If your organization uses or develops artificial intelligence, ISO 42001 is the standard that helps you govern it sensibly: transparency, human oversight, risk management and accountability. We implement the AI management system for you and get you ready for certification.
Lead auditors for ISO 42001 and ISO 27001 (CISA, CISSP, CISM), with experience in AI governance.
What it is
ISO 42001 is the first certifiable international standard for artificial intelligence management systems. It follows the same structure as ISO 27001 and defines how to manage AI responsibly: with policies, risk assessment, human oversight and continuous improvement. It does not regulate a specific system, but rather how your organization governs all of its AI.
Unlike a code of good practice, ISO 42001 is certified by an accredited body through a two-stage audit, just like ISO 27001. The certificate proves to third parties that you govern your AI rigorously.
AI governance is becoming a commercial requirement: more and more clients ask in their procurement processes whether you are certified in ISO 42001 or implementing it, just as happened with ISO 27001.
The European AI Regulation is binding; ISO 42001 does not replace it, but it covers much of the governance it requires and leaves a large part of the path to compliance already done.
Who it serves
ISO 42001 serves any organization that uses, develops or integrates artificial intelligence and wants to demonstrate that it does so responsibly. It does not matter whether you build your own models or use third-party AI: what is governed is your use.
You build models, products or services with artificial intelligence and want to demonstrate that you design them with control and transparency.
You integrate vendor AI into your processes or decisions and need to govern that use, its risks and its oversight.
Your clients or your sector are starting to require AI governance guarantees, and you want to get ahead with a recognized certificate.
The framework
ISO 42001 is organized into requirement clauses and an annex of controls. The controls address the points where AI needs governance, and you adapt them to your context instead of applying them all blindly.
Quality, origin and protection of the data with which AI is trained and operates. Without reliable data there is no reliable AI.
Being able to explain what each AI system does and how it reaches its decisions, so it is not a black box.
That a person can intervene, review and reverse what the AI decides when needed.
Clear roles and responsibilities over each system, with traceability of who decides what.
The standard does not tell you which AI you can use, but it requires you to know what you use, for what, with what risks and who is responsible. That cultural change is most of the work.
Service
AI systems inventory: what artificial intelligence you use or develop, your own or third-party, and for what.
Gap analysis against the requirements of the standard and the Annex A controls, to see the real distance.
Risk and impact assessment of your AI systems, including the impact on people.
AI management system: policies, processes, human oversight and the Annex A controls that apply.
Integration with your ISO 27001: if you already have an ISMS, we build the AI layer on top without duplicating what already works.
Support during certification: we get you ready for the two-stage audit and the closing of findings.
Method
We identify your AI systems and measure the distance against the standard and its controls.
Roadmap prioritized by risk, leveraging whatever you already have from ISO 27001.
Management system, risk and impact assessment, human oversight and Annex A controls.
We support you through the two-stage audit and the closing of findings up to the certificate.
Synergies
ISO 42001, ISO 27001 and the European AI Regulation fit together. ISO 42001 shares its structure with ISO 27001, so if you already have an ISMS much of the management system is done and you only add the AI layer, without duplicating. Since the European AI Regulation requires governance, the standard leaves a good part of the path prepared: it does not replace the AI Act, but it covers its risk management, data, transparency and human oversight points. To verify that those controls hold up in practice, there is our AI and LLM pentest, which truly puts the system to the test.
What sets us apart: we are lead auditors for ISO 42001 and ISO 27001, so we understand all three pieces at once and build them as a single coherent system. We know what evidence the auditor will ask for because we work with that logic every day.
Questions
It is the first certifiable international standard for artificial intelligence management systems. It defines how an organization governs its AI responsibly: policies, risk assessment, human oversight, transparency and continuous improvement. It follows the same structure as ISO 27001, so it does not regulate a specific AI system but rather the way your organization manages all of its artificial intelligence.
No. The AI Act is a binding European law with penalties; ISO 42001 is a voluntary and certifiable standard. They are not the same, but they work very well together: the standard covers much of the governance that the AI Act requires, so implementing it leaves a large part of the path done. That said, ISO 42001 is not enough on its own to comply with the AI Act for high-risk systems, which have their own obligations.
Yes, and it is a very common case. What ISO 42001 governs is your use of AI, not who builds it. If you make decisions with third-party artificial intelligence tools, integrate models into your processes or use AI assistants, the standard helps you control those uses, their risks and their oversight. You do not need to build your own models.
A lot. ISO 42001 shares its structure with ISO 27001, so if you already have a security management system much of the work is done: governance, roles, risk assessment and continuous improvement are reused. We build the AI layer on top without duplicating, which reduces the effort and the audit burden.
No, ISO 42001 is voluntary and has no penalties on its own. But it is becoming a market requirement: more and more clients ask for it in their procurement processes as proof that you govern your AI rigorously. Getting ahead is a competitive advantage, just as it was with ISO 27001.
It depends on the size of your organization, how much AI you use and whether you already have a management system such as ISO 27001 to lean on. What most influences the timeline is the starting point: if you already govern your security rigorously, the AI layer is built much sooner. In the first conversation we look at your case and give you a realistic estimate, with no surprises halfway through.
As with other ISO standards, it is granted by an accredited body through a two-stage audit: first it reviews the design of your management system and then it checks that it is implemented and working. If you pass, you obtain the certificate. We get you ready for that process and support you in closing findings.
Shall we talk?
Tell us what artificial intelligence you use or develop and where you stand. In a first conversation we tell you what separates you from the certificate and how it fits with the AI Act.