AIMS · Annex SL · 38 controls · Certifiable · UKAS / ENAC / AENOR / TÜV
ISO/IEC 42001 implementation
AI Management System (AIMS) certifiable against the first international standard for artificial intelligence. Governance, risk management, the 38 Annex A controls, internal audits and support through the external certification audit. Natural operating framework to sustain EU AI Act evidence.
At a glance
ISO/IEC 42001:2023 is the first international certifiable standard for AI management systems. It inherits the ISO high-level structure (Annex SL), like 27001, 9001 or 14001, which makes it integrable with existing management systems. Its 38 Annex A controls (grouped in 9 domains) cover AI governance, AI system impact assessment, lifecycle, data, stakeholder information, use and third parties. It is certifiable by accredited bodies (AENOR, TÜV, BSI, LRQA, Bureau Veritas) under UKAS, ENAC or any other IAF MLA accreditor.
For organisations with AI systems in production and already certified against ISO 27001, implementing 42001 is the natural move in 2026-2027: it builds on the existing ISMS, provides a permanent operating framework to govern AI, generates the evidence base for the EU AI Act and offers commercial differentiation when few European organisations are certified yet. Our GRC team implements, among others, 27001, NIS2, DORA, ENS, GDPR and 42001.
First certifiable AI standard
Published in December 2023. ISO/IEC 42001:2023 is certifiable by accredited bodies just like 27001, with international validity via IAF MLA.
Integrable with ISO 27001
Common Annex SL. Clauses 4-10 are equivalent. If you already hold 27001, effort is substantially reduced. If not, we implement them in parallel.
Operating framework for EU AI Act
Control A.6.2 maps to EU AI Act art. 9, A.6.1 to art. 11, A.8.1 to art. 12, clause 9.2 control to art. 15. Direct evidence base for regulators.
9 Annex A domains · 38 applicable controls
ISO/IEC 42001:2023 Annex A organises AI controls in 9 domains (A.2 to A.10). Each control can apply or be excluded with documented justification (statement of applicability), the same as in ISO 27001.
A.2
Policies related to AI
AI policy, acceptable use policy, alignment with business objectives, communication, review.
A.3
Internal organisational structure
AI roles and responsibilities, AI committee, owner assignment, segregation of duties.
A.4
Resources for AI systems
Compute, data, people and tooling resources; supplier management; documentation.
A.5
AI system impact assessment
Assessment process for impacts on individuals, society and environment; decisions documented.
A.6
AI system lifecycle
Design, development, deployment, operation, monitoring, decommissioning. Maps directly to EU AI Act arts. 9-15.
A.7
Data for AI systems
Data quality, governance, privacy, retention, integrity, bias, fairness. Maps to EU AI Act art. 10.
A.8
Information for stakeholders
Transparency to users and regulators, instructions for use, logs, communications.
A.9
Use of AI systems
Use procedures, behavioural monitoring, incident management, human oversight.
A.10
Third parties and customer relationships
AI supplier management, third-party agreements, responsibility allocation, integrators.
Implementation roadmap · 6 phases
The 6 phases follow the same order in any project. Actual duration depends heavily on the size of the organisation, the number of AI systems in scope, prior certifications (ISO 27001 accelerates the work) and client-side availability. We fix the duration in the initial diagnostic, with a firm proposal.
Diagnostic
Gap analysis against SL clauses + the 38 Annex A controls. Inventory of AI systems in scope. Identification of justified exclusions. Phased priority roadmap. Self-contained deliverable to decide the scope of the full programme.
Governance and scope
AI policy, AI committee, role assignment, statement of applicability (SoA) for the 38 controls, AIMS scope document, integration with the existing 27001 ISMS if any.
AI risk management
Risk assessment procedure compatible with EU AI Act art. 9, risk register per AI system, treatment plan, indicators. Coordinated with the 27001 ISMS (no duplicated procedures).
Control implementation
Effective deployment of the 38 applicable controls: policies (A.2), structure (A.3), resources (A.4), impact (A.5), lifecycle (A.6), data (A.7), stakeholders (A.8), use (A.9) and third parties (A.10). Operational documentation for the auditor.
Internal audit + management review
Internal audit of the 42001 AIMS by qualified auditors (internal or external), findings report, corrective action plan, documented management review, metrics and improvements identified.
Pre-audit + external audit
Simulation of the external audit with real certification body criteria. Final adjustments. Coordination with the accredited body chosen by the client (TÜV/AENOR/BSI/LRQA/Bureau Veritas). Support during stage 1 (documentary) and stage 2 (implementation) of the audit.
