ISO 42001 certification

ISO 42001, AI management system, made practical

The world's first AI management system standard is here. ISO 42001 turns responsible AI into an operating model, not a slide deck. VerifyWise translates its requirements into a plan with owners, timelines, and evidence your auditor can trust.

Start free gap assessment Book roadmap call

What is ISO 42001?

ISO 42001 is an international standard that sets requirements for establishing, implementing, maintaining and continually improving an Artificial Intelligence Management System (AIMS). It is built for organizations that provide, develop or use AI systems, making responsible AI measurable and auditable.

Why this matters now: It gives you a structured way to govern AI, prove accountability and prepare for regulation while keeping innovation moving.

Risk-based

Apply controls based on your AI risk profile

Plan-Do-Check-Act

Continuous improvement cycle

Complements EU AI Act compliance and aligns with NIST AI RMF practices.

Who needs ISO 42001?

AI providers & developers

Build or deploy AI systems

AI users

Rely on third-party AI in products or workflows

Regulated industries

Need to prove AI governance to customers & regulators

ISO-certified organizations

Integrates with ISO 27001 & ISO 9001

How VerifyWise supports ISO 42001 certification

Concrete capabilities that address specific standard requirements

AI system inventory with context mapping

Register every AI system with structured metadata covering intended purpose, stakeholders and operational context. The platform captures the information Clause 4 requires about your organization's AI landscape and helps define clear AIMS boundaries.

Addresses: Clause 4 (Context of the organization), Clause 8.2 (AI system impact assessment)

Risk assessment and treatment workflows

Identify AI-specific risks using structured assessment methods, assign risk owners and document treatment decisions. The platform tracks residual risk acceptance and generates the risk registers auditors expect under Clause 6.1 and Annex A controls.

Addresses: Clause 6.1 (Actions to address risks), Annex A.3 (Risk management)

Policy generation and document control

Generate AI policies aligned with ISO 42001 requirements using built-in templates. The platform maintains version history, approval workflows and access controls that satisfy Clause 7.5 documented information requirements.

Addresses: Clause 5.2 (AI policy), Clause 7.5 (Documented information)

Lifecycle controls and deployment gates

Configure stage gates for AI system development, testing and deployment. The platform captures verification and validation evidence, tracks change requests and maintains the operational records Clause 8 requires.

Addresses: Clause 8 (Operation), Annex A.5-A.7 (AI system lifecycle)

Monitoring dashboard and performance tracking

Track AI system performance metrics, model drift indicators and incident patterns. The platform consolidates monitoring data for management reviews and provides the performance evaluation evidence Clause 9 requires.

Addresses: Clause 9 (Performance evaluation), Annex A.9 (Improvement)

Internal audit and continuous improvement

Plan and execute internal audits with built-in checklists mapped to ISO 42001 clauses. The platform tracks findings, corrective actions and improvement initiatives to demonstrate the Clause 10 improvement cycle.

Addresses: Clause 9.2 (Internal audit), Clause 10 (Improvement)

All compliance activities are tracked with timestamps, assigned owners and approval workflows. This audit trail demonstrates systematic governance rather than documentation created after the fact.

Complete ISO 42001 requirements coverage

VerifyWise provides dedicated tooling for every clause and Annex A control

ISO 42001 requirements

Requirements with dedicated tooling

100%

Coverage across all clauses

Clause 44/4

Context of the organization

Clause 53/3

Leadership

Clause 63/3

Planning

Clause 75/5

Support

Clause 84/4

Operation

Clause 93/3

Performance evaluation

Clause 102/2

Improvement

Annex A38/38

Reference controls (38 controls)

Built for ISO 42001 from the ground up

Statement of Applicability

Generate your SoA with control justifications and evidence links

Management review pack

Consolidated reporting for Clause 9.3 management reviews

AI impact assessments

Structured workflows for Clause 8.2 impact evaluation

Supplier governance

Third-party AI management per Annex A.8 requirements

90 days to audit-ready

Your implementation roadmap with clear phases and deliverables

Days 0-15

Get organized

Confirm scope, roles, and objectives
Import systems into model inventory
Stand up policy set and training plan

Days 16-45

Close the big gaps

Run risk and impact assessments on priority systems
Implement high-value controls
Turn on logging and evidence capture

Days 46-75

Operationalize

Complete internal audit and management review
Finish Statement of Applicability
Generate Stage 1 evidence pack

Days 76-90

Prove it works

Dry-run interviews with owners
Collect samples for Stage 2
Lock improvement plan and schedule audit

38 Annex A controls, simplified

Apply controls based on risk - you justify choices in your Statement of Applicability

Strategy & policy

AI policy
Objectives
Roles
Competence
Awareness

Lifecycle governance

Requirements management
Change control
V&V
Deployment gates

Data & models

Data quality
Dataset suitability
Model versioning
Evaluation

Risk & impact

Risk methods
Thresholds
Treatment
Acceptance

Transparency & records

Model cards
User information
Logging
Traceability

Human oversight

Oversight design
Fallback
Rollback
Incident response

Security & robustness

Threat modeling
Adversarial robustness
Vulnerability handling

Third-party management

Supplier evaluation
Contracts
Intake
Monitoring

Improvement

Internal audits
Management reviews
Corrective actions
KPIs

What auditors will look for

Certification uses a two-stage audit by an accredited body, then annual surveillance

Stage 1

Readiness & design

Documentation review

AIMS documentation
Scope & policies
Risk & impact methods
Control design
Internal audit
Management review

Stage 2

Effectiveness

Operational evidence

Control implementation
Process interviews
Sample testing
Lifecycle records
Performance data
Incident handling

