What is ISO/IEC 42001 (the AI management standard)?
ISO/IEC 42001 is the world's first certifiable international standard for managing artificial intelligence. Published in 2023 by ISO and IEC, it defines how an organization should build an AI Management System (AIMS): a use policy, risk and impact assessment, controls and continual improvement across the entire AI lifecycle. It is, for AI, the equivalent of what ISO/IEC 27001 is for information security: a company can be audited by an independent third party and earn certification to prove it uses AI responsibly.
How ISO/IEC 42001 works in practice
The standard is not a tool you install; it is a management system the company builds and maintains over its use of AI, on the same continual-improvement model (plan, do, check, act) as other ISO standards. The cycle has four parts.
Set the policy and accountability
The company puts in writing what it uses AI for, what is allowed, who approves each tool and who owns the program. With no owner and no rule, there is no management system.
Assess AI risk and impact
Each use of AI goes through a risk and impact assessment: what data goes in, what decision the AI influences, who could be affected. This is what sets an AI standard apart from a security-only one.
Apply the controls and record the evidence
From the standard's Annex A, the company selects the applicable controls, puts them into practice and keeps the proof that they work, in a Statement of Applicability.
Audit, certify and improve
An independent certification body audits the system in two stages (documentation and operation). Once approved, it issues the certificate; the cycle then repeats to improve continually.
Source: ISO/IEC 42001:2023 (Artificial Intelligence Management System) and the ISO management-system model.
What an AI Management System (AIMS) covers
- AI policy and governance The rules of use, the roles and the accountability: who decides, who approves tools and who answers for the outcome.
- Risk and impact assessment A repeatable method to judge each use of AI before it is released, including the impact on people and on the business.
- Annex A controls A catalog of reference controls (data, transparency, human oversight, lifecycle) from which the company picks the applicable ones and proves adoption.
- Data and lifecycle management Rules over the data that feeds the AI and over every phase of the system's life, from design to retirement.
- Continual improvement and certification Periodic audits, fixing what fails, and certification by a third party as external proof that the program exists and works.
Why ISO/IEC 42001 became the trustworthy-AI seal the market started to require
AI adoption ran ahead of governance, and the market responded. Just as ISO/IEC 27001 became a prerequisite in technology procurement, ISO/IEC 42001 is becoming the seal large buyers ask for before signing: instead of asking whether your AI is safe, the customer now asks whether you are ISO 42001 certified. Because it is international, it works as a single proof before regulators and clients across several markets at once, from the Americas to Europe and Asia, where new AI laws (such as the European Union's AI Act) demand exactly this kind of demonstrable governance. For the business, certification stops being a cost and becomes a differentiator that opens doors.
How a company prepares for ISO/IEC 42001
Preparing for the standard is less about a last-minute certificate and more about starting to govern the AI use that is already happening. The most direct path:
- See which AI the company already usesBefore any policy, you have to see the shadow AI: which tool each department uses, with what data. What you cannot see, you cannot govern.
- Write the policy and name the ownerA clear rule of use and one person accountable for the program. It is the base the standard requires and that most companies still lack.
- Assess risk and apply the controlsRun the risk and impact assessment, select the Annex A controls and start collecting the evidence that they work.
- Treat it as a continuous postureCertification is not a snapshot, it is a film: evidence is gathered continuously, not assembled in a rush the night before the audit.
- Only then pursue certificationWith the system running, an independent body audits and certifies. Reaching the auditor with the system already live shortens the road.
In practice
The question that reveals the real risk: if a major client demanded AI certification tomorrow as a condition of the contract, would the company know where to begin, or would it discover it never wrote a single line of AI policy?
How Zamak handles ISO/IEC 42001 compliance
Zamak Technologies supports the journey toward ISO/IEC 42001 as part of the Governance and Compliance of the Zamak Method: AI use policy, data classification, risk assessment, tool approval and auditable evidence on a compliance platform. One honest distinction: the standard documents and proves responsible AI use, it does not technically block data from leaving, which is a separate technical defense layer, scoped on its own. A good starting point is the AI exposure self-check, which shows in minutes where the company is most exposed.