The first global standard for AI. Prove you govern it responsibly.
ISO 42001 is the world's first certifiable AI management system standard. Whether you build AI, embed it, or simply use it, certification shows customers, regulators and partners that your AI is governed, not improvised. And it runs on the same management system you already use for ISO 27001.
- Builds on your existing IMS
- 38 controls mapped
- Certifiable in 3 to 6 months
AI moved faster than your governance. The standard caught up.
The trust question
Customers, partners and procurement teams now ask how you govern AI. Without a recognised framework, you are answering case by case. ISO 42001 lets you answer once, with evidence.
Regulation is converging
The EU AI Act is phasing in, Australia's Voluntary AI Safety Standard names ISO 42001 directly, and GCC strategies are pushing AI governance. One management system supports all of them.
First-mover advantage
Published in December 2023, it is the only certifiable AI standard, and it is still early days. AWS, Microsoft, Anthropic and Saudi Arabia's SDAIA were among the first to certify. Certifying now is a genuine signal.
For anyone who builds, embeds or uses AI.
ISO 42001 applies to organisations of any size and sector. The controls flex to your role in the AI supply chain.
You build AI
Developers and AI-native products. Life cycle, training data, robustness and testing controls apply in full.
You embed AI
SaaS and scale-ups adding AI features. Prove governance to enterprise buyers running due diligence on your AI.
You deploy or use AI
Operational businesses, professional services and government suppliers using AI tools. Impact assessment, human oversight and disclosure apply.
Every sector and size
Tech, government, enterprise, startups, scale-ups and operational businesses. The standard is deliberately universal.
38 controls, nine objective groups.
Annex A groups the controls by what they govern. You select what applies to your scope and document it in a Statement of Applicability.
AI policy & accountability
An AI policy aligned to your other policies, with clear roles, ownership and a route to raise concerns.
AI system inventory & resources
A record of the AI systems you run and the data, tooling, compute and people behind them.
AI impact assessment
A documented assessment of how each AI system affects individuals, groups and society. The genuinely new requirement.
AI system life cycle
The largest group: design, data, bias, robustness, testing, human oversight, logging and deployment.
Data for AI
Data provenance, quality, representativeness and the handling of personal information used to build or run AI.
Transparency & third parties
Disclosing AI use and limits to affected people, governing intended use and misuse, and managing AI suppliers.
The AI impact assessment. Not the same as a privacy DPIA.
A privacy impact assessment asks what happens to personal data. An AI impact assessment asks something broader: how could this system affect the people and communities it touches, even where personal data is not the issue. Think bias, fairness, safety and societal effect. It is the heart of ISO 42001 and the part most organisations have never formally done.
- Assesses impact on individuals, groups and society, not just the business
- Covers bias, fairness, safety, transparency and misuse
- Runs alongside a DPIA; it does not replace it
- Repeatable and documented, so it stands up at audit
The world's first AI management system standard, published December 2023.
Across nine objective groups, selected to your scope and documented.
For a business that already runs an ISO management system in good standing.
Already certified to 27001? You're most of the way there.
ISO 42001 uses the same High Level Structure as 9001, 14001, 45001 and 27001. Your management review, internal audit programme, non-conformance workflow, risk methodology and document vault all carry across. You are extending the system you already run, not building a second one.
- Management review and internal audit add AI to the existing schedule
- Your NCR and corrective action workflow handles AI findings unchanged
- Supplier and privacy controls are largely mapping, not new work
- The genuine additions are the AI impact assessment and AI-specific controls
- One workspace, one dashboard, one evidence trail across every framework
Australia, the GCC and beyond.
Named in the national standard.
- The Voluntary AI Safety Standard names AS ISO/IEC 42001 as the leading AI management standard.
- Government AI use now requires a documented AI impact assessment before deployment.
- The National AI Plan takes a risk-based approach, uplifting existing law rather than introducing a single AI Act.
A government-led head start.
- Saudi Arabia's SDAIA was the first organisation in the world certified to ISO 42001.
- The UAE AI Charter and National AI Strategy 2031 are pushing governance across sectors.
- Regional enterprises are beginning to certify as procurement expectations rise.
The governance foundation.
- The EU AI Act is phasing in: AI transparency duties from August 2026, with high-risk obligations following from 2027.
- ISO 42001 is the recognised governance foundation, not a substitute for per-system compliance.
- AWS, Microsoft and Anthropic certified early to signal responsible AI to the market.
Your 42001 programme running every day. Not just before certification.
Clause-by-clause coverage
Every clause mapped from day one. Controls assessed, linked to evidence, gaps surfaced as they appear.
Annex A tracking
All 38 controls assessed against your scope. Statement of Applicability generated and maintained.
AI inventory & impact assessments
Your AI systems registered and impact-assessed on a repeatable, documented, auditable process.
Data & life cycle controls
Data quality, provenance, bias, robustness and human oversight tracked across the AI life cycle.
Internal audit programme
42001 clauses on your audit schedule alongside your other frameworks. Findings tracked to closure.
Integrated with your IMS
42001 sits beside 9001, 14001, 45001 and 27001. One dashboard, one audit schedule, one evidence trail.
Common questions.
We only use third-party AI like Copilot or ChatGPT. Does it still apply?
Yes. ISO 42001 covers organisations that use and deploy AI, not just those that build it. Some development-only controls can be excluded with justification, but impact assessment, human oversight, disclosure and third-party governance still apply.
Do we need a data science or AI team to get certified?
No. Someone needs to own the AI management system, but it is a governance role, not a technical one. Quality and compliance managers run 42001 programmes successfully, and Vissibl provides the structure.
Does ISO 42001 make us compliant with the EU AI Act?
Not on its own. ISO 42001 is a voluntary management system standard and is not a harmonised standard under the Act, so it does not grant presumption of conformity. It is the governance foundation that maps onto AI Act obligations and accelerates compliance, not a substitute for assessing each system.
We already hold ISO 27001. How much extra work is 42001?
Less than most expect. The shared High Level Structure means your management review, internal audit, risk and corrective action processes transfer. The practical additions are the AI impact assessment and the AI-specific controls.
How long does certification take?
For a business with an existing management system in good standing, typically three to six months. Vissibl surfaces your gap position on day one, so you know where you stand before Stage 1.

See where your AI governance stands before a customer or regulator asks.
Bring your existing documentation and AI tools. We run Vissi Audit against ISO 42001 and surface your gaps in 11 minutes. No prep, no obligation.