Surveillance

Maintenance

Annual reviews

Control updates
New risks addressed
Corrective actions
Continuous improvement
Scope changes
Recertification prep

Evidence your auditor will expect

VerifyWise generates and organizes the documentation you need

Scope & inventory

In-scope systems, roles, and boundaries

Generated from: Model inventory and scope wizard

Policies & procedures

Approved AI policy, lifecycle procedures

Generated from: Policy generator with version history

Risk & impact records

Assessments with treatments and acceptance

Generated from: Risk register and assessment workflows

Lifecycle records

Testing, evaluation, deployment gates

Generated from: Release management and CI/CD integration

Monitoring & incidents

Logs, alerts, drift findings

Generated from: Monitoring dashboard and incident tracker

Audit & reviews

Plans, reports, actions, follow-ups

Generated from: Audit module and management review tracker

Policy templates

Complete AI governance policy repository

Access 37 ready-to-use AI governance policy templates aligned with ISO 42001, EU AI Act and NIST AI RMF requirements

Core governance

• AI Governance Policy
• AI Risk Management Policy
• Responsible AI Principles
• AI Ethical Use Charter
• Model Approval & Release
• AI Quality Assurance
+ 6 more policies

Data & security

• AI Data Use Policy
• Data Minimization for AI
• Training Data Sourcing
• Sensitive Data Handling
• Prompt Security & Hardening
• Incident Response for AI
+ 2 more policies

Lifecycle & compliance

• AI Vendor Risk Policy
• Model Lifecycle Management
• AI Testing & Validation
• Human Oversight Policy
• AI Documentation Standards
• Continuous Monitoring
+ 7 more policies

Browse all policy templates

Frequently asked questions

Common questions about ISO 42001 certification

No, it is voluntary. Certification signals trust and maturity to customers and regulators and can be a competitive advantage in enterprise sales cycles. Some organizations pursue certification to satisfy customer due diligence requirements or to prepare for anticipated regulatory expectations.

It depends on scope and readiness. Teams familiar with ISO programs can move faster because the process mirrors ISO 27001 and 9001 with Stage 1, Stage 2 and annual surveillance. Organizations typically achieve certification within 3-6 months with proper preparation. Complex organizations with many AI systems may need longer.

No, you apply controls based on risk and context, then justify choices in your Statement of Applicability (SoA). The risk-based approach allows you to focus on controls relevant to your AI systems and use cases. You must document why excluded controls are not applicable to your scope.

ISO 27001 focuses on information security management while ISO 42001 addresses AI-specific governance including model lifecycle, data quality, bias mitigation and human oversight. They share the same high-level structure (Clauses 4-10) which simplifies integration. Organizations often pursue both, using ISO 27001 for general security and ISO 42001 for AI-specific controls.

Yes. ISO 42001 shares the harmonized structure with other management system standards, so integration reduces duplicate work and strengthens your existing programs. Common integration points include risk management processes, document control, internal audit and management review.

You still need governance over selection, usage, transparency and monitoring. ISO 42001 expects you to manage suppliers per Annex A.8 controls and maintain evidence of ongoing oversight, even when using external AI services. This includes evaluating provider documentation, monitoring performance and managing contractual requirements.

ISO 42001 requires documented information including your AI policy, AIMS scope, risk assessment methodology, Statement of Applicability, AI system impact assessments, operational procedures and records of performance evaluation. Clause 7.5 specifies document control requirements. The standard emphasizes proportionality, so documentation should match your organization's complexity.

Internal audits per Clause 9.2 must cover all AIMS requirements at planned intervals. Auditors should be independent of the areas they audit and competent in both ISO 42001 requirements and AI concepts. Audit findings feed into management reviews and corrective action processes. Many organizations audit AI controls quarterly and conduct full AIMS audits annually.

Annex A controls cover data quality, dataset suitability and model evaluation including fairness considerations. The standard requires organizations to identify and mitigate risks from biased training data or discriminatory outcomes. Clause 8.2 impact assessments should evaluate potential harms to affected parties.

Certificates are valid for 3 years with annual surveillance audits. You need to maintain your AIMS, conduct internal audits and management reviews and demonstrate continuous improvement. Surveillance audits verify ongoing compliance. At the 3-year mark you undergo recertification with a full Stage 2 audit.

Select an accredited certification body with experience in AI and technology sectors. Look for auditors who understand your industry context and can provide valuable insights beyond compliance checking. ANAB, UKAS and DAkkS are key accreditation bodies to look for. Ask about auditor qualifications and experience with AI systems.

While different in purpose, ISO 42001 provides a strong foundation for EU AI Act compliance. The management system approach helps operationalize many AI Act requirements like risk management, documentation and monitoring. Specific AI Act obligations around prohibited practices, conformity assessment and incident reporting still need separate attention.

Yes, you define your AIMS scope in Clause 4.3. The scope can cover specific AI systems, business units or use cases rather than all AI across the organization. A well-defined scope makes certification more achievable and focused. You can expand scope over time as your AIMS matures.

Clause 7.2 requires personnel affecting AIMS performance to be competent based on education, training or experience. This includes AI developers, operators, risk managers and governance staff. You need to identify competence requirements for each role, provide training where gaps exist and retain records of competence. Training typically covers AI concepts, your organization's AIMS procedures and role-specific technical skills.

Yes, the standard is scalable. Smaller organizations can implement proportionate controls and documentation. The key is focusing on what's material to your AI risks rather than creating excessive bureaucracy. Many controls can be streamlined for smaller teams while still meeting certification requirements.

Ready to achieve ISO 42001 certification?

Turn your AI governance into a certified management system with our comprehensive platform and expert guidance.

Start free gap assessment Book roadmap call