ISO 42001

ISO 42001 (formally ISO/IEC 42001:2023) is the first international standard specifically designed for artificial intelligence management systems. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a framework for organisations that develop, provide, or use AI systems to manage the associated risks, governance, and ethical considerations.

If your organisation is building AI into products, using AI-driven decision-making, or deploying large language models, ISO 42001 gives you a structured approach to doing it responsibly, with accountability, transparency, and risk management built in from the start.

Full name: ISO/IEC 42001:2023 – Information technology – Artificial intelligence – Management system
Type: Standard
Maintained by: ISO/IEC JTC 1/SC 42 (Artificial Intelligence)
First published: December 2023
Applies to: Organisations developing, providing, or using AI systems
UK relevance: Aligns with the UK AI Code of Practice; supports EU AI Act compliance for UK organisations operating in Europe
Wikipedia: No dedicated article
Wikidata: Q138351903

Why ISO 42001 matters now

AI adoption is accelerating across every sector, and regulation is catching up. The EU AI Act classifies AI systems by risk level and imposes requirements on high-risk applications, with obligations phasing in through 2025 and 2026. The UK’s AI Code of Practice takes a principles-based approach but sets clear expectations for responsible AI deployment.

For organisations navigating this landscape, ISO 42001 provides the management system framework that sits underneath both regulatory approaches. It doesn’t tell you what to build; it tells you how to govern what you’re building.

This is particularly relevant for heavily regulated sectors, and for suppliers into those sectors: financial services, where AI drives credit decisions, fraud detection, and trading algorithms; healthcare, where AI assists diagnostics and treatment planning; defence and government, where AI supports intelligence analysis and decision support; and any organisation deploying large language models, where the risks include hallucination, data leakage, prompt injection, and bias.

What ISO 42001 covers

The standard follows the familiar ISO management system structure (Annex SL), making it straightforward for organisations already running ISO 27001 to integrate AI governance alongside existing frameworks. It includes 38 distinct controls covering AI policy and objectives, risk assessment specific to AI systems, lifecycle management from design through deployment and decommissioning, data governance, human oversight, transparency and explainability, and continuous improvement.

For organisations already certified to ISO 27001, adding ISO 42001 creates an integrated approach to both information security and AI governance, reducing duplication and strengthening your overall posture.

How ISO 42001 connects to other frameworks

ISO 42001 doesn’t exist in isolation. It provides the certifiable management system layer that operationalises the EU AI Act’s governance requirements for high-risk AI. It aligns with the UK AI Code of Practice’s principles around transparency, accountability, and human oversight. It complements the NIST AI Risk Management Framework (RMF), the US approach to AI risk, and it extends ISO 27001 into AI-specific risks and governance. Organisations using ISO 42001 are effectively operationalising the OECD AI Principles into auditable, certifiable processes.

The AI security angle

ISO 42001 covers governance and management. But AI systems also face security threats that traditional frameworks don’t address: adversarial inputs, prompt injection, model poisoning, data extraction attacks, and the weaponisation of AI for social engineering.

This is where AI security testing complements ISO 42001. The standard tells you to assess risks. Dedicated AI security services, including AI red teaming, LLM penetration testing, and adversarial testing, help you identify those risks with precision.

We combine ISO 42001 consultancy with hands-on AI security assessment. Our consultants help you build the governance framework; our testers help you find the vulnerabilities that governance alone won’t catch. Whether you need a readiness gap analysis, AI risk assessment, management system design that integrates with your existing ISO 27001 framework, or AI-specific penetration testing, we deliver both the governance and the technical assurance.

Learn more about our cyber risk management services →

Related glossary terms

  • MITRE ATT&CK – adversary tactics framework increasingly applied to AI system threats
  • Threat modelling – structured threat analysis applicable to AI system risk assessment
  • NCSC CAF – UK government cyber assessment framework, complementary to ISO 42001

Frequently asked questions

Is ISO 42001 certification mandatory?

Not currently. However, the EU AI Act and UK AI Code of Practice are creating regulatory expectations that ISO 42001 directly addresses. For organisations in regulated sectors, certification is becoming a practical requirement for demonstrating AI governance compliance.

How does ISO 42001 relate to ISO 27001?

Both follow the Annex SL management system structure. Organisations already certified to ISO 27001 can integrate AI governance into their existing management system, reducing duplication and audit burden. ISO 42001 extends information security controls into AI-specific risks.

What AI systems does ISO 42001 apply to?

All AI systems, from machine learning models and large language models to automated decision-making and robotic process automation. The standard is technology-agnostic and applies to any organisation developing, providing, or using AI.
