On 18 December 2023, ISO published ISO/IEC 42001:2023. It is the world’s first international standard for Artificial Intelligence Management Systems — and it arrives at a moment when every organisation deploying AI is asking the same questions: How do we govern this responsibly? How do we demonstrate that governance to regulators, clients, and the public? And how do we do it in a way that scales as our AI footprint grows?

ISO 42001 is the answer the standards community has been building towards. This post explains what it is, what it requires, and why organisations that move early will have a meaningful advantage over those that wait.

What ISO 42001 Actually Is

ISO/IEC 42001:2023 specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System — an AIMS. Like ISO 27001 for information security and ISO 27701 for privacy, it provides a certifiable framework: organisations can be independently audited against the standard and receive third-party certification.

An AIMS under ISO 42001 is a governed approach to how your organisation develops, deploys, monitors, and retires AI systems. It covers:

The standard uses the same Annex SL high-level structure as ISO 27001, ISO 27701, and other management system standards. This means organisations already running ISO 27001 or ISO 27701 will find the clause structure familiar — and can integrate an AIMS into their existing management system programme more efficiently than building from scratch.

Who Needs This — And Who Will Be Asked for It

ISO 42001 applies to any organisation that develops, provides, or uses AI systems as part of its operations. That is a deliberately broad scope. It covers:

The question of who will be asked for ISO 42001 certification is different from who it applies to. Based on the trajectory we have seen with ISO 27001 — which moved from voluntary standard to procurement requirement over roughly five years — expect ISO 42001 to follow a similar path. Enterprise clients, regulated sector buyers, and public sector procurement teams are already beginning to include AI governance requirements in their vendor assessments. ISO 42001 certification will become the clearest way to satisfy those requirements.

What the Standard Requires: The Core Elements

ISO 42001 follows the Plan-Do-Check-Act cycle common to all ISO management system standards. The key requirements cluster around:

Organisational context (Clause 4). Understanding your organisation’s internal and external environment as it relates to AI — the stakeholders whose interests matter, the AI-specific issues that affect your objectives, and the scope of the AIMS.

Leadership and policy (Clause 5). Top management must demonstrate commitment to the AIMS, establish an AI policy, and assign roles and responsibilities. Unlike information security policies, an AI policy must address topics specific to AI governance: intended use boundaries, ethical principles, human oversight commitments, and transparency obligations.

AI risk management (Clause 6 and 8). The standard requires a structured approach to identifying and treating AI-specific risks — including risks to individuals affected by AI outputs, risks from AI system failures, and risks arising from the data used to train or operate AI systems. This is distinct from standard information security risk management and requires dedicated methodology.

Annex A controls. ISO 42001 includes an Annex A with controls covering AI system impact assessment, data governance for AI, documentation of AI systems, responsible AI guidelines, and human oversight mechanisms. As with ISO 27001’s Annex A, organisations must review all controls, document applicability decisions in a Statement of Applicability, and implement applicable controls with evidence.

Internal audit and management review. The standard requires planned internal audits of the AIMS and formal management reviews — ensuring that AI governance is a continuous operational programme, not a one-time implementation.

Why Certification Matters Beyond the Certificate

The AI governance landscape in 2024 is moving fast. The EU AI Act is now in force. Regulators across financial services, healthcare, and critical infrastructure are paying close attention to how organisations deploy AI. Clients are increasingly asking their vendors to demonstrate AI governance maturity.

ISO 42001 certification provides something that internal policies and self-assessment cannot: independent, third-party verified evidence that your organisation has a functioning AI Management System that meets an internationally recognised standard. That evidence is becoming commercially relevant now — and will become contractually required in the near future.

The organisations that certify in 2024 and 2025 will be the ones that can say yes when clients ask. The ones that wait will be scrambling to catch up when saying yes becomes a condition of doing business.

At Bitsecura, we implement ISO 42001:2023 AIMS tailored to your actual AI footprint — not a generic template applied to a theoretical organisation. We start by mapping your AI systems and benchmarking against the standard’s requirements, then build controls that work in practice. Our team delivers ISO 42001 the way it was designed to be implemented: with rigour, without bureaucracy.

If you want to understand what ISO 42001 means for your organisation specifically, start a conversation with us here. No commitment, no sales process — just a straight assessment of where you stand.


Bitsecura provides ISO 42001 AIMS implementation, internal audit, and maintenance services. Learn more about our ISO 42001 services.