ISO/IEC 42001 vs ISO/IEC 27001 · overlap and differences
Both are ISO management systems with a common Annex SL. This substantially reduces effort if they are implemented in parallel or if 27001 already exists.
| Element | ISO/IEC 27001:2022 | ISO/IEC 42001:2023 |
|---|---|---|
| Focus | Information security (C-I-A) | Responsible AI management (accountability, transparency, fairness) |
| Clauses 4-10 structure | Common Annex SL | Common Annex SL (equivalent) |
| Annex A · number of controls | 93 controls | 38 controls |
| Annex A · domains | 4 (organisational, people, physical, technological) | 9 (A.2 to A.10, AI-specific) |
| Statement of applicability | Yes | Yes |
| Mandatory internal audit | Yes | Yes |
| Management review | Yes | Yes |
| Certifiable | Yes (accredited body) | Yes (accredited body) |
| Certificate validity | 3 years + annual surveillance | 3 years + annual surveillance |
| Standard maturity | Established since 2005, revised 2022 | New (published Dec 2023) |
| Integrable with the other | Yes, single common management system | Yes, single common management system |
Operational recommendation: implementing 42001 on top of an existing 27001 reduces effort by approximately 40-50% compared with starting from scratch.
ISO/IEC 42001 ↔ EU AI Act mapping
One of the strongest operational reasons to certify 42001 is that it is the natural framework to sustain EU AI Act evidence. Most regulation obligations are covered by Annex A controls already in place.
| EU AI Act obligation | ISO/IEC 42001 control | Evidence generated |
|---|---|---|
| Art. 9 · Risk management system | A.5.2 + A.6.2 | Documented procedure, system-level assessment records, mitigation plan, reviews |
| Art. 10 · Data governance | A.7.2 to A.7.6 | Data policy, quality processes, bias management, retention, integrity |
| Art. 11 + Annex IV · Technical documentation | A.6.1 + A.6.2 | Full AI system technical documentation: description, datasets, metrics, design decisions |
| Art. 12 · Logging system | A.8.1 | Event logging system across the AI system lifecycle with traceability |
| Art. 13 · Transparency to users | A.8.2 to A.8.4 | User information, instructions for use, communication of capabilities and limits |
| Art. 14 · Human oversight | A.9.3 + A.9.4 | Operational human oversight procedures, intervention mechanisms |
| Art. 15 · Accuracy, robustness and cybersecurity | A.6.2 + clause 9.2 control | AI system safety performance evaluation, adversarial testing, continuous metrics |
| Art. 17 · Quality management system | Entire AIMS 42001 | The AIMS itself covers the provider obligation |
| Art. 22 · Authorised representative | A.10.2 + A.10.3 | Contractual agreements with third parties, supplier management |
| Art. 72 · Post-market monitoring | Clause 9 (Performance evaluation) | Continuous AI system monitoring, metrics, management review |
| Art. 73 · Serious incident notification | A.9.4 + clause 10 (Improvement) | AI incident management procedure, nonconformities, corrective actions |
| Art. 4 · AI literacy | A.4.3 + A.4.4 | Staff training programme, competence plan, training materials |
Operational conclusion: implementing 42001 directly covers 70-80% of EU AI Act technical and organisational obligations. The remaining obligations (legal representation, signed declaration of conformity, CE marking) are legal in nature and are handled in coordination with client legal counsel.
Real benefits of certifying ISO/IEC 42001
Enterprise procurement
Enterprise buyers are starting to require 42001 in RFPs throughout 2026-2027, particularly from SaaS providers with AI components or agents.
Permanent operating framework
Without an AIMS, the EU AI Act is handled reactively, with a recurring cost. With 42001 you govern AI sustainably and improve continually with each cycle.
Competitive differentiation
New standard. Few European organisations certified today. Being early generates real positioning advantage.
Simplified compliance
Covers 70-80% of EU AI Act, NIST AI RMF, OECD AI Principles. One operating framework, multiple compliances.
Trust with stakeholders
Internationally recognised mark. UKAS/ENAC accreditation carries weight with regulators, customers, investors and partners.
Mature change management
Structured continual improvement of the AI programme: each annual audit identifies opportunities and prevents drift.
Measurable ROI
Organisations with several AI systems or enterprise customers typically recover investment in 12-24 months via won RFPs and avoided costs.
