sitkastack

ISO/IEC 42001 - AI Management Systems

International Organization for Standardization · ISO/IEC 42001:2023 · International standard for AI management systems. Published December 2023.

What it covers

ISO/IEC 42001 specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS) within an organization. It is the international counterpart to the NIST AI RMF and is structured to integrate with existing management system standards, including ISO 27001 (information security) and ISO 27701 (privacy).

The standard covers AI policy, organizational roles, planning including AI risk assessment and treatment, operational controls across the AI lifecycle, performance evaluation, and continual improvement. Certification is offered by accredited bodies.

Who it applies to

ISO 42001 is voluntary, but it is becoming a procurement requirement in European tenders and government contracts, and increasingly in enterprise vendor reviews. Organizations with mature ISO 27001 programs are the most natural adopters, because ISO 42001 plugs into the existing ISMS structure.

The AI-relevant control objectives

  • Clause 5 (Leadership and AI Policy): AI governance accountability and stated AI policy
  • Clause 6 (Planning): AI objectives, AI risk assessment, AI risk treatment, AI impact assessment
  • Clause 7 (Support): resources, competence, awareness, documented information
  • Clause 8 (Operation): AI system lifecycle controls, design and development, deployment, operation, decommissioning
  • Clause 9 (Performance Evaluation): monitoring, measurement, internal audit, management review
  • Clause 10 (Improvement): nonconformity handling and continual improvement

How sitkastack maps to it

What sitkastack delivers under this framework

sitkastack engagements produce ISO 42001-aligned documentation across clauses 5, 6, 8, 9, and 10, all covered by the vendor-risk-triage framework shipped at v1.0.5. Typical engagements: AI Policy & Risk Pack (ISO 42001 documentation package), ISO 42001 Readiness Sprint (ISO 42001 readiness gap assessment), or 90-Day AI Build (production AI workflow with ISO 42001 operational controls built in).

ISO 27001 integration note

ISO 42001 is designed to integrate with an existing ISO 27001 ISMS. Organizations with mature ISO 27001 programs typically extend their existing controls and documentation rather than build a parallel system. sitkastack engagements supporting joint ISO 27001 + 42001 organizations map AI controls into the existing ISMS structure.

Honest limitations

sitkastack produces ISO 42001-aligned artifacts and analysis. I do not act as an accredited certification body and do not issue ISO 42001 certificates. Certification audits are conducted by accredited bodies; sitkastack engagements prepare the documentation and controls that would be evaluated during certification.

Talk to me

Questions about how this maps to your environment? Email me.