ISO/IEC 42001:2023
ISO 42001. The AI Management System standard.
The world's first international standard for managing AI systems — clauses 4 to 10, 38 reference controls, the strongest available foundation for EU AI Act readiness.
Published December 2023 · Annex SL harmonized structure · Not (yet) a harmonized standard under AI Act Art. 40; CEN-CENELEC JTC 21 standards pending
The Standard
Seven core clauses (4 to 10).
ISO 42001 follows Annex SL — same shape as ISO 27001 and ISO 9001. If you've certified one, you understand all three.
Context of the organization
Scope of the AIMS, interested parties, role in AI lifecycle (provider, deployer, integrator).
Leadership
Top management commitment, AI policy, roles, accountability for AI outcomes.
Planning
AI risk assessment, AI system impact assessment, objectives, change management.
Support
Resources, competence (AI literacy), awareness, documented information.
Operation
Operational planning and control, AI risk treatment, impact assessment process.
Performance evaluation
Monitoring, measurement, analysis, internal audit, management review.
Improvement
Nonconformity, corrective action, continual improvement of the AIMS.
Annex A
38 reference controls in 9 categories.
Not mandatory — applied risk-based, documented in a Statement of Applicability (SoA). Same pattern as ISO 27001 Annex A.
A.2 Policies related to AI
3 controls (A.2.2–A.2.4)
A.3 Internal organization
2 controls (A.3.2–A.3.3)
A.4 Resources for AI systems
5 controls (A.4.2–A.4.6)
A.5 Assessing impacts of AI systems
4 controls (A.5.2–A.5.5)
A.6 AI system life cycle
9 controls (A.6.1.2–A.6.1.3, A.6.2.2–A.6.2.8)
A.7 Data for AI systems
5 controls (A.7.2–A.7.6)
A.8 Information for interested parties of AI systems
4 controls (A.8.2–A.8.5)
A.9 Use of AI systems
3 controls (A.9.2–A.9.4)
A.10 Third-party and customer relationships
3 controls (A.10.2–A.10.4)
AI Act Bridge
ISO 42001 maps closely onto the EU AI Act.
It is not a harmonized standard under Art. 40, so certification carries no presumption of conformity. Its requirements do, however, line up with the AI Act's operational obligations for high-risk systems (risk management, data governance, technical documentation, post-market monitoring), which is why it is the usual starting point for readiness work.
ISO 27001 vs ISO 42001
Different lens, same shape.
ISO 27001 protects information; ISO 42001 governs AI outcomes. Both use Annex SL, so a mature ISMS can extend into an AIMS with the same management review cycle, internal audit program, risk treatment process, and Statement of Applicability mechanics. In our experience a large share of the operational overhead (document control, competence records, internal audit, corrective action) is shared when the two are run as an integrated management system; the AI-specific work that remains is the AI system inventory, the AI risk and impact assessments, and the Annex A controls that have no ISO 27001 counterpart.
How Matproof helps
ISO 42001 certification, on rails.
FAQ
Frequently asked questions
What is ISO 42001?
ISO/IEC 42001:2023 is the world's first international management system standard for artificial intelligence. Published in December 2023, it defines requirements for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS). The standard follows the same high-level structure (HLS / Annex SL) as ISO 27001 and ISO 9001, with seven core clauses (4–10) and an Annex A of 38 reference controls organized in nine objectives. It applies to any organization that provides, develops, or uses AI systems — regardless of size or sector.
How does ISO 42001 relate to the EU AI Act?
ISO 42001 is the closest existing standard to the AI Act's operational requirements, but it is not yet a harmonized standard under Article 40. The European Commission issued a standardization request (M/593) to CEN-CENELEC in May 2023, and JTC 21 is developing the AI Act-specific harmonized standards. Until those land (expected 2026–2027), ISO 42001 certification is the strongest available signal of AI governance maturity and a strong foundation for AI Act readiness — particularly for high-risk system providers needing risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11), and post-market monitoring (Art. 72) processes.
Who needs ISO 42001?