ISO 27001 integration
If 27001 already exists, both run as a single common management system. Significant operational saving versus running separate frameworks.
Foundation for future norms
ISO is developing complementary standards (42005 AI impact assessment, 23894 AI risk management). 42001 positions you to integrate them when they arrive.
Where it fits and where it doesn't
Strong fit
When it is worth it
- Organisation with AI systems in production or pre-production
- B2B SaaS provider with AI components selling to enterprise customers
- ISO 27001 already certified: natural integration
- Addressing EU AI Act and seeking a permanent operating framework
- Sector where customers already request AIMS evidence (banking, healthcare, public sector)
- GPAI with systemic risk or Annex III high-risk systems
- Competitive differentiation: aiming to be among the first certified in Europe
Weaker fit
When it is not the first step
- You don't have AI systems in scope yet: alignment without certifying is more efficient
- Only using third-party SaaS without developing AI: focus on AI literacy + supplier due diligence
- ISO 27001 not yet consolidated: the logical order is to do 27001 first (or both in parallel)
- EU AI Act compliance timeline very tight: go directly to EU AI Act compliance and certify 42001 later
- Customer already requires a different AI-specific standard (rare, but some regulated sectors may)
Sector adaptation
B2B SaaS and software factory
Enterprise buyers increasingly demand the AIMS mark in procurement. Integration with existing ISO 27001. Focus on A.6 (lifecycle), A.7 (data) and A.10 (third parties). Real commercial differentiation in 2026-2027.
Financial services
DORA + EU AI Act + GDPR overlap. AIMS as the single integrating framework. Intensive focus on A.5 (impact), A.7 (sensitive data) and A.9 (human oversight). Audit coordinated with the supervisor (FCA, BdE, BaFin).
Healthcare
GDPR art. 9 (special categories) + EU AI Act high-risk classification if the system makes or supports clinical decisions. Focus on A.5 (patient impact), A.7 (clinical data), A.8 (transparency to clinicians) and A.9 (clinical oversight).
Public sector
ENS + EU AI Act (high probability of high-risk under Annex III). AIMS as algorithmic governance framework. Focus on A.2 (public policy), A.5 (citizen impact) and A.8 (transparency and accountability).
Industry and OT
AI systems in industrial operation or quality control. Focus on A.5 (safety impact), A.6 (lifecycle with controlled change) and A.9 (human oversight on emergency stop).
Education and research
Student assistants, assessment systems, RAG agents on repositories. Focus on A.5 (impact on minors and educational rights), A.7 (academic data) and A.8 (clear information to families).
Objections we hear and how we answer them
«The standard is very new, isn't it too early to certify?»
Quite the opposite: it is the optimal moment. Early certifications generate more differential value. Those certifying in 2026 capitalise on it throughout 2027-2028, when the majority starts. Waiting means joining the pack when certification no longer generates an advantage.
«Isn't ISO 27001 plus our EU AI Act programme enough?»
27001 covers information security, not specifically AI (accountability, transparency, fairness). EU AI Act is regulation, not certification of your programme. 42001 is the only internationally recognised mark that certifies your organisation governs AI responsibly. They are complementary pieces, not substitutes.
«It costs money and time. What is the return?»
Procurement: enterprise customers start requiring 42001 in 2026-2027 RFPs. Without the mark, you are filtered out. Avoided operational cost: the AIMS saves you from handling the EU AI Act reactively. Measurable ROI: organisations with several AI systems recover the investment in 12-24 months. It is not a sunk cost.
«Our CISO doesn't want yet another framework»
Fair point. The good news: 42001 inherits from Annex SL, just like 27001. It is not 'yet another framework'; it is the natural ISMS extension to cover AI. Same committee, same internal audits, same management review model. It reduces effort rather than adding to it.
«No one in our sector asks for 42001 yet»
True today. It was also true of GDPR in early 2018, before the May deadline. When the first RFP that requires it appears, it is already too late to certify before the deadline. Optimal timing is 12-18 months before your sector requests it. In 2026 many sectors don't ask yet; in 2027 it starts to appear.
«What if the norm changes? ISO keeps working on AI standards»
ISO/IEC 42001 is published and stable. Complementary norms (42005 impact assessment, 23894 AI risk management, 5338 lifecycle) are additive, not replacements. Implementing 42001 positions you to integrate what comes, without re-certifying.
AIMS programme KPIs
Six indicators we report in management review and AI committee.
% Annex A controls implemented
Master progress indicator. Implementation target: 100% of applicable controls before pre-audit.
