The first international management system standard for AI, providing a framework for establishing, implementing, and improving AI governance.
ISO/IEC 42001:2023 is the world's first international standard specifying requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organisations. Published on 18 December 2023 by the International Organization for Standardization and the International Electrotechnical Commission, it provides a structured framework for managing AI-related risks and opportunities.
The standard follows the Harmonised Structure (HS) common to all ISO management system standards (such as ISO 27001 and ISO 9001), making it familiar to organisations already certified to other ISO standards and enabling straightforward integration into existing management systems.
ISO 42001 is designed to be applicable to any organisation that provides or uses AI-based products or services, regardless of size, type, or industry sector. It addresses the unique challenges of AI systems, including ethical considerations, transparency, accountability, and the dynamic nature of AI technology.
The standard requires organisations to consider the AI-specific context of their operations, including the societal impact of AI systems, regulatory requirements, and stakeholder expectations. It mandates a systematic approach to AI risk management that goes beyond traditional IT risk frameworks to encompass fairness, transparency, explainability, and human oversight.
Key structural elements include leadership commitment to responsible AI, an AI policy, AI risk assessment and treatment processes, objectives and planning for AI management, support requirements (resources, competence, awareness, communication), operational planning and control, performance evaluation, and continual improvement.
ISO 42001 is particularly valuable as a compliance tool because it provides a certifiable framework that can demonstrate due diligence across multiple regulatory regimes. Organisations seeking to comply with the EU AI Act, for instance, can use ISO 42001 certification as evidence of a robust AI governance framework, although certification alone does not guarantee regulatory compliance.
The standard also addresses the AI system lifecycle, from conception and design through development, testing, deployment, operation, and retirement. This lifecycle approach ensures that AI governance is not an afterthought but is embedded into every stage of AI system development and use.
Annexes to the standard provide detailed guidance on AI-specific controls, including controls for data management, AI system impact assessment, AI system development processes, third-party and customer relationships, and system operation monitoring. These controls can be selected and tailored based on the organisation's specific AI risk assessment.
Establish an AI management system with defined scope and boundaries
Develop an AI policy approved by top management
Conduct AI risk assessments covering safety, fairness, transparency, and accountability
Implement AI risk treatment plans with appropriate controls from Annex A
Define roles, responsibilities, and authorities for AI governance
Ensure competence and awareness of personnel involved in AI systems
Maintain documented information for the AIMS
Plan and control AI system lifecycle processes
Conduct AI system impact assessments
Monitor, measure, analyse, and evaluate AIMS performance
Conduct internal audits of the AIMS
Perform management reviews
Address nonconformities and drive continual improvement
Manage third-party AI providers and AI supply chain risks
Is ISO 42001 certification mandatory?
No, ISO 42001 certification is voluntary. However, it provides a structured framework for AI governance that can help demonstrate compliance with emerging AI regulations like the EU AI Act. Some procurement processes and industry sectors may increasingly require or prefer ISO 42001 certification.
How does ISO 42001 relate to the EU AI Act?
ISO 42001 provides a management system framework that can support EU AI Act compliance. While the EU AI Act sets legal requirements, ISO 42001 offers a systematic approach to meeting many of those requirements. The European Commission may recognise certain standards as providing a presumption of conformity.
Can ISO 42001 be integrated with other ISO management system standards?
Yes. ISO 42001 follows the ISO Harmonised Structure, making it directly integrable with ISO 27001 (information security), ISO 9001 (quality), ISO 14001 (environmental), and other management system standards.