June 14, 2024

ISO 42001 explained: requirements, certification and implementation

By Modulos

What is ISO 42001? ISO/IEC 42001:2023 is the first certifiable international standard for AI management systems (AIMS). It was published by ISO in December 2023 and defines a management system that organizations can be independently audited and certified against. For the first time there is a recognized international standard for how you govern AI.

That is not a trivial fact. Your customers' procurement teams have been asking for proof of responsible AI for two years. Before ISO 42001 there was nothing serious to point to. Now there is.

This post is not a clause-by-clause summary. The Modulos docs already do that in more detail than any blog post would. This post covers what ISO 42001 is (and is not), the requirements and control structure, the certification process end to end, and how to implement it without producing theatre.

What ISO 42001 is

ISO 42001 defines an AI Management System (AIMS). It follows the same High-Level Structure (HLS) as ISO 27001 (information security), ISO 9001 (quality), ISO 14001 (environment) and the rest of the ISO management-system family. If you have implemented any of those, the shape of 42001 will be familiar: define your context, get leadership commitment, plan (including risk treatment), provide support, operate, evaluate performance, improve.

Clauses 4 through 10 are the management system itself. Annex A is normative and contains reference control objectives and controls. Annex B is normative and provides implementation guidance for those controls. Annex C is informative and lists potential AI-specific organizational objectives and risk sources. Annex D is informative and covers multi-domain use of the AIMS.

The point of ISO 42001 is not that it tells you how to build safe AI. No standard can do that. The point is that it gives you a structured, auditable way to demonstrate that you have a functioning system for identifying, managing and monitoring AI risk, and that the system is integrated with the rest of how your organization operates.

What ISO 42001 is not

Three things it is not, because the confusion is common.

It is not a product certification. ISO 42001 certifies your management system, not your AI systems. A certified company can still ship a bad model. What the certificate tells a customer is that the company has a governance system in place that makes catastrophic failure less likely and accountability clearer when something goes wrong.

It is not the same thing as EU AI Act compliance. The Act imposes legal obligations on high-risk systems: conformity assessment, CE marking, technical documentation, post-market monitoring. ISO 42001 is a voluntary management system. They overlap substantially but they are not the same. An ISO 42001 certificate does not satisfy the Act. Running a certified AIMS makes EU AI Act compliance dramatically easier because much of the required governance infrastructure is already there. See our framework comparison piece for how these stack.

It is not a checklist. This is the most important point and the one most often missed. If you treat ISO 42001 as a list of Annex A controls to tick off, you will produce documentation that no auditor should accept and that gives your customers no assurance. The standard is about building a system that actually works.

ISO 42001 requirements

The normative requirements live in clauses 4 to 10. These are the clauses an auditor will test against:

  • Clause 4: Context of the organization
  • Clause 5: Leadership
  • Clause 6: Planning (including risk and impact assessment)
  • Clause 7: Support (resources, competence, awareness, communication, documentation)
  • Clause 8: Operation (operational planning, AI risk treatment, AI system impact assessment)
  • Clause 9: Performance evaluation (monitoring, internal audit, management review)
  • Clause 10: Improvement (nonconformity and corrective action)

This is the full AIMS. Everything else (Annex A controls, Annex B guidance) exists to support these clauses.

ISO 42001 controls

Annex A is the reference set of control objectives and controls. It is the set you work through when building your Statement of Applicability (SoA): every Annex A control is either included or excluded with a justification, and most organizations pursuing certification end up including the large majority. Annex B provides implementation guidance for each Annex A control, Annex C lists potential AI-specific organizational objectives and risk sources, and Annex D covers applying the AIMS across multiple domains.

The SoA is the living document that maps which Annex A controls you have implemented, which you have excluded, and why. Auditors will examine it closely.

Evidence, not checklist

The mental shift that matters. Every Annex A control requires you to answer a simple question: what does "executed" mean in our context, and what evidence exists that we did it?

"We have a policy" is not evidence. "This policy was published on date X, reviewed on date Y, applied to systems A, B and C, and here are the decisions that cited it" is evidence. "We do risk assessments" is not evidence. "Here is the risk register, here are the dates of the last three updates, here are the mitigations linked to specific risks, here are the test results showing the mitigations work" is evidence.

Three practical rules from how we implement this with customers.

Start with the minimum that produces reliable evidence, then iterate. A small number of controls implemented properly with live evidence beats a comprehensive spreadsheet with no audit trail. Auditors know the difference immediately.

Define what is global and what is local. Some controls operate at the organizational level (policy, leadership, minimum standards, audit cadence). Others operate at the AI system level (risk treatment for this specific model, testing results for this specific deployment). Conflating these is the single most common mistake in AIMS design. Keep them separate, reuse the global layer across systems, and make the local layer specific to each system with its own audit trail.

Reuse across frameworks rather than duplicating. The HLS clauses (context, leadership, planning, support, operation, evaluation, improvement) are the same ones ISO 27001 uses. If you are running a 27001 ISMS, your context definitions, leadership commitment, internal audit programme and management review cadence can all extend to cover the AIMS. Our ISO 27001 and ISO 42001 integration piece covers the mechanics.
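The three rules above, and the idea of an SoA that is derived from the live state of the system rather than kept in a separate spreadsheet, are easier to see in code. The block below is an added example written for this post, not code from the Modulos platform and not text from the standard. The Annex A identifiers and titles follow my reading of the standard and should be checked against your own copy; the two in-scope AI systems, the evidence records and the 365-day review cadence are constructed sample data. It models global controls (one evidence record for the organization) separately from local controls (one record per AI system), reuses one piece of evidence for a mapped ISO 27001 control, and produces both the SoA and the list of controls an auditor would raise as findings.

```python
"""Derive a Statement of Applicability from live control evidence.

Added example, not Modulos platform code. Control IDs/titles are
illustrative; systems, evidence and cadence are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Control:
    cid: str                 # Annex A identifier (illustrative; check your copy)
    title: str
    layer: str               # "global": one record for the org; "local": one per AI system
    also_covers: tuple = ()  # other-framework controls the same evidence satisfies (assumed mapping)


@dataclass(frozen=True)
class Evidence:
    control: str
    description: str         # dated, traceable record of what was done
    recorded: date
    system: Optional[str] = None  # None for organization-wide evidence


CONTROLS = [
    Control("A.2.2", "AI policy", "global", also_covers=("ISO 27001 A.5.1",)),
    Control("A.2.4", "Review of the AI policy", "global"),
    Control("A.5.2", "AI system impact assessment process", "global"),
    Control("A.5.3", "Documentation of AI system impact assessments", "local"),
    Control("A.6.2.4", "AI system verification and validation", "local"),
    Control("A.10.3", "Suppliers", "global"),
]

SYSTEMS = ("credit-scoring", "support-chatbot")  # constructed in-scope AI systems
MAX_AGE = timedelta(days=365)                      # assumed review cadence

# Constructed evidence records: "policy published, cited by decisions", not "we have a policy".
EVIDENCE = [
    Evidence("A.2.2", "AI policy v1.2 published; cited in ARB decisions 14, 17, 21", date(2025, 3, 1)),
    Evidence("A.2.4", "Annual policy review minutes", date(2023, 12, 1)),  # deliberately stale
    Evidence("A.5.2", "Impact assessment procedure v2 approved", date(2025, 1, 15)),
    Evidence("A.5.3", "Impact assessment report IA-007", date(2025, 2, 10), "credit-scoring"),
    Evidence("A.6.2.4", "Validation run: fairness and robustness metrics", date(2025, 4, 2), "credit-scoring"),
    Evidence("A.6.2.4", "Red-team and regression test report", date(2025, 4, 20), "support-chatbot"),
]

# Exclusions need a justification the auditor can test against the scope statement.
EXCLUSIONS = {"A.10.3": "No third-party AI components in scope (see scope statement)"}


def _status(records, today):
    """ok / stale / gap for one scope: the whole organization, or one AI system."""
    if not records:
        return "gap"
    newest = max(r.recorded for r in records)
    return "stale" if today - newest > MAX_AGE else "ok"


def assess(control, evidence, systems, today):
    """Global controls need org-level evidence; local controls need evidence per system."""
    mine = [e for e in evidence if e.control == control.cid]
    if control.layer == "global":
        return {"status": _status([e for e in mine if e.system is None], today)}
    per_system = {s: _status([e for e in mine if e.system == s], today) for s in systems}
    values = per_system.values()
    worst = "gap" if "gap" in values else "stale" if "stale" in values else "ok"
    return {"status": worst, "systems": per_system}


def build_soa(controls=CONTROLS, evidence=EVIDENCE, exclusions=EXCLUSIONS,
              systems=SYSTEMS, today=date(2025, 6, 14)):
    """SoA generated from live state: inclusion/exclusion plus current evidence status."""
    soa = {}
    for c in controls:
        if c.cid in exclusions:
            soa[c.cid] = {"title": c.title, "applicable": False, "justification": exclusions[c.cid]}
            continue
        entry = {"title": c.title, "applicable": True, "layer": c.layer}
        entry.update(assess(c, evidence, systems, today))
        if c.also_covers:
            entry["also_covers"] = list(c.also_covers)  # evidence counted once, across frameworks
        soa[c.cid] = entry
    return soa


def audit_findings(soa):
    """Applicable controls without fresh evidence: what a Stage 2 auditor would raise."""
    return sorted(cid for cid, e in soa.items() if e["applicable"] and e["status"] != "ok")


if __name__ == "__main__":
    soa = build_soa()
    for cid, entry in soa.items():
        print(cid, entry)
    print("findings:", audit_findings(soa))
```

Run as is and the output shows the point of the global/local split: A.5.3 is a finding not because the control is missing but because one of the two systems has no impact assessment on record, while A.2.4 is a finding because the only evidence is older than the cadence the organization committed to. Both are exactly the kind of thing a spreadsheet that says "implemented" hides.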

ISO 42001 certification process

The certification process for ISO 42001 mirrors other ISO management system standards. The steps are well established, and the surprises are minimal if you have prepared properly.

Stage 1 audit is a documentation review. The certification body assesses whether your AIMS is ready to be audited in depth: do you have the required policies, is your scope defined, is the Statement of Applicability complete, is the risk treatment plan coherent, are internal audit and management review in place. Typically 1 to 2 days depending on scope. This stage identifies gaps before the real audit.

Stage 2 audit is the on-site assessment where the auditors test whether your AIMS actually works in practice. They sample controls, trace evidence, interview staff, look at operational records, review incidents and how you handled them. Typically 2 to 5 days depending on the size and complexity of your organization. This is the audit that either produces the certificate or produces a set of non-conformities you have to close before one is issued.

Certificate issuance. Assuming Stage 2 is passed (including closure of any minor non-conformities), the certification body issues the ISO 42001 certificate. It is valid for three years, conditional on the surveillance audits that follow.

Surveillance audits are annual, shorter (typically 1 to 2 days), and focus on a rotating sample of controls plus any incidents or changes since the last audit. They verify that the AIMS continues to operate as designed.

Recertification happens every three years. It is more involved than a surveillance audit but less than the original Stage 1 plus Stage 2, because the auditors already know the AIMS.

End-to-end timeline. From the decision to pursue certification to holding the certificate, three to six months is typical if you already have a functioning AIMS and just need to prepare it for audit. From scratch, six to twelve months is more realistic, with most of that time spent building the system rather than auditing it. The audit itself is the easy part if the system is real.

Who certifies. Accredited certification bodies. A consultancy cannot issue an ISO 42001 certificate; only a certification body can, and it should be one accredited by a national accreditation authority (UKAS in the UK, DAkkS in Germany, ANAB in the US, SAS in Switzerland). Check that the body's accreditation scope actually lists ISO/IEC 42001: accreditation is granted per standard, so a body accredited for ISO 27001 is not automatically accredited for 42001. This matters: a certificate from a non-accredited body is worth less in procurement.

How Modulos implements ISO 42001

Track record before features. Modulos was the first AI governance platform to receive a product conformity assessment for ISO/IEC 42001, issued by Swiss auditor CertX. That assessment happened before most national accreditation bodies had even accredited certification bodies to audit the standard, which meant the platform had to be defensible against the standard on its own merits rather than against any established audit precedent.

In June 2025, Berlin-based Xayn (builders of Noxtua, Europe's first sovereign legal AI) became the first German company to receive ISO/IEC 42001 certification, audited by SGS. Modulos powered that certification journey. The full programme from decision to certificate ran in four weeks, against a typical end-to-end timeline of three to six months for organizations with a mature AIMS already in place. The case study covers how the platform compressed the preparation phase by reusing control evidence across frameworks and generating the Statement of Applicability and internal-audit records as a live output of the operating system rather than as separate deliverables.

On the platform itself: Clauses 4 to 10 are modeled as Requirements, Annex A controls are modeled as Controls with Annex B guidance attached, evidence is uploaded directly against each Control, and the Statement of Applicability is generated from the live state of the system rather than maintained as a separate document that drifts. Because the same Controls are mapped to ISO 27001, NIST AI RMF and EU AI Act Requirements, work done once counts across frameworks. If you are pursuing ISO 42001 certification and EU AI Act compliance at the same time, you are running one programme that produces multiple outputs, not three parallel programmes.

Modulos is also a member of the NIST AI Safety Institute Consortium (AISIC, now part of the Center for AI Standards and Innovation) and contributes to the development of AI governance guidance that feeds back into how we model ISO 42001 in the platform.

For the full implementation detail, the Modulos ISO 42001 documentation is the authoritative reference.

ISO 42001 and global standards for AI governance

ISO 42001 is the first auditable entry in a wider family of global standards for AI governance. The NIST AI Risk Management Framework supplies the voluntary risk-management vocabulary used widely in North America. The EU AI Act is the first mandatory horizontal AI regulation. ISO/IEC 23894 is ISO's companion risk-management guidance for AI. ISO/IEC 42001 is the management-system standard that ties these together into something certifiable.

For how these map and where the work overlaps, see AI governance frameworks compared.

Frequently asked questions about ISO 42001

What is ISO 42001? ISO/IEC 42001:2023 is the first certifiable international standard for AI management systems. Published by ISO in December 2023, it defines an AI Management System (AIMS) that organizations can be audited against.

When was ISO 42001 released? December 2023.

How do you get ISO 42001 certification? Build a functioning AI Management System against clauses 4 to 10 of the standard, select applicable Annex A controls and build evidence, engage an accredited certification body, pass a Stage 1 documentation audit, pass a Stage 2 operational audit. Typical timeline is three to six months if the AIMS is mature, six to twelve from scratch.

What is ISO 42001 certification worth? It is the most credible available answer to a procurement team asking you to prove responsible AI. A certificate from an accredited body signals that an independent third party has verified that your AI governance system is real and operating.

How is ISO 42001 different from the EU AI Act? The Act is a mandatory regulation. ISO 42001 is a voluntary management-system standard. Certification against ISO 42001 does not satisfy the Act, but it provides much of the infrastructure you will need to comply with Article 9 and related obligations.

Conclusion

ISO 42001 is the first serious, auditable standard for how organizations govern AI. It is not a silver bullet and it is not a product certification, but it is the most credible answer to the procurement question "prove to us you have responsible AI" that exists today. The organizations that get real value from it are the ones that implement it as evidence-producing operational reality rather than as documentation theatre.

If you are starting that journey, the right first question is not "what controls do we need?" It is "what would an auditor need to see, and how do we build the system that produces it naturally?"

If you want to see how that works in practice, book a demo or read the full documentation.