ISO/IEC 42001:2023 · AI management systems
ISO 42001: what it is, what it requires, and the documents you need
ISO/IEC 42001:2023 is the international standard for an AI management system - a framework for governing how an organisation develops, provides or uses artificial intelligence responsibly. This is what it requires, the Annex A controls, a rollout checklist, and the exact document set you need.
Overview
What is ISO 42001?
ISO/IEC 42001:2023, published in December 2023, is the first international management-system standard for artificial intelligence. It defines the requirements for an AI management system (AIMS): the policies, processes and controls an organisation uses to develop, provide or use AI responsibly, and to keep improving how it does so.
Like ISO 27001, it follows the Annex SL harmonised structure, so if you already run a management system the shape will be familiar - a policy, a risk-and-impact assessment, a set of controls chosen for your scope, and the records that prove the system is working.
Who needs ISO 42001?
Organisations that build, deploy, procure or embed AI systems - and increasingly those being asked by customers, procurement teams or regulators to show they govern AI responsibly. That includes a SaaS company shipping an LLM feature, an MSP managing AI tools for clients, or any business adopting AI in a decision that affects people.
Is ISO 42001 a certification?
The standard is the set of requirements; an accredited certification body can audit and certify an organisation against it. Certification, its cost and any exam or training pathway are a separate job from producing the documentation - for that pathway, the Mindset Cyber family provides PECB-accredited ISO 42001 training and MindsetPrep covers exam preparation. PolicyMint produces the documentation you are audited against, not the certificate.
The requirements
The management-system clauses (4-10)
Clauses 4 to 10 are the mandatory core of the AIMS. They apply whatever your AI does. Here is what each asks, paraphrased, and the PolicyMint documents that satisfy it.
| Clause | What it asks | Documents |
|---|---|---|
| Clause 4 Context of the organisation | Define the scope of your AI management system and the internal and external issues, interested parties and requirements that shape it. | AIMS scope & context |
| Clause 5 Leadership | Top management sets the AI policy, assigns roles and responsibilities and commits to the system. | AI management policy · roles & responsibilities |
| Clause 6 Planning | Assess AI-related risks and opportunities, run AI impact assessments and set measurable objectives. | AI risk assessment · AI impact assessment · objectives |
| Clause 7 Support | Provide the competence, awareness, communication and documented information the system needs. | Competence & awareness · documented-information control |
| Clause 8 Operation | Put the planned controls and processes into practice across the AI system life cycle. | AI system life-cycle procedures · operational controls |
| Clause 9 Performance evaluation | Monitor, measure, audit and review how well the system is working. | Internal audit · management review · monitoring records |
| Clause 10 Improvement | Correct nonconformities and continually improve the system. | Corrective action · continual-improvement records |
Annex A
The ISO 42001 Annex A controls
Annex A groups the AI-specific controls into categories. You choose the ones that apply to your scope and record those decisions in the Statement of Applicability. The categories are:
| Ref | Category | What it governs |
|---|---|---|
| A.2 | Policies related to AI | Setting and maintaining the organisation's AI policy and its supporting policies. |
| A.3 | Internal organization | Accountability, roles and decision-making for AI systems. |
| A.4 | Resources for AI systems | The data, tooling, compute and people the AI depends on. |
| A.5 | Assessing impacts of AI systems | Assessing impacts on individuals, groups and society. |
| A.6 | AI system life cycle | Responsible design, development, deployment and retirement. |
| A.7 | Data for AI systems | How data is acquired, prepared and governed for AI. |
| A.8 | Information for interested parties of AI systems | What you tell users and affected parties about the AI. |
| A.9 | Use of AI systems | Intended, responsible use and human oversight. |
| A.10 | Third-party and customer relationships | Managing AI risk across suppliers, providers and customers. |
See the full ISO 42001 Annex A controls list for every control by reference and title. PolicyMint decides which apply from your business profile and assembles your Statement of Applicability; to track implementation status control by control, our sister tool ControlStack maps the same controls in an interactive tracker.
The wedge
The ISO 42001 documents you actually need
The explainers rank; almost none of them tell you the actual document set. Here it is, tiered by what applies to you.