% AI systems with impact assessment (A.5)
Coverage of the impact assessment process. Target: 100% of systems in the AIMS scope.
Internal audit findings vs external
Pre and post external audit comparison. Quality indicator of the implementation. Target: <5 minor nonconformities at certification.
Average nonconformity closure time
Days from detection to verified closure. Target: <30 days major, <60 days minor.
% staff with AI literacy completed
EU AI Act art. 4 + 42001 control A.4.3. Target: 100% of affected staff.
AIMS maturity (self-assessment)
Five-level model (initial→optimised). Target: level 3 (defined) after certification, level 4 (managed) in the second year.
AIMS and certification glossary
AIMS
Artificial Intelligence Management System. AI management system conformant with ISO/IEC 42001.
Annex SL
High-level structure common to all modern ISO management systems (clauses 4-10). Enables integration.
SoA
Statement of Applicability. Document listing the 38 Annex A controls with applies/does not apply + justification.
UKAS / ENAC
United Kingdom Accreditation Service / Entidad Nacional de Acreditación. Accredit certification bodies to issue internationally valid certificates via IAF MLA.
IAF MLA
International Accreditation Forum Multilateral Recognition Arrangement. Mutual international recognition of accreditations.
Stage 1 audit
First phase of the certification audit: documentary review of the management system. Identifies readiness for stage 2.
Stage 2 audit
Second phase: review of effective implementation. The auditor walks through the organisation, validating that the controls operate as documented.
Surveillance audit
Annual, throughout the 3-year certificate validity. Verifies maintenance and continual improvement of the management system.
Re-certification
Every 3 years. Full audit to renew the certificate. Similar to the initial one but more efficient if the system is mature.
Major nonconformity
Finding that prevents certification until closed. Typically: absence of a mandatory requirement or systemic failure.
Minor nonconformity
Finding that is documented and handled in an action plan, without preventing certification if the plan is acceptable.
ISO/IEC 23894
Complementary standard on AI risk management. Compatible with 42001 clause 6 and A.5.
Related services at Hard2bit
ISO/IEC 27001 implementation
Classic ISMS. Common Annex SL with 42001; running them in parallel or on top of existing 27001 reduces total effort.
EU AI Act compliance
42001 covers 70-80% of EU AI Act technical and organisational obligations. Coordinated programmes generate unified evidence.
AI Security (consulting)
If you are not yet ready to certify: AI governance, agent threat modelling, acceptable use policy.
AI agents and MCP audit
Technical red teaming providing direct evidence for AIMS clause 9.2 control (AI system safety performance evaluation).
NormexAI · compliance platform
SaaS document management platform. Supports AI system inventory, assessment registry and auditor evidence.
Comprehensive audit
If you want to validate your AIMS before the external audit or assess maturity prior to implementation.
Cybersecurity consulting
Continuous strategic support. Useful after certification to sustain the continual improvement cycle.
GDPR implementation
Partial overlap with A.7 (data) of 42001. Common coordination: the DPO validates the AIMS privacy block.
NIS2 compliance
If you are critical infrastructure, coordinating NIS2 + 42001 + EU AI Act prevents documentary duplication.
Frequently asked questions
What is ISO/IEC 42001 and what is it for?
ISO/IEC 42001:2023 is the first international certifiable standard for AI management systems (AIMS). It follows the ISO high-level structure (Annex SL), the same as ISO 27001, ISO 9001 or ISO 14001, which makes it integrable with existing management systems. Its Annex A contains 38 AI-specific controls grouped in 9 domains: governance, policies, organisational structure, resources, AI system impact assessment, AI system lifecycle, data, stakeholder information and use. It is certifiable by accredited bodies (UKAS in the UK, ENAC in Spain).
Do I need ISO 27001 already in place to certify 42001?
Not mandatory, but it helps significantly. Both follow Annex SL (the common ISO management-system structure), so clauses 4 to 10 are practically equivalent. If you already hold a 27001 certificate, the 42001 effort is substantially reduced: you reuse governance, committee, risk management, nonconformities, continual improvement and internal audits. If you don't have 27001, we implement them in parallel (same SL clauses) and address the specific controls: 27001 Annex A has 93 controls, 42001 has its own 38 AI controls. We decide in the initial diagnostic.
How much does ISO/IEC 42001 implementation cost and how long does it take?
