ISO/IEC 42001 · 7 min read

ISO/IEC 42001: The AI Management Standard Worth Aiming For

ISO/IEC 42001:2023 is the only certifiable international standard for AI management systems. Fewer than 100 organisations worldwide are certified. For SaaS firms, regulated sectors and anyone selling to enterprise, that's about to become a powerful trust signal. The firms that move first will look like the grown-ups.

What is ISO/IEC 42001?

ISO/IEC 42001:2023 is the international standard for an Artificial Intelligence Management System (AIMS). It was published in December 2023 by ISO and IEC jointly and sits alongside the more familiar 27001 (information security) and 9001 (quality) as the AI-specific certifiable management-system standard.

Like all ISO management-system standards, it sets out the organisational processes you need in order to identify, assess and manage the risks associated with your AI; it does not specify the technical performance of any particular AI product. It's about how your business is run, not how your models are tuned.

What does it actually require?

42001 is structured around the familiar Plan-Do-Check-Act cycle:

  • Context and leadership. Senior accountability for AI risk, defined scope, and an AI policy approved at board level.
  • Planning. AI risk and opportunity assessment, AI system impact assessments, and documented AI objectives.
  • Support. Competence, awareness, internal communication, and a controlled body of AI-related documentation.
  • Operation. AI lifecycle controls covering design, development, deployment, monitoring and decommissioning, including data governance, technical documentation, transparency to users, and supplier management.
  • Performance evaluation. Internal audit, management review, and a formal mechanism for handling complaints, incidents and continual improvement.
  • Improvement. Corrective action and demonstrable learning from incidents.

The standard's Annex A also lists detailed AI-specific controls covering everything from training data quality through to communication with affected parties and incident response.

"ISO/IEC 42001 is the only certifiable international AI-management-system standard. Under 100 organisations are certified globally. That scarcity is exactly what makes it a powerful trust signal."

Why this matters commercially right now

Three forces are converging.

One: enterprise procurement. Large enterprises are starting to ask their suppliers about AI governance, and the answer they want to see is a recognisable third-party certification. ISO 27001 used to be optional; it's now table-stakes for selling to enterprise. ISO 42001 is on the same trajectory.

Two: insurance. Cyber-insurance underwriters are starting to ask AI-specific questions. A certified AIMS materially affects how an underwriter prices your renewal.

Three: scarcity. With fewer than 100 certified organisations globally, being certified now puts you in a tiny club. UK SaaS firm OneAdvanced became one of the first UK companies certified. The trust premium for early movers will not last forever; by 2028 it'll be table-stakes.

How AIME, the EU AI Act and ISO 42001 relate

This is where most clients get confused. Here's the clean version:

  • AIME is the UK government's free SME-friendly self-assessment, built on ISO 42001, the EU AI Act and NIST. It gives you a baseline. It's not certifiable.
  • The EU AI Act is a regulation, a legal duty for firms in scope. Compliance is not a certification, but you can use AIME and ISO 42001 to demonstrate the operational processes the Act expects.
  • ISO/IEC 42001 is a certifiable management-system standard. It overlaps heavily with AIME and the EU AI Act, but it's independently audited by an accredited certification body, and you get a certificate you can show customers.

The right journey for most firms is: AIME baseline → close the highest-priority gaps → ISO 42001-aligned governance framework → certification readiness → stage 1 and stage 2 audits with a certification body. We package that as our ISO/IEC 42001 Certification Pathway retainer.

What the journey actually looks like

Plan for 12–18 months end-to-end for a firm starting from a low governance baseline. The phases:

  1. Gap analysis (4–6 weeks). Where does your current state sit against each ISO 42001 clause and Annex A control? Output: prioritised remediation backlog.
  2. Controls implementation (3–9 months, depending on starting point). Build out the management system: AI policy, risk register, impact assessments, lifecycle controls, supplier governance, incident management.
  3. Operate and evidence (3–6 months). The standard requires evidence that the system is operating, not just documented. Internal audit cycles, management reviews, and at least one full feedback loop.
  4. Certification audit (stage 1 and stage 2, weeks apart). An accredited certification body reviews your documentation (stage 1), then audits your operation in practice (stage 2).

"Plan for 12–18 months end-to-end. ISO 42001 isn't a sprint. It's a credible commercial commitment that compounds."

Is it right for you?

ISO 42001 is the right answer if any of these apply:

  • You're a SaaS firm whose customers are increasingly asking about AI governance.
  • You sell to regulated enterprise customers (financial services, healthcare, government) and you want a credentialled answer.
  • You operate in a high-risk AI domain (employment, credit, insurance, healthcare) and want a defensible trust signal.
  • You're already ISO 27001 certified and your management system can absorb 42001 efficiently.
  • You're investor-backed and your board is asking about responsible AI maturity.

It's probably not right yet if you're a five-person SME using ChatGPT and have no immediate enterprise procurement pressure. In that case, the AIME Health Check plus our Policy Starter Pack is the proportionate place to start.

The honest first step

Take the free Scorecard. If you're already in territory where 42001 makes sense, your readiness score and recommended next step will reflect it. If you're not, we'll tell you what's proportionate for where you are.