ISO 42001 is scoped for any organization that develops, provides, or uses AI systems, whether it acts as an AI provider, a deployer/user, or an integrator that builds on third-party models and components. That split broadly matches the EU AI Act's provider and deployer roles, although the two texts do not use identical terminology. In practice the standard is most valuable for: (1) AI vendors selling into regulated EU buyers who will increasingly require it in RFPs, (2) high-risk AI providers preparing for AI Act conformity assessment, (3) enterprises deploying generative AI (OpenAI, Anthropic, Azure OpenAI) who need demonstrable governance for board, audit, and customer due-diligence questionnaires, (4) public-sector bodies and other deployers subject to the AI Act's fundamental rights impact assessment requirement (Art. 27).
What are the 38 Annex A controls?
Annex A organizes 38 reference controls into nine control objectives: A.2 Policies related to AI, A.3 Internal organization, A.4 Resources for AI systems, A.5 Assessing impacts of AI systems, A.6 AI system life cycle, A.7 Data for AI systems, A.8 Information for interested parties of AI systems, A.9 Use of AI systems, and A.10 Third-party and customer relationships. These are not mandatory in themselves: clause 6.1.3 requires you to compare your chosen risk treatment controls against Annex A, justify any exclusions, and document the result in a Statement of Applicability (SoA), the same pattern as ISO 27001 Annex A. You may add controls of your own beyond Annex A. Annex B gives implementation guidance for each control, Annex C lists potential AI-related organizational objectives and risk sources, and Annex D discusses use of the AIMS across domains and sectors.
What's the difference between ISO 42001 and ISO 27001?
ISO 27001 is an Information Security Management System (ISMS) — it protects confidentiality, integrity, and availability of information. ISO 42001 is an AI Management System (AIMS) — it governs how AI systems are designed, deployed, and operated, with attention to fairness, transparency, human oversight, and societal impact. They share the same HLS structure, can be operated as an integrated management system, and many controls overlap (especially around supplier management, change management, and incident response). But the impact and risk assessment lens is fundamentally different: ISO 27001 asks 'what could happen to our information,' ISO 42001 asks 'what could our AI system do to people.'
How long does ISO 42001 certification take?
For an organization with a mature ISO 27001 ISMS already in place, ISO 42001 certification typically takes 4–9 months: gap analysis (4–6 weeks), AIMS implementation (3–5 months), Stage 1 audit (documentation review), Stage 2 audit (operational effectiveness), followed by annual surveillance audits and recertification in year 3. Greenfield organizations without an existing management system should plan for 9–18 months. As of 2026 the accredited certification body market is still maturing; a handful of bodies (BSI, DNV, Schellman, A-LIGN, TÜV SÜD, DEKRA) offer accredited ISO 42001 certification, so check that the body's accreditation actually covers ISO/IEC 42001 and not only ISO 27001.
What does ISO 42001 certification cost?
Total program cost for a mid-sized organization (50–500 employees) typically falls in the €15,000–€60,000 range for the first three-year cycle: certification body fees (€8,000–€30,000), implementation effort (€5,000–€25,000 if internal, or €20,000–€80,000 with consultants), and ongoing surveillance audits in years 2 and 3. The biggest cost variable is whether you bolt the AIMS onto an existing ISO 27001 program (much cheaper) or build both standards in parallel. Matproof's ISO 42001 module reduces implementation effort by 60–80% through pre-built policies, automated evidence collection, and Annex A control mappings.
Can ISO 42001 substitute for AI Act conformity assessment?
No. ISO 42001 is a voluntary management system standard; the AI Act imposes legally binding requirements on high-risk AI systems, including a formal conformity assessment procedure (Article 43): internal control for most Annex III systems, and notified body assessment where the Act requires it, for example certain biometric systems where harmonised standards are not fully applied and AI systems that are safety components of products covered by the Union harmonisation legislation in Annex I. If harmonised standards covering the AI Act's requirements are adopted and cited under Article 40, conformity with those standards will create a presumption of conformity with the corresponding requirements; whether and how far they will build on ISO 42001 is for CEN-CENELEC JTC 21 to decide. Until then, ISO 42001 demonstrates governance maturity but does not satisfy the AI Act on its own, and a certificate is evidence you can put in front of a notified body or market surveillance authority, not a substitute for the assessment itself.
Start
Make ISO 42001 your AI governance backbone.
30-minute demo. See how Matproof automates Annex A, AI inventory, and cross-mapping to ISO 27001, NIS2, and the EU AI Act.