Required for every AIMS
- AI management system policy
- AIMS scope statement
- AI risk assessment procedure & results
- AI impact assessment procedure
- Statement of Applicability (auto-assembled)
- Roles, responsibilities & authorities
- AI objectives & planning
- Internal audit programme
- Management review records
Required if the control applies
- Data management for AI policy
- AI system life-cycle / development procedure
- Human oversight procedure
- Supplier & third-party AI policy
- Transparency & information-to-users policy
- AI incident management procedure
- Competence & training records
Supporting / optional
- Responsible-AI / ethics statement
- Model & dataset documentation templates
- Change management procedure
- ISO 27001 documents
-
36
ISO 27001 documents
tiered by what you actually need
- ISO 42001 documents
-
21
ISO 42001 documents
for AI management systems
- Clauses and controls mapped
-
182
Clauses and controls mapped
every document cites the ones it satisfies
- Verifiers per section
-
3
Verifiers per section
on a different model to the writer
How it goes
An ISO 42001 implementation checklist
- 1
Define scope and inventory your AI
Decide which AI systems the management system covers and build an inventory of them.
- 2
Secure leadership and set the AI policy
Get top-management commitment and publish the AI policy that everything else hangs from.
- 3
Run AI risk and impact assessments
Assess risks to the organisation and impacts on people, and decide how you will treat them.
- 4
Select Annex A controls and build the SoA
Choose the controls that apply to your scope and record the decisions in the Statement of Applicability.
- 5
Produce the document set
Turn those decisions into the policies, procedures and records an auditor will assess.
- 6
Operate, record and train
Run the controls day to day, keep the evidence, and make sure people know their part.
- 7
Audit, review and (optionally) certify
Run an internal audit and management review; an accredited certification body can then audit you against the standard.
Two standards
ISO 42001 vs ISO 27001
ISO 27001 governs information security (an ISMS). ISO 42001 governs AI management (an AIMS). They share the same Annex SL structure, so the management clauses (4-10) line up and the two integrate cleanly - many organisations run both, with shared clauses and separate Annex A control sets. If AI is part of how you handle information, they reinforce each other rather than compete.
PolicyMint generates the document set for both ISO 27001 and ISO 42001, and keeps overlapping documents consistent across the two systems so you are not maintaining the same policy twice. For a fuller breakdown, see ISO 42001 vs ISO 27001.
How it works
How PolicyMint generates your ISO 42001 documents
A template pack hands you blank files. Prompting a chatbot invents controls you never bought and is equally confident whether it is right or wrong. PolicyMint is different: it is grounded in the licensed clause text for the exact clauses each document maps to, it knows the full ISO 42001 document set and tells you which ones you actually need, and it checks its own work with three independent verifiers running on a different AI model before you ever see the draft - then exports everything in your branding.
ISO 42001 FAQ
ISO 42001, answered
The questions people ask before they start.
What is ISO 42001 in simple terms?
ISO/IEC 42001:2023 is the international standard for an AI management system - a framework for governing how an organisation develops, provides or uses artificial intelligence responsibly. It sits alongside standards like ISO 27001 and uses the same management-system structure.
When was ISO 42001 published?
ISO/IEC 42001 was published in December 2023. It is the first international management-system standard specifically for artificial intelligence.
Is ISO 42001 a certification?
The standard is a set of requirements; an accredited certification body can audit and certify an organisation against it. Certification, its cost and any exam or training pathway are a separate job from producing the documentation - for that pathway see the Mindset Cyber family (PECB-accredited training) and MindsetPrep. PolicyMint produces the documentation you are audited against, not the certificate.
How is ISO 42001 different from ISO 27001?
ISO 27001 governs information security (an ISMS); ISO 42001 governs AI management (an AIMS). Both share the same Annex SL structure, so they integrate cleanly - many organisations run both, with shared management clauses and separate Annex A control sets.
What documents do you need for ISO 42001?
At minimum: an AI management policy, defined scope, an AI risk assessment, an AI impact assessment, a Statement of Applicability and the records that show the system is running. Further Annex A policies apply depending on your scope. PolicyMint works out which of its ISO 42001 documents you actually need and drafts them for your business.
Do I need ISO 27001 before ISO 42001?
No. You can pursue ISO 42001 on its own. Because the two standards share a management-system structure, an existing ISO 27001 programme gives you a head start, but it is not a prerequisite.
Does PolicyMint get me ISO 42001 certified?
It produces the documentation, not the certificate. A certification body audits your organisation, not your PDFs. PolicyMint gives you a complete, consistent, credible ISO 42001 document set, grounded in the standard and written for how you actually operate.
Stop staring at an empty document set
Set up your business once. Get the documents you actually need, written for how you really operate, in your branding, checked before you see them.
When we launch, your first documents are on us. No credit card, no sales call.