The world's first AI management system standard. We implement your AIMS, align it with the EU AI Act, and prepare you for certification — before your enterprise buyers start asking.
ISO/IEC 42001:2023 is the world's first international standard for AI Management Systems (AIMS). Published in December 2023, it provides a framework for organisations that design, develop, or deploy AI systems to manage associated risks responsibly — covering AI governance, transparency, accountability, bias identification, and continual improvement throughout the AI system lifecycle.
Enterprise buyers are beginning to include AI governance questions in security questionnaires. The EU AI Act came into force in August 2024 and imposes ongoing governance obligations on AI providers operating in the EU. Regulators in the UK, US, and Singapore are developing parallel AI governance frameworks.
ISO 42001 is voluntary — but it is rapidly becoming the benchmark that enterprise procurement and regulatory compliance will measure against. AI startups that adopt it now build a durable competitive advantage: they can answer governance questions confidently, demonstrate responsible AI practices to investors and customers, and have a certification-body-validated AIMS ready when regulators start asking harder questions.
ProtectifyAI is one of the few implementation teams in the UK with hands-on ISO 42001 experience. We have seen what certification bodies expect, and we build AIMS programmes that pass the first time.
AI system inventory, scope definition, context of the organisation, and AIMS boundary documentation aligned to ISO 42001 clause 4.
AI-specific risk methodology, risk register covering bias, fairness, transparency, and safety risks across your AI systems.
Full policy suite covering AI system development, deployment, monitoring, and decommissioning — aligned to Annex A controls.
Documentation of AI system capabilities, limitations, and intended use — the controls enterprise buyers and regulators ask for most.
Bias identification processes, fairness metrics, and ongoing monitoring cadence for your AI models and outputs.
Risk classification under the EU AI Act, conformity assessment mapping, and documentation pack for high-risk AI systems.
KPIs for AI system performance, monitoring processes, and management review documentation required by the standard.
Certification body selection (ISO 42001 is new — not all bodies are accredited), audit preparation, and certificate procurement.
| Phase | Duration | What happens |
|---|---|---|
| 01 | Weeks 1–2 | AI system inventory, scope definition, gap assessment against ISO 42001 clauses 4–10, certification body identification |
| 02 | Weeks 3–6 | AI risk assessment methodology, risk register build, AIMS policy creation, Annex A control selection and Statement of Applicability |
| 03 | Weeks 7–12 | Control implementation — transparency documentation, bias monitoring, performance evaluation processes, supplier AI management |
| 04 | Weeks 13–15 | Internal audit, management review, EU AI Act alignment mapping, pre-certification readiness review |
| 05 | Weeks 16–20 | Stage 1 and Stage 2 audits with accredited certification body. Certificate issued on successful completion. |
| Factor | ISO 42001 | EU AI Act |
|---|---|---|
| Type | Voluntary certification standard | Mandatory regulation (EU) |
| Who it applies to | Any organisation using or building AI | AI providers/deployers operating in the EU |
| Output | AIMS certification from accredited body | Legal compliance obligation |
| Risk classification | Organisation-defined | Prescribed (Prohibited / High-risk / Limited / Minimal) |
| Relationship | ISO 42001 provides the governance framework that underpins EU AI Act compliance — organisations certified against ISO 42001 are better positioned for EU AI Act conformity | |
| Enforcement started | Available now | Phased from August 2024 — prohibited AI: Feb 2025; High-risk: Aug 2026 |
The 38-point checklist we use before every ISO 42001 engagement — covering AIMS scope, AI risk assessment, Annex A controls, transparency documentation, and EU AI Act alignment. Enter your email to receive it.
Outcome-based pricing — fixed fee, payable on certification. No hourly meters.
Certification body fees are separate. ISO 42001 is new — not all certification bodies are accredited. We identify the right body for your scope.
ISO/IEC 42001:2023 is the world's first international standard for AI management systems. It was published in December 2023 and provides a framework for organisations that design, develop, or deploy AI to manage AI-specific risks — covering governance, transparency, accountability, bias, and continual improvement throughout the AI lifecycle.
ISO 42001 is relevant to any organisation that creates, deploys, or uses AI systems. It is particularly important for AI startups selling to enterprise buyers in the UK and EU, where AI governance is increasingly part of procurement due diligence — and for any AI company operating in the EU under the EU AI Act.
ISO 42001 is not yet a harmonised standard for EU AI Act conformity, but it provides the systematic AI risk management and governance framework the Act requires. Organisations certified against ISO 42001 will be significantly better positioned when the final QMS conformity standard is released — and already demonstrate responsible AI governance to regulators and customers now.
ISO 42001 implementation typically takes 3–5 months from engagement start to certification. For organisations already certified against ISO 27001, the timeline is shorter — the management system structure is familiar, and approximately 40% of ISO 42001 requirements overlap with ISO 27001.
ISO 42001 is a voluntary standard. However, it is rapidly becoming the benchmark for AI governance in enterprise procurement and regulatory frameworks. Early adoption provides competitive advantage, demonstrates responsible AI practices to investors and customers, and positions your organisation ahead of regulatory developments.
Both standards use the ISO High Level Structure (HLS), meaning their management system frameworks are compatible. Organisations already certified against ISO 27001 can extend their ISMS to cover AI management with significantly less effort than building from scratch. ProtectifyAI specialises in combined ISO 27001 + ISO 42001 implementations for AI startups.
45 minutes on your AI compliance situation. No follow-up sequences if we're not the right fit.
Book a working session →