Platform
Solutions
Partners
Why NMT
Resources
Contact Us
GuidesFrameworks & Standards

What is ISO 42001?

ISO/IEC 42001 is the first international standard for governing AI. If your organisation builds or uses AI, it is the framework to know.

6 min read

ISO/IEC 42001:2023 is the first international standard for an Artificial Intelligence Management System (AIMS). It does for AI what ISO 27001 does for information security: it gives organisations a certifiable, risk-based way to govern how AI is developed, deployed, and used responsibly.

As AI moves into core products and workflows, customers, regulators, and boards increasingly ask how it is governed. ISO 42001 is becoming the answer, and this guide covers what it involves.

Key takeaways
  • ISO 42001 is a certifiable management-system standard for AI, launched in 2023.
  • It is risk-based and lifecycle-focused, covering how AI is built, bought, and used.
  • It complements ISO 27001 and maps well to the NIST AI RMF and the EU AI Act.
  • It signals to customers and regulators that your AI use is governed, not ad hoc.

What an AIMS covers

An AI Management System is the set of policies, roles, and controls for governing AI across its lifecycle. ISO 42001 expects you to define scope and objectives, assess AI-specific risks and impacts, put controls in place to treat them, and continually improve, with leadership accountability throughout.

AI-specific concerns it addresses

Beyond general security, ISO 42001 targets risks that are unique to AI:

  • Data quality, provenance, and bias in training and inputs.
  • Transparency and explainability of AI decisions.
  • Impact assessments for people affected by AI systems.
  • Human oversight and accountability for AI outcomes.
  • Governance of third-party and foundation models you consume.

How it fits with what you already do

ISO 42001 is designed to sit alongside ISO 27001 and reuse its management-system structure, so an organisation already certified for information security has a head start. It also aligns with the NIST AI RMF and supports readiness for the EU AI Act, letting one governance programme serve several obligations.

Frequently asked questions

Is ISO 42001 only for companies that build AI?
No. It applies to organisations that develop, provide, or use AI systems. Most organisations consume far more AI than they build, and governing that use is squarely in scope.
How does ISO 42001 relate to ISO 27001?
They share the same management-system structure. ISO 27001 governs information security; ISO 42001 governs AI. Many controls and processes overlap, so they are efficient to run together.
Does ISO 42001 satisfy the EU AI Act?
It is not a substitute for legal compliance, but adopting ISO 42001 builds much of the governance the EU AI Act expects, making act-readiness far easier.
How does NMT help with ISO 42001?
NMT helps you discover where AI is used, set policy from frameworks, evaluate AI usage against those policies, and maintain the evidence an AIMS requires.

Govern your AI with confidence

Start by seeing how AI is used across your organisation, then govern it against a framework.

Talk to us
Related
Guide: What is AI Governance? Guide: What is ISO 27001? NOVA DRIM platform