Getting Started with ISO 42001

ISO/IEC 42001:2023 is the international standard for Artificial Intelligence Management Systems (AIMS). It provides a framework for organizations that develop, provide, or use AI systems to manage AI-related risks responsibly, establish governance, and demonstrate trustworthy AI practices. Published in December 2023, ISO 42001 is the first management system standard specifically for AI. It follows the familiar ISO high-level structure (Harmonized Structure), making it straightforward to integrate with ISO 27001, ISO 9001, and other management system standards. Matproof maps ISO 42001 requirements to controls, policies, and evidence workflows so you can build your AIMS and prepare for certification.
Activate ISO 42001 under Settings - Frameworks - ISO 42001. Controls are pre-populated based on the standard’s clauses and Annex A/B controls.

Who Should Implement ISO 42001?

ISO 42001 is relevant to any organization involved in the AI lifecycle:
  • Organizations that develop AI systems
  • Organizations that deploy or operate AI systems
  • Organizations that provide data or components for AI systems
  • Organizations seeking to demonstrate responsible AI governance to customers, regulators, or partners
ISO 42001 pairs well with the EU AI Act. While the AI Act sets legal requirements, ISO 42001 provides the management system framework to meet them systematically. Certification can support your conformity assessment evidence.

Standard Structure

ISO 42001 follows the ISO Harmonized Structure:
Clause | Topic | Matproof Module
4 | Context of the organization | Policies, Controls
5 | Leadership | Policies, People
6 | Planning (risk and opportunity assessment) | Risk Management
7 | Support (resources, competence, awareness, communication, documented information) | People, Evidence
8 | Operation (AI risk assessment, AI risk treatment, AI system impact assessment) | Risk Management, Controls
9 | Performance evaluation (monitoring, measurement, analysis, internal audit, management review) | Audit Programs, Controls
10 | Improvement (nonconformity, corrective action, continual improvement) | Corrective Actions

Annex A - AI Controls

Annex A provides a set of reference controls organized into key themes:
  • AI policies and governance
  • AI system lifecycle management
  • Data management for AI
  • AI system performance monitoring
  • Third-party and supply chain considerations
  • Responsible AI (fairness, transparency, accountability)

Annex B - Implementation Guidance

Annex B provides detailed implementation guidance for each Annex A control.
Step 1 - Define the AIMS scope and context

  • Identify the AI systems and activities covered by your AIMS
  • Document interested parties and their requirements (customers, regulators, affected persons)
  • Determine the boundaries and applicability of your AIMS
  • Record the scope in Settings - Organization

Step 2 - Establish AI governance and leadership

  • Go to Policies - Generate and create your AI Management System Policy
  • Ensure top management demonstrates commitment to the AIMS
  • Assign roles and responsibilities for AI governance
  • Define your AI risk appetite and ethical principles
  • Document the governance structure in the People module

Step 3 - AI risk assessment

Clause 6.1 and Clause 8 require both organizational and AI system-level risk assessments:
  • Go to Risk Management - New Risk Assessment
  • Assess organizational risks to the AIMS (Clause 6.1)
  • For each AI system, conduct an AI risk assessment covering: accuracy, reliability, security, bias, fairness, transparency, and safety
  • Conduct AI system impact assessments for systems that may significantly affect individuals or groups
  • Document risk treatment plans with clear ownership

Step 4 - Implement Annex A controls

Work through the Annex A control set in Controls - ISO 42001:
  • AI system lifecycle controls (design, development, deployment, monitoring, decommissioning)
  • Data management controls (data quality, provenance, bias assessment)
  • Performance and monitoring controls
  • Third-party and supply chain controls
  • Responsible AI controls (fairness, transparency, explainability, accountability)
For each control, document its implementation, assign an owner, and link supporting evidence.
If you already have ISO 27001 implemented, many ISO 42001 controls around information security, access management, and risk methodology will overlap. Use the framework mapping in Matproof to identify shared controls and avoid duplicate effort.

Step 5 - Data governance for AI

AI systems depend on data quality. ISO 42001 requires specific data management practices:
  • Document data sources, quality criteria, and preprocessing steps for each AI system
  • Assess training and testing data for bias and representativeness
  • Establish data provenance tracking
  • Define data retention and deletion policies aligned with your AI systems’ lifecycles

Step 6 - Monitoring and measurement

  • Define performance metrics for each AI system (accuracy, fairness metrics, drift indicators)
  • Establish monitoring processes to detect performance degradation
  • Document how you measure the effectiveness of your AIMS
  • Set up regular management reviews (at least annually)

Step 7 - Internal audit

  • Go to Audit Programs - New Audit - ISO 42001
  • Audit against all clauses and applicable Annex A controls
  • Document findings as Corrective Actions
  • Verify that corrective actions address root causes
  • Present audit results to management as input for the management review

Step 8 - Management review and certification

  • Conduct a formal management review covering: AIMS performance, risk assessment results, audit findings, and improvement opportunities
  • Document management review outputs (decisions and actions)
  • When ready, engage an accredited certification body for Stage 1 and Stage 2 audits

Relationship to Other Standards

Standard | Relationship
ISO 27001 | Shared Harmonized Structure. ISO 42001 addresses AI-specific risks while ISO 27001 covers information security. Many controls overlap.
ISO 9001 | Quality management practices complement AI system lifecycle management.
EU AI Act | ISO 42001 certification provides structured evidence for EU AI Act compliance, particularly for high-risk AI system governance.
ISO/IEC 23894 | AI risk management guidance that complements the risk assessment requirements in ISO 42001.

Next Steps