documented. Controls A.5.2 through A.5.5 provide the framework. Download our Impact Assessment Policy Template (/downloads/ai-impact-assessment-policy/) to get started.

How do I build an AI system inventory?

Start by cataloging every AI system in scope: name, purpose, data sources, risk level, and owner. Our article on 8 Key Components for AI Inventories (/ai/governance/ai-use-case-inventories/) covers the methodology, and Why You Need an AI Use Case Tracker (/ai/governance/why-you-need-an-ai-use-case-tracker/) provides a 32-field template framework.

Certification

How much does ISO 42001 certification cost?

Costs vary significantly: Small/Startup: $15K\u2013$40K. Mid-Market: $40K\u2013$120K. Enterprise: $120K\u2013$500K+. This includes consulting, implementation, and audit fees. See the Certification panel (#) for detailed cost tables and the factors that drive pricing.

Which certification bodies offer ISO 42001 audits?

Major CBs include BSI, LRQA, Bureau Veritas, SGS, and T\u00dcV. Choose a body accredited by your national accreditation authority (UKAS in the UK, ANAB in the US) for international recognition. Microsoft, AWS, and Google Cloud have all achieved certification through these bodies.

What happens in a Stage 1 vs Stage 2 audit?

Stage 1 is a documentation review � the CB checks your AIMS documentation for completeness and readiness. Stage 2 is the full on-site audit: evidence review, staff interviews, and process verification. Stage 1 gaps can delay Stage 2 by months. Both are covered in Journey Tracker (#) Phases 5 and 6.

How long is ISO 42001 certification valid?

Certification is valid for 3 years, but annual surveillance audits are required to maintain it. Budget for ongoing compliance � not just initial certification. The surveillance cycle is part of the Certification panel (#) timeline.

Regulatory & Frameworks

Does ISO 42001 help with EU AI Act compliance?

Yes. ISO 42001�s risk management, impact assessment, transparency, and data governance controls align directly with EU AI Act requirements for high-risk systems under Annex III. The European Commission can recognize harmonized standards as compliance pathways. Read our analysis: EU AI Act August 2026: Annex III Obligations (/ai-brief/eu-ai-act-august-2026-annex-iii-high-risk-ai-obligations-iso/) and Three Frameworks Together (/ai-brief/one-governance-program-three-frameworks-the-compliance-stack/).

How does ISO 42001 map to the NIST AI RMF?

A crosswalk document maps every NIST AI RMF subcategory (Govern, Map, Measure, Manage) to specific ISO 42001 clauses and Annex B implementation guidance. The alignment is high � this is a documented, clause-level mapping that shows where the two frameworks overlap and complement each other. Explore the details in our NIST AI RMF Hub (/nist-ai-rmf-hub/) and Framework Connections (#).

Can I get ISO 42001 and ISO 27001 certified together?

Yes. Both standards use the identical Harmonized Structure (Clauses 4\u201310), so you can build an integrated management system. The net-new work for ISO 42001 is the AI-specific Annex A controls. Organizations with existing ISO 27001 typically complete ISO 42001 certification 30\u201340% faster. Our consulting team (/solutions/consulting-services/ai-governance-ai-risk-management/) specializes in integrated implementations.

What credentials exist for AI governance professionals?

Two key certifications: the IAPP AIGP (/it-certifications/iapp/aigp/) (AI Governance Professional) covers the governance and policy side, while the ISACA AAIA (/it-certifications/isaca/aaia/) (AI Audit) focuses on auditing AI systems. Both are valuable for teams building and maintaining an AIMS.

Gallery

Contacts

AI Governance ISO 42001 Resource Center

ISO 42001Resource Center

Why ISO 42001 Matters Now

Regulatory Pressure

The Trust Gap

Competitive Advantage

The Three Problems ISO 42001 Solves

The Black Box Problem

The Drift Problem

The Scale Problem

Practical Value for Organizations

Who's Already Certified?

Explore the Standard

The Standard

Controls Reference

Implementation Guide

Framework Connections

Certification

Resources

Start Here

Take the Readiness Test

Follow the Journey Tracker

Build Your Documents

The Standard

Clauses

Annexes

Controls Reference

Implementation Guide

Framework Connections

Certification

The Certification Journey

Cost Expectations

Certification Bodies

Readiness Test

Journey Tracker

Document Builder

Resources

Frequently Asked Questions

Ready to Start Your ISO 42001 Journey?

Services

Learn

Company

ISO 42001
Resource Center