Glossary · Frameworks & standards
What is ISO 42001?
Also known as: ISO/IEC 42001, ISO 42001:2023, AI management system standard, AIMS
ISO 42001 is the world's first international standard for an artificial intelligence management system (AIMS), published in 2023 by ISO and IEC. It defines requirements for governing the responsible development and use of AI, including an AI impact assessment, and is certifiable by an accredited registrar. Annex A provides 38 controls across nine objectives.
Key takeaways
- ISO 42001:2023 is the first certifiable AI management system (AIMS) standard.
- It requires an AI impact assessment to evaluate effects on individuals and society.
- Annex A contains 38 controls organized under nine control objectives.
- It mirrors the management-system structure of ISO 27001, so the two integrate cleanly.
- Aimed at any organization that develops, provides, or uses AI systems.
Why a dedicated AI management standard?
AI introduces risks that traditional security and quality standards do not fully address - bias, opacity, automated decision-making, model drift, and broad societal impact. ISO 42001 gives organizations a structured, auditable way to govern these risks across the AI lifecycle, from design and data through deployment and monitoring.
Like ISO 27001, it follows the harmonized ISO management-system structure (clauses 4 to 10), so an organization with an existing ISMS can extend its governance to AI rather than start from scratch.
What does ISO 42001 require?
The standard requires leadership to set an AI policy, define roles, assess AI-related risks, and crucially conduct an AI impact assessment that considers consequences for individuals, groups, and society. Organizations must manage the AI system lifecycle, data quality, transparency, and supplier relationships.
- An AI policy and clear governance roles and responsibilities.
- Risk assessment and treatment specific to AI systems.
- An AI impact assessment documenting effects on people and society.
- Lifecycle controls for data, development, deployment, and monitoring.
- 38 Annex A controls grouped under nine objectives.
How it relates to the EU AI Act and NIST AI RMF
ISO 42001 complements emerging AI regulation. The EU AI Act sets legal obligations for high-risk AI in Europe, while the NIST AI RMF offers a voluntary US risk framework. ISO 42001 provides a certifiable management system that can serve as the operational backbone for demonstrating conformity with both.
Organizations often combine them: NIST AI RMF for risk language, the EU AI Act for legal requirements where applicable, and ISO 42001 as the auditable governance system that ties controls together.
Governing and attack-testing AI together
Governance alone does not prove an AI system is resilient. CATAAM is built to both govern and attack-test AI: it maps ISO 42001 AIMS controls alongside breach and attack simulation against AI pipelines, so organizations can show not only that an impact assessment was performed but that the system withstands adversarial testing.
Frequently asked questions
- Is ISO 42001 a certification?
- Yes. ISO 42001 is a certifiable management-system standard; an accredited registrar can audit and certify your AIMS, similar to ISO 27001.
- How many controls does ISO 42001 have?
- Annex A lists 38 controls organized under nine control objectives covering policies, resources, lifecycle, data, and impact.
- Who should adopt ISO 42001?
- Any organization that develops, provides, or uses AI systems - including those embedding third-party models - can use it to demonstrate responsible AI governance.
- Does ISO 42001 satisfy the EU AI Act?
- Not by itself, but it provides a strong operational foundation. The EU AI Act imposes specific legal duties, and ISO 42001 helps organize the governance and evidence needed to meet them.