It depends on scope (number of AI systems covered, organisational complexity, prior certifications). Pre-certification implementation with 1-3 AI systems and ISO 27001 already certified is faster and cheaper. Combined 27001+42001 implementation from scratch is the longest path. If only alignment without certification is sought, it is shorter. External certification (audit by accredited body) is invoiced separately by the certification body. Before quoting we always run an initial diagnostic.
What does your implementation actually deliver?
Six blocks. Diagnostic (gap analysis against clauses 4-10 + 38 Annex A controls, identification of AI systems in scope, roadmap definition). Governance (AI policy, AI committee, role assignment, management indicators). AI risk management (procedure compatible with EU AI Act art. 9, register, system-by-system assessments). Annex A controls (effective implementation of the 38 applicable controls, justified exclusions documented). Operation (internal audits, management review, nonconformities, corrective actions, continual improvement). Pre-audit (simulation of external audit, final adjustments before the certification audit).
How is ISO/IEC 42001 different from ISO/IEC 27001?
27001 is the classic ISMS for information security (confidentiality, integrity, availability). 42001 is the AI-specific MS (accountability, transparency, fairness, human oversight, reliability, AI safety, AI privacy). Clauses 4 to 10 are equivalent (Annex SL). Annexes are entirely different: 27001 covers 93 information-security controls (organisational, people, physical, technological); 42001 covers 38 AI-specific controls across 9 domains. An organisation can hold both, integrated as a single management system, which is the recommended practice when AI systems are in production.
How does ISO/IEC 42001 relate to the EU AI Act?
ISO/IEC 42001 is the natural operating framework to sustain EU AI Act compliance. Annex A control A.6.2 (AI system impact assessment) covers the spirit of EU AI Act art. 9 (risk management system). A.6.1 (AI system objectives and processes) maps to art. 11 (technical documentation). A.8.1 (AI system use logging) to art. 12 (logs). Clause 9.2 control (AI system performance evaluation) directly covers what art. 15 EU AI Act requires on testing. Implementing 42001 does not certify EU AI Act compliance (different things), but it generates the evidence base the regulator will want to see.
Which bodies certify ISO/IEC 42001 in Europe?
Certification is granted by accredited certification bodies. The most relevant in Europe are AENOR, TÜV Rheinland, TÜV SÜD, Bureau Veritas, LRQA, SGS and BSI. For the certificate to be internationally recognised, the body must be accredited by ENAC (Spain), UKAS (UK) or another IAF MLA member. Hard2bit is independent: we are not a certification body and do not represent any. We prepare the organisation to pass the external audit, but the audit itself is performed by the body the client chooses. We coordinate with you and with the certification body so the audit runs cleanly.
Is 42001 worth certifying if we already have ISO 27001 and our EU AI Act programme under way?
Yes, for three reasons. Procurement: enterprise customers are starting to require 42001 in RFPs throughout 2026-2027, particularly from SaaS providers with AI components. Competitive differentiation: the standard is new and few European organisations are certified; being early generates genuine commercial advantage. Operational: the AIMS framework gives you a structure to govern AI sustainably, not just to comply with the regulation reactively; without an operating framework, the EU AI Act becomes a recurring reactive cost. ROI is typically recovered in 12-24 months for organisations with multiple AI systems or enterprise customers.
How long after implementation do we obtain the certificate?
After implementation, the certification process with the accredited body typically runs in three to four months: documentary audit (stage 1) + implementation audit (stage 2) + time to handle findings + certification decision. If implementation has been done properly (with pre-audit included), the first-time success rate is high (over 80%). The certificate is valid for three years with annual surveillance audits. Realistic planning: a few months of implementation plus three to four months of certification, if ISO 27001 is already in place.
How do we start a project with Hard2bit?
A 30-minute call to understand your starting point (AI systems in scope, existing certifications, ISO 27001 yes/no, current EU AI Act position, objective: certification or alignment only). If it makes sense, an initial diagnostic of a few weeks with gap analysis against the SL clauses plus the 38 Annex A controls. With that, we issue a firm proposal: scope, timeline, assigned team, deliverables and closed price. No commitments until signature. If we see that the client does not yet have enough AI systems in scope, we recommend aligning without certifying (cheaper, foundation prepared to certify when the time is right).
Ready to certify ISO/IEC 42001?
A 30-minute call to understand your starting point. Initial diagnostic with a firm proposal after gap analysis. Hard2bit is independent of certification bodies: we get you to the certificate; the certification itself is granted by UKAS/ENAC/AENOR/TÜV/BSI depending on your choice.