ISO/IEC 42001 Compliance,
End to End

ISO/IEC 42001 was published in December 2023 by ISO/IEC JTC 1/SC 42, the joint ISO and IEC committee responsible for AI standards. It is the first edition of the standard.

Certification means an accredited third-party certification body has audited an organisation’s AI Management System (AIMS) and confirmed it meets the requirements of ISO/IEC 42001. There is also a separate concept of product conformity certification, where the platform or tool itself is certified against the standard. Modulos holds CertX product conformity certificate 213-001/24, the first issued under the CertX-AI V1.0 scheme.

The standard covers clauses 4 through 10 of the harmonised ISO management-system structure: context, leadership, planning, support, operation, performance evaluation, and improvement. Annexes A and B (normative) provide reference controls and implementation guidance. Annexes C and D (informative) cover risk sources, organisational objectives, and sector adaptation.

Annex A of ISO/IEC 42001:2023 contains a reference set of AI-specific controls grouped under control objectives covering policies, internal organisation, resources, impact assessment, lifecycle, data, third-party use, and customer expectations. Verify the exact count against the published standard at iso.org, as readers should not rely on a marketing-page number for compliance scoping.

ISO 42001 mandates top management commitment (clause 5.1), an AI policy (5.2), and defined responsibilities and authorities for roles relevant to the AIMS (5.3). It also requires competence and awareness for personnel whose work affects the AIMS (clauses 7.2 and 7.3). The standard does not enumerate specific role names. Organisations typically stand up an AI policy or AIMS owner, AI risk owners, and AI system owners as practical implementations.

ISO/IEC 27001 covers information security; ISO/IEC 42001 covers AI management. They share the same harmonised ISO management-system structure, so organisations operating 27001 can re-use document control, internal audit, management review, and corrective action processes. AI-specific governance such as AI risk assessment and lifecycle controls sits on top.

SOC 2 is a US attestation against the AICPA Trust Services Criteria for service organisations. ISO/IEC 42001 is an international management system standard for AI specifically. They serve different audiences (US enterprise customers vs international markets) and different scopes (general security and availability vs AI). Many organisations carry both.

ISO/IEC 42001 and the EU AI Act sit at different levels. ISO 42001 is an organisation-level AI Management System. The EU AI Act regulates specific AI systems, with obligations on providers and deployers of high-risk systems. ISO 42001 is not being adopted as a harmonised standard under the Act, so 42001 certification does not give a presumption of conformity. It is valuable as governance scaffolding around your AI portfolio, but does not substitute for the Act’s system-level requirements.

For AI in safety-critical machinery, ISO/IEC 42001 helps structure the governance and documentation that the Machinery Regulation conformity assessment requires. The Canton of Zurich Innovation Sandbox for AI report (2025) shows how a single integrated AIMS can address both regimes simultaneously rather than running parallel processes.

NIST AI RMF is a voluntary US framework focused on AI risk practices. ISO/IEC 42001 is a certifiable international management system. Many organisations use NIST AI RMF as a risk-practice library and ISO/IEC 42001 as the certifiable management system that wraps around it. They are complementary, not competing.

A four-step process: gap analysis against the standard, implementation and evidence collection, internal audit and management review, then external audit (Stage 1 documentation review and Stage 2 implementation audit). After a successful Stage 2, the certification body issues the certificate. Annual surveillance audits follow. Evidence collection is the bottleneck and where software solves time.

Typical timeline is 6 to 12 months from kickoff to certificate. The audit itself is short. The bulk of time goes into implementation, evidence collection, and management review cycles. With Modulos, Xayn reached audit-readiness in four weeks, becoming the first German company to achieve ISO/IEC 42001 certification, audited by SGS.

Total cost is a mix of audit fees paid to the certifying body (scope-dependent), implementation cost (internal time plus tooling), and ongoing surveillance audits each year. Audit fees vary widely by scope, organisation size, and chosen body. Most of the cost in practice is internal effort: scoping, evidence collection, internal audit, and management review.

Independent accredited certification bodies issue ISO/IEC 42001 certificates. The choice of auditor is yours, driven by scope, geography, and any existing certification relationships. Modulos is auditor-agnostic: the platform manages your AIMS records regardless of which accredited body you select. Verify accreditation through your national accreditation body or the International Accreditation Forum (IAF) directory.

Modulos automates evidence collection and audit preparation across clauses 4 to 10 and Annex A controls. AI agents (Scout, Evidence Agent, Control Assessment Agent) reduce manual work. Modulos holds CertX product conformity certificate 213-001/24, the first issued under the CertX-AI V1.0 scheme; was selected by the Canton of Zurich Innovation Sandbox; and powered Xayn’s 4-week certification.