Compliance · February 14, 2025

Get ISO/IEC 42001 Certified: Complete AI Management System Guide

Step-by-step guide to ISO/IEC 42001 certification for AI management systems. Learn the requirements, controls, and certification path for the world's first international AI standard.

TL;DR: ISO/IEC 42001 is the world's first international standard for AI management systems. Published in December 2023, it provides a certifiable framework for responsible AI development and deployment.

Organizations have ISO 9001 for quality, ISO 27001 for security, and now ISO/IEC 42001 for AI. This isn't another voluntary guideline—it's a certifiable standard that auditors can verify.

Pro tip: If you already have ISO 27001 or ISO 9001, ISO/IEC 42001 uses the same Annex SL structure. You're not starting from scratch—you're extending your existing management system.

Why a Management System Standard?

  • What: Requirements
  • How: Controls
  • Who: Governance
  • When: Continuous

ISO/IEC 42001 applies this proven structure to AI. It doesn't tell you how to build AI—it tells you how to manage AI responsibly.


The AIMS Structure

flowchart TB
    subgraph PLAN["PLAN"]
        P1[Context]
        P2[Leadership]
        P3[Planning]
    end

    subgraph DO["DO"]
        D1[Support]
        D2[Operation]
    end

    subgraph CHECK["CHECK"]
        C1[Performance Evaluation]
    end

    subgraph ACT["ACT"]
        A1[Improvement]
    end

    PLAN --> DO --> CHECK --> ACT --> PLAN

    style PLAN fill:#10b98115,stroke:#10b981
    style DO fill:#3b82f615,stroke:#3b82f6
    style CHECK fill:#a855f715,stroke:#a855f7
    style ACT fill:#f59e0b15,stroke:#f59e0b

The AI Management System (AIMS) follows the Plan-Do-Check-Act cycle familiar from other ISO standards.


Key Requirements

Clause 4: Context of the Organization

Before building an AIMS, you must understand:

  • Who are your interested parties (stakeholders)?
  • What are their requirements regarding AI?
  • What's the scope of your AI activities?
  • What internal and external factors affect your AI use?

Clause 5: Leadership

Top management must:

  • Establish AI policy
  • Define roles and responsibilities
  • Ensure adequate resources
  • Promote risk-based thinking

This isn't optional. Without executive commitment, certification isn't possible.

Clause 6: Planning

You must plan for:

  • Risk assessment and treatment
  • AI objectives and how to achieve them
  • Changes to the management system

Clause 7: Support

The organization needs:

  • Competent personnel
  • Adequate resources
  • AI system documentation
  • Communication processes

Clause 8: Operation

This is where the AI-specific requirements live:

  • AI system impact assessment
  • AI system lifecycle processes
  • Data management
  • Third-party relationships

Clause 9: Performance Evaluation

You must:

  • Monitor and measure AI system performance
  • Conduct internal audits
  • Perform management reviews

Clause 10: Improvement

When things go wrong:

  • Address nonconformities
  • Take corrective action
  • Continuously improve the AIMS

Annex A: Controls

ISO/IEC 42001 includes 37 controls across 8 domains:

  • A.5 AI Policies: Organizational AI governance
  • A.6 Internal Organization: Roles, responsibilities, segregation
  • A.7 Resources: Data, tools, system management
  • A.8 AI Lifecycle: Development, deployment, monitoring
  • A.9 Third Parties: Suppliers, partners, customers
  • A.10 Use of AI: Responsible use, impact assessment

Certification Path

Getting certified involves:

  1. Gap analysis: Compare current practices to requirements
  2. Implementation: Build or improve your AIMS
  3. Internal audit: Verify your own compliance
  4. Stage 1 audit: Auditor reviews documentation
  5. Stage 2 audit: Auditor verifies implementation
  6. Certification: 3-year certificate with annual surveillance

Relationship to Other Standards

ISO/IEC 42001 is designed to integrate with:

  • ISO 27001: Information security
  • ISO 9001: Quality management
  • ISO 27701: Privacy
  • EU AI Act: Maps to high-risk requirements

If you already have ISO certifications, ISO/IEC 42001 uses the same Annex SL structure, making integration straightforward.


Certification Roadmap

Phase 1: Gap Analysis. Compare current AI practices against ISO/IEC 42001 requirements. Identify what you have vs. what you need.

Phase 2: AIMS Implementation. Build your AI Management System: policies, processes, controls, and documentation.

Phase 3: Internal Audit. Verify your own compliance before the external auditor arrives.

Phase 4: Stage 1 Audit. External auditor reviews your documentation and readiness.

Phase 5: Stage 2 Audit. External auditor verifies your implementation is working in practice.

Phase 6: Certification. 3-year certificate with annual surveillance audits.

Warning: Documentation alone won't get you certified. Auditors verify implementation—your AIMS must be actively used and producing records.

Key Takeaway

ISO/IEC 42001 transforms AI governance from good intentions into certifiable practice. It provides the structure for managing AI responsibly and the evidence to prove it. Early adopters will have an advantage as customers and regulators increasingly demand AI assurance.

Empress provides the operational records ISO/IEC 42001 requires. Every AI decision, impact assessment, and monitoring event is logged in a format auditors can verify—accelerating your path to certification.
