What is ISO 42001? An overview of the AI governance framework

ISO 42001 essentials

The full name of this standard is “ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system,” but for reasons of simplicity it is often called “ISO/IEC 42001” or simply “ISO 42001.”

The number “2023” in its name indicates the year of publication: it was published in December 2023, a little over a year after the launch of ChatGPT in November 2022 set off the current wave of interest in AI.

ISO 42001 was published jointly by ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission), which is why its formal designation is ISO/IEC 42001. ISO is not a body of governments but a non-governmental organization whose members are the national standards bodies of its member countries; each standard is drafted by a technical committee and must be approved by a vote of the member bodies before it is published. ISO standards are therefore recognized internationally, but each country decides for itself whether to adopt a standard or to reference it in regulation.

ISO 42001 is the leading international standard for managing AI systems: it specifies the requirements for an Artificial Intelligence Management System (AIMS), through which an organization identifies and reduces AI-related risks in a systematic way. In other words, it describes how to establish AI governance in order to build trustworthy AI.

Which companies can implement ISO 42001?

ISO 42001 is written in such a way that any type of organization, for profit or non-profit, large or small, from any industry, can comply with ISO 42001 requirements.

Basically, ISO 42001 is intended for organizations that develop, provide, or use AI systems. Since AI is becoming more and more prevalent in the business world, it is expected that this standard will become one of the most widely implemented management system standards, like ISO 9001, ISO 14001, or ISO 27001.

Is ISO 42001 mandatory?

For now, ISO 42001 is not mandatory because no country has yet prescribed that companies must implement this standard.

However, more and more jurisdictions are publishing AI regulations, such as the EU AI Act, and some of these regulations might reference ISO 42001 or accept its implementation as evidence of a structured approach to AI risk management.

In any case, companies that do implement ISO 42001 will find compliance with AI regulations much easier.

Why is ISO 42001 important?

AI is a new technology that brings huge benefits, but also significant risks — which is the reason many companies are skeptical about its use. This is why ISO 42001 is important — it describes how to manage AI systems in a systematic way, in order to decrease those risks.

For example, a company that uses an AI chatbot for customer support faces several risks: the chatbot providing incorrect or misleading information, leakage of personal data during conversations, or system downtime. To counter those problems, the company might use the following controls: a response validation control in which AI answers are checked against a curated knowledge base before being sent to users, cybersecurity and privacy controls (such as redacting personal data in the chatbot’s output) to prevent leakage, and a fallback mechanism in which a human agent takes over when the validation fails or the system is unavailable.
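The three chatbot controls above can be chained into an output-side guardrail. The following block is an added illustration, not code from the article or from any ISO document: the knowledge base, sample answers, regular expressions and the 0.6 grounding threshold are all constructed for the example, and the term-overlap grounding check stands in for the retrieval- or embedding-based check a real deployment would use. The control flow (validate against the knowledge base, redact personal data, hand off to a human when validation fails) is what the example is meant to show.

```python
"""Output-side guardrail for a customer-support chatbot (constructed example).

Controls demonstrated: grounding check against a knowledge base, redaction of
personal data in outgoing text, and hand-off to a human agent when a check
fails. Knowledge base, detectors and threshold are assumptions for this demo.
"""
import re
from dataclasses import dataclass, field

# Constructed knowledge base: the only statements the bot is allowed to assert.
KNOWLEDGE_BASE = [
    "Refunds are issued within 14 days of receiving the returned item.",
    "Support is available Monday to Friday from 9:00 to 17:00 CET.",
    "Orders can be cancelled free of charge before they are shipped.",
]
STOPWORDS = {"the", "a", "an", "of", "to", "is", "are", "and", "or", "in", "on",
             "be", "it", "we", "you", "your", "our", "within", "before", "from",
             "for", "with", "by", "that", "this", "will", "can"}
HUMAN_FALLBACK = "A support agent will get back to you shortly."

# Deliberately simple PII detectors (assumption: good enough for the demo;
# a real system would use a tested PII classifier).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
PLACEHOLDER_RE = re.compile(r"\[REDACTED \w+\]")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pii(text: str) -> tuple[str, list[str]]:
    """Replace e-mail addresses, phone numbers and Luhn-valid card numbers."""
    found: list[str] = []

    def card_sub(m: re.Match) -> str:
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            found.append("card")
            return "[REDACTED card]"
        return m.group(0)

    text = CARD_RE.sub(card_sub, text)  # cards first: they also look like phones
    text, n = EMAIL_RE.subn("[REDACTED email]", text)
    found += ["email"] * n
    text, n = PHONE_RE.subn("[REDACTED phone]", text)
    found += ["phone"] * n
    return text, found


def content_terms(text: str) -> set[str]:
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def grounding_score(sentence: str, kb: list[str] = KNOWLEDGE_BASE) -> float:
    """Share of the sentence's content terms found in the best-matching KB entry.

    Redaction placeholders are ignored so that redaction alone does not
    lower the score.
    """
    terms = content_terms(PLACEHOLDER_RE.sub("", sentence))
    if not terms:
        return 1.0
    return max(len(terms & content_terms(entry)) / len(terms) for entry in kb)


@dataclass
class Decision:
    deliver: bool  # True: send `text` to the user; False: hand off to a human
    text: str
    reasons: list[str] = field(default_factory=list)


def guard_response(answer: str, kb: list[str] = KNOWLEDGE_BASE,
                   threshold: float = 0.6) -> Decision:
    """Apply the three controls to a model answer before it reaches the user."""
    reasons: list[str] = []
    text, pii = redact_pii(answer)
    if pii:
        reasons.append(f"redacted personal data: {sorted(set(pii))}")
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]
    unsupported = [s for s in sentences if grounding_score(s, kb) < threshold]
    if unsupported:
        reasons.append(f"{len(unsupported)} sentence(s) not supported by the knowledge base")
        return Decision(False, HUMAN_FALLBACK, reasons)
    return Decision(True, text, reasons)


if __name__ == "__main__":
    for a in ["Refunds are issued within 14 days of receiving the returned item.",
              "Refunds are issued within 30 days and we also cover return shipping.",
              "Your card 4111 1111 1111 1111 will be charged."]:
        print(guard_response(a))
```

The order of the controls matters: redaction runs before the grounding check so that a sentence is not delivered just because its personal data was removed, and the hand-off decision is recorded with reasons so that the event can be monitored and audited later (the kind of record Clause 9 of the standard asks for).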

ISO 42001 describes how to assess those risks, and how to introduce the right AI controls — in other words, it describes how to use AI governance to build trustworthy AI systems.

Relationship between AI governance and ISO 42001

The word “governance” means a framework with a set of processes, structures, rules, and roles, and ISO 42001 is a framework that contains exactly this — it also defines how all of those things need to be done in the context of AI systems.

Since ISO 42001 is the leading international standard for managing AI, it has the potential to become the leading worldwide framework for AI governance, in the same way that ISO 27001 became the leading framework for information security governance.

Artificial Intelligence Management System (AIMS)

Actually, ISO 42001 does not use the phrase “AI governance,” but another phrase for the systematic governance of AI systems: Artificial Intelligence Management System, or AIMS.

Why is this so? Because ISO 42001 and other similar standards describe management systems — e.g., ISO 27001 describes Information Security Management Systems (ISMS), and ISO 9001 defines Quality Management Systems (QMS).

In any case, AIMS and AI governance basically have the same meaning.

But why is such systematic governance of AI systems needed in the first place? Because a company might have not only, e.g., an AI chatbot for customer support, but might also use AI systems internally for marketing materials, translation, the hiring process, training, and many other processes. On top of this, a company might develop AI systems, such as large language models, that could have a big impact on its customers or on society at large.

And without a systematic approach to managing all those AI systems, it would be very easy to miss some of the major risks — this is why a system that defines, e.g., how to perform the risk assessment, what kind of controls need to be used, how to control the whole system, etc., is crucial. And ISO 42001 provides the know-how for exactly such an AI Management System.

How does ISO 42001 work?

As mentioned earlier, the key concept in ISO 42001 is to assess the risks related to AI systems (i.e., to think through what could go wrong), and then define AI controls with which to decrease those risks (i.e., use various methods to prevent those problems).

ISO 42001 defines several requirements on how this risk assessment needs to be performed. For example, the AI risk assessment (clause 6.1.2) must consider how severe the consequences of a problem could be and how likely it is to happen, and, in addition, the AI system impact assessment (clause 6.1.4) requires assessing the potential consequences of an AI system not only for the company itself, but also for individuals and for society.

It also provides a list of 38 AI controls in its Annex A, which can be used to decrease those risks.

The structure and requirements of ISO 42001

ISO 42001 uses the high-level structure (HLS), now called the harmonized structure (HS) in the Annex SL of the ISO/IEC Directives, which means that it has the same clause names and structure as other management system standards, including ISO 27001, ISO 9001, ISO 14001, and ISO 22301.

Here is a list of the most important clauses and annexes from ISO 42001:

  • Clause 4, called “Context of the organization,” requires analyzing internal and external factors or issues, identifying stakeholder expectations, and defining the scope of the AIMS.
  • Clause 5, “Leadership,” specifies what the senior management must do, as well as how to define roles and responsibilities, and also how to create the AI Policy that will provide direction for the AI efforts.
  • Clause 6, “Planning,” focuses on managing AI risks, defining AI objectives, and planning changes to the AIMS.
  • Clause 7, “Support,” covers resources, competence, training, awareness, communication, and management of documents and records.
  • Clause 8, “Operation,” specifies requirements for operational planning and control over the AI system lifecycle.
  • Clause 9, “Performance evaluation,” sets requirements for monitoring, measuring, analyzing, and evaluating AI systems’ performance; conducting internal audits; and performing management reviews.
  • Clause 10, “Improvement,” covers corrective action and continual improvement of the AIMS.
  • Annex A is called “Reference control objectives and controls,” and it lists 38 controls organized into nine sections that describe how to reduce AI risks.
  • Annex B, “Implementation guidance for AI controls,” provides detailed guidance for each control from Annex A.

To see a list of all sub-clauses and their explanations, see this article: ISO 42001 Requirements: Clauses and Structure.

What is the process of ISO 42001 implementation?

For companies that implement an AIMS for the first time, it is recommended that they follow these steps:

  1. Obtain management support. (clause 5.1)
  2. Treat it as a project.
  3. Define your role for the AI system. (clause 4.1)
  4. Define stakeholders and their requirements. (clause 4.2)
  5. Define the scope. (clause 4.3)
  6. Write the AI Policy and define responsibilities. (clauses 5.2 and 5.3)
  7. Perform AI risk assessment and treatment. (clauses 6.1.2 and 6.1.3)
  8. Perform AI system impact assessment. (clause 6.1.4)
  9. Write the Statement of Applicability (SoA). (clause 6.1.3)
  10. Write the Risk Treatment Plan. (clause 6.1.3)
  11. Prepare supporting activities. (clause 7)
  12. Implement the AI controls. (Annexes A & B)
  13. Implement training & awareness. (clauses 7.2 and 7.3)
  14. Operate the AIMS. (clause 8)
  15. Monitor and measure the AIMS. (clause 9.1)
  16. Conduct the internal audit. (clause 9.2)
  17. Perform the management review. (clause 9.3)
  18. Implement corrective actions and continual improvement. (clause 10)

You’ll find a detailed description here: ISO 42001 Checklist of Implementation Steps.

ISO 42001 certification

The concept of “ISO 42001 certification” can be used in two different ways.

  1. When individuals want to get a certificate as confirmation of their knowledge about ISO 42001 — such certificates are issued by training providers based on an exam. See examples of ISO 42001 courses here.
  2. When companies implement ISO 42001 and want to certify that their AIMS is fully compliant with the standard. In this case, certificates are issued by third-party certification bodies after an audit of the AIMS; a certificate is only as credible as the body behind it, so it is worth checking that the certification body is accredited for ISO 42001 by a national accreditation body.

Supporting standards for ISO 42001

There are several other standards that can help you learn more about AI governance. Here are some of the most useful.

ISO 22989 explains artificial intelligence concepts and terminology, and is very useful for beginners in AI governance because it explains the basics.

ISO 23894 is guidance on AI risk management, and it is useful for professionals who want to learn more on how to assess and treat AI risks.

ISO 42005 is guidance on the AI system impact assessment, and it is useful for professionals who want to learn the details on how this assessment needs to be performed.

There are also numerous other standards that go into more depth for particular areas of AI; for example, ISO/IEC TR 24028 gives an overview of trustworthiness in AI.

Also worth mentioning is the AI Risk Management Framework (AI RMF 1.0) developed by the U.S. National Institute of Standards and Technology (NIST) and published in January 2023; it provides voluntary guidance for trustworthy AI, emphasizing a risk-based approach and stakeholder trust.

Similarities to other ISO standards

As mentioned above, ISO 42001 is aligned with the high-level structure; in addition, many of its clauses are very similar to those of other ISO standards — consequently, many activities in the AIMS are very similar to those in these standards:

  • Resources management
  • Training and awareness
  • Document and record control
  • Internal audit
  • Management review
  • Corrective actions
  • etc.

However, ISO 42001 is most similar to ISO 27001, since it has very similar requirements for risk management, the Statement of Applicability, and the selection of controls from Annex A.

To learn more, see this article: ISO 42001 vs. ISO 27001: Similarities and differences.

To learn about the details of ISO 42001, sign up for this free ISO 42001 Foundations Course; it will give you a detailed overview of each clause of this AI governance standard, together with practical examples of how to implement them.

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this. As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.