The complete guide

ISO 42001:2023: The world’s first standard for governing AI responsibly.

ISO/IEC 42001 is the international standard for AI Management Systems, the first framework that holds organizations accountable for how they build, deploy, and oversee AI. This guide walks through its requirements, the 38 Annex A controls, audit process, and how it ties into the EU AI Act.


What is ISO 42001?

ISO/IEC 42001:2023 is the world’s first international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, it gives organizations a structured framework to develop, deploy, and oversee AI systems responsibly, with clear accountability, risk management, and continuous oversight.

It applies to any organization that builds, provides, or uses AI, whether that’s a foundational model provider, a SaaS company embedding AI features, an enterprise deploying third-party AI, or a regulated business using AI for high-stakes decisions.

A few things worth knowing upfront:

  1. ISO 42001 is voluntary, but it’s quickly becoming a procurement and regulatory expectation, especially in the EU and US enterprise markets.
  2. The standard has 10 clauses plus Annex A, which contains 38 AI-specific controls grouped under 9 control objectives.
  3. Certification is granted by accredited third-party certification bodies, just like ISO 27001 and ISO 9001.
  4. Certificates are valid for three years with annual surveillance audits in between.
  5. Organizations already certified to ISO 27001 can typically achieve ISO 42001 certification 40-50% faster due to the shared management system structure.

Who needs ISO 42001 (and who doesn’t)

ISO 42001 isn’t relevant for every business, but if AI touches your product, your operations, or your supply chain, the conversation is starting to shift from “should we?” to “when?”

You probably need ISO 42001 if:

  • You build, train, or deploy AI/ML models as part of your product
  • You’re an AI-native company selling to enterprises or governments
  • Your buyers are asking about AI governance in vendor due diligence questionnaires
  • You operate in or sell into the EU, where some EU AI Act obligations already apply and others phase in through 2026-2028 under the updated AI Omnibus timeline.
  • You use AI for high-stakes decisions: hiring, credit, healthcare, education, insurance
  • You use third-party tools with AI features in those same decision areas (e.g., an ATS that screens candidates, an underwriting platform that scores applicants, or a vendor-supplied tool making automated recommendations)
  • You provide AI-powered services to regulated industries (BFSI, healthcare, public sector)
  • You’re already pursuing ISO 27001 and want to extend governance to AI systems
  • You’re an AI-native startup selling to enterprises; procurement teams increasingly screen for it

You probably don’t need ISO 42001 (yet) if:

  • You’re pre-revenue, and AI isn’t central to your offering
  • You only use third-party AI tools internally (with no customer-facing impact)
  • Your buyers haven’t asked about AI governance, and you’re not in a regulated market

Build an AI inventory before defining your ISO 42001 scope

Before you define the scope of your AIMS, build a working inventory of the AI systems your organization develops, buys, embeds, or uses internally. This keeps ISO 42001 from becoming a policy exercise that misses real AI activity.

Your inventory should capture:

  • AI use case and business purpose
  • System owner, department, and accountable reviewer
  • Whether the use case is internal, customer-facing, product-embedded, or vendor-provided
  • Model, vendor, platform, or provider used
  • Data categories processed, including personal, sensitive, customer, or regulated data
  • User groups affected by the AI system
  • Geography and regulatory exposure, including EU use where relevant
  • Risk rating and rationale
  • Human oversight or escalation controls
  • Testing, evaluation, bias review, and monitoring evidence
  • Vendor due diligence status and contract owner
  • Current status of the AI system, such as requested, approved for testing, in pilot, approved for production, live, paused for review, or retired

This inventory serves as the backbone of risk assessment, Statement of Applicability decisions, vendor review, monitoring, training, and audit evidence.
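The inventory fields and status values listed above lend themselves to a small, checkable model. The following is an added example (not Sprinto’s code and not part of the standard): it encodes the status lifecycle as permitted transitions and runs an audit-readiness check over a constructed sample record. The transition rules and gap thresholds are an assumed house policy; the ATS vendor name is a placeholder.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    """Lifecycle states from the inventory checklist above."""
    REQUESTED = "requested"
    APPROVED_FOR_TESTING = "approved for testing"
    IN_PILOT = "in pilot"
    APPROVED_FOR_PRODUCTION = "approved for production"
    LIVE = "live"
    PAUSED_FOR_REVIEW = "paused for review"
    RETIRED = "retired"

# Permitted transitions (assumed policy): linear approval path; pause and retire from pilot onward.
TRANSITIONS = {
    Status.REQUESTED: {Status.APPROVED_FOR_TESTING, Status.RETIRED},
    Status.APPROVED_FOR_TESTING: {Status.IN_PILOT, Status.RETIRED},
    Status.IN_PILOT: {Status.APPROVED_FOR_PRODUCTION, Status.PAUSED_FOR_REVIEW, Status.RETIRED},
    Status.APPROVED_FOR_PRODUCTION: {Status.LIVE, Status.RETIRED},
    Status.LIVE: {Status.PAUSED_FOR_REVIEW, Status.RETIRED},
    Status.PAUSED_FOR_REVIEW: {Status.LIVE, Status.RETIRED},
    Status.RETIRED: set(),
}

@dataclass
class AISystem:
    """One inventory record; fields follow the checklist above."""
    name: str
    use_case: str
    owner: str
    deployment: str            # internal | customer-facing | product-embedded | vendor-provided
    provider: str
    data_categories: set       # e.g. {"personal", "sensitive", "regulated"}
    regions: set               # e.g. {"EU", "US"}
    risk_rating: str           # low | medium | high
    risk_rationale: str
    human_oversight: str       # "" when no oversight or escalation control is defined
    evidence: set              # subset of {"testing", "bias review", "impact assessment", "monitoring"}
    vendor_due_diligence: str  # not applicable | pending | complete
    status: Status = Status.REQUESTED

    def transition(self, new: Status) -> "AISystem":
        """Move to a new status, refusing moves outside the lifecycle."""
        if new not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.name}: {self.status.value} -> {new.value} is not allowed")
        self.status = new
        return self

def readiness_gaps(s: AISystem) -> list:
    """Gaps an internal review would flag. The thresholds are an assumed house policy."""
    gaps = []
    if s.status in (Status.APPROVED_FOR_PRODUCTION, Status.LIVE) and not s.risk_rationale:
        gaps.append("no risk rating rationale")
    if s.risk_rating == "high" and not s.human_oversight:
        gaps.append("high-risk system without a human oversight control")
    if (s.risk_rating == "high" or "EU" in s.regions) and "impact assessment" not in s.evidence:
        gaps.append("no AI system impact assessment on file")
    if s.data_categories & {"personal", "sensitive", "regulated"} and "bias review" not in s.evidence:
        gaps.append("personal or regulated data processed without a bias review")
    if s.deployment == "vendor-provided" and s.vendor_due_diligence != "complete":
        gaps.append("vendor-provided system without completed due diligence")
    if s.status == Status.LIVE and "monitoring" not in s.evidence:
        gaps.append("live system without monitoring evidence")
    return gaps

def sample_record() -> AISystem:
    """Constructed sample: a vendor-supplied applicant screening tool (not a real product)."""
    return AISystem(
        name="ats-screener", use_case="rank inbound job applications", owner="Head of Talent",
        deployment="vendor-provided", provider="ExampleATS (placeholder vendor)",
        data_categories={"personal"}, regions={"EU", "US"}, risk_rating="high",
        risk_rationale="automated ranking feeds hiring decisions", human_oversight="",
        evidence={"testing"}, vendor_due_diligence="pending",
    )

if __name__ == "__main__":
    record = sample_record().transition(Status.APPROVED_FOR_TESTING).transition(Status.IN_PILOT)
    for gap in readiness_gaps(record):
        print("GAP:", gap)  # four gaps block production approval for this record
```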

Is ISO 42001 your next move? Talk to a Sprinto advisor about the right AI governance framework for your stage.

How ISO 42001 connects to the EU AI Act (and other regulations)

If you’re tracking AI regulation, ISO 42001 and the EU AI Act keep showing up together, and for good reason.

The EU AI Act entered into force on August 1, 2024, with full applicability targeted for August 2, 2026. Enforcement for high-risk AI systems began phasing in starting February 2026 (note: a May 2026 provisional agreement on the Digital Omnibus deferred some Annex III deadlines to December 2027, pending ratification). The Act mandates:

  • Risk management systems for high-risk AI (Article 9)
  • AI literacy across the organization (Article 4)
  • Data governance and quality (Article 10)
  • Technical documentation, transparency, and human oversight (Articles 11-14)
  • Ongoing monitoring and post-market surveillance

ISO 42001 doesn’t grant EU AI Act compliance, but it provides the management system structure that maps directly onto the Act’s requirements. The European Commission is exploring harmonized standards for demonstrating AI Act conformity, and ISO 42001 is the leading candidate.

Beyond the EU AI act, ISO 42001 also aligns closely with:

  • NIST AI Risk Management Framework (US): Shared focus on AI risk identification, measurement, and management
  • UK AI Regulatory Framework: Principles-based approach with strong overlap on accountability and transparency
  • Colorado AI Act, California’s AI legislation, and other state-level US laws: ISO 42001 helps build the governance baseline these laws assume

A single ISO 42001 program can support compliance across multiple jurisdictions, which is why global AI vendors are prioritizing it.

Where ISO 42001 maps to the EU AI Act:

EU AI Act requirement → ISO 42001 mapping → What this means

  • Article 9: Risk management → Clause 6: Planning + Annex A.5: AI system impact assessment. The Act requires a documented risk management system for high-risk AI. ISO 42001 supports this through AIMS planning, AI risk assessment, and AI system impact assessment processes.
  • Article 10: Data and data governance → Annex A.7: Data for AI systems. The Act requires appropriate governance for training, validation, and testing data used in high-risk AI systems. Annex A.7 supports this through controls for data acquisition, provenance, quality, preparation, and use.
  • Articles 11-12: Technical documentation and record-keeping → Clause 7.5: Documented information. The Act requires technical documentation and record-keeping for high-risk AI systems. Clause 7.5 supports this by requiring controlled, maintained, and available AIMS documentation.
  • Article 13: Transparency and information to deployers → Annex A.8: Information for interested parties. The Act requires providers to give deployers clear information on a high-risk AI system’s purpose, capabilities, limitations, and proper use. Annex A.8 supports this through stakeholder communication and system information controls.
  • Article 14: Human oversight → Annex A.9: Use of AI systems. The Act requires effective human oversight for high-risk AI. Annex A.9 supports this by defining responsible use, intended use, and operational controls for people using AI systems.
  • Article 15: Accuracy, robustness, and cybersecurity → Annex A.6: AI system lifecycle. The Act requires high-risk AI systems to perform consistently and securely throughout their lifecycle. Annex A.6 supports this through lifecycle controls for requirements, design, verification, deployment, operation, and monitoring.

The 10 Clauses, decoded

ISO 42001 follows the same Harmonized Structure used across ISO management system standards, including ISO 27001 and ISO 9001. The first three clauses are introductory. The auditable requirements live in Clauses 4 through 10.

Clause 1 – Scope

Defines what ISO 42001 covers. No action items.

Clause 2 – Normative references

Points to ISO/IEC 22989. No action items.

Clause 3 – Terms and definitions

Glossary. No action items.

Clause 4 – Context of the organization

Identify AI-related issues, stakeholders, and AIMS scope.

Clause 5 – Leadership

Top management owns AI governance, policy, and roles.

Clause 6 – Planning

Identify AI risks, set objectives, and run impact assessments.

Clause 7 – Support

Provide people, training, and documentation for the AIMS.

Clause 8 – Operation

Operationalize AI risk and lifecycle controls.

Clause 9 – Performance evaluation

Monitor, audit, and review AIMS effectiveness.

Clause 10 – Improvement

Address nonconformities and continually improve.

ISO 42001 Controls (Annex A)

The 10 clauses define what your AIMS must do. Annex A defines the specific controls you implement to actually do it. ISO 42001’s Annex A contains 38 controls organized under 9 control objectives, each addressing a distinct domain of AI risk.

The 9 control objectives at a glance:

ISO 42001 Annex A control area (focus): What it covers

  • A.2: Policies related to AI (AI governance policy): AI policy, supporting governance documents, and alignment with existing organizational policies.
  • A.3: Internal organization (Roles and accountability): AI roles, responsibilities, reporting lines, and processes for raising AI-related concerns.
  • A.4: Resources for AI systems (Required resources): Data, tooling, systems, infrastructure, human expertise, and compute resources needed for AI systems.
  • A.5: Assessing impacts of AI systems (AI impact assessment): Processes for assessing and documenting the potential impacts of AI systems on individuals, groups, organizations, and society.
  • A.6: AI system lifecycle (Lifecycle governance): Requirements, design, development, verification, validation, deployment, operation, monitoring, and retirement of AI systems.
  • A.7: Data for AI systems (Data governance): Data acquisition, quality, provenance, preparation, use, and ongoing suitability for AI systems.
  • A.8: Information for interested parties (Transparency and communication): Information provided to relevant stakeholders, including documentation, notices, transparency information, and communication about AI system use.
  • A.9: Use of AI systems (Responsible operation): Intended use, responsible use, human oversight, operational monitoring, and controls for users of AI systems.
  • A.10: Third-party and customer relationships (External dependencies): Supplier, partner, and customer responsibilities related to AI systems, including third-party services, customer obligations, and shared accountability.

Each control comes with implementation guidance in Annex B. Your Statement of Applicability (SoA) documents which controls apply, which you’ve excluded, and why, based on your AI system impact assessment.

The good news: you don’t have to build this from scratch. Sprinto pre-builds the full Annex A control set, maps it to your existing tools, and auto-collects evidence for every applicable control.

More on ISO 42001 Controls: Full breakdown of all 38 Annex A controls and how Sprinto maps each one.

ISO 42001 for AI risk management

AI risk is different from other types of enterprise risk. Models can drift. Training data can encode bias. Outputs can hallucinate. Systems that performed well in testing can fail unpredictably in production. Traditional risk management frameworks weren’t designed for any of this.

ISO 42001 is the first standard to formalize AI risk management as an ongoing, structured process. It introduces three concepts that most teams haven’t implemented before:

  • AI risk assessment (Clause 6.1.2): Identify risks across the AI lifecycle, from data sourcing to deployment to retirement
  • AI system impact assessment (Annex A.5): Evaluate the broader impact on individuals, groups, and society, including fairness, transparency, and rights-based concerns
  • Continuous monitoring (Annex A.6.2.8): Track AI system performance, drift, and incidents in production, not just at launch

Together, these turn AI risk from a one-time review into a continuous program. For organizations operating under the EU AI Act, this structure also serves as the foundation for Article 9 risk management compliance.

Keep reading: ISO 42001 for AI Risk Management – Building an AI risk program that holds up.

Picking the right ISO 42001 auditor

ISO 42001 is new enough that the auditor market is still maturing. As of 2026, only a handful of certification bodies are accredited to issue ISO 42001 certificates, including Schellman (the first ANAB-accredited body), BSI, A-LIGN, and a few others. That short list matters, because picking the wrong body can mean delays, certificates that aren’t widely recognized, or auditors who don’t understand AI systems.

What to look for in an ISO 42001 certification body:

  • IAF MLA accreditation through a recognized national body (ANAB, UKAS, NABCB, DAkkS, etc.)
  • ISO/IEC 42001 specifically in their accreditation scope, not just ISO 27001
  • AI domain expertise on the audit team (not generic ISMS auditors)
  • Experience auditing organizations similar to yours (model providers vs. AI users)
  • Reasonable scheduling availability (demand currently exceeds supply)

Questions to ask before signing with a certification body:

  • Are you accredited specifically for ISO 42001?
  • How many ISO 42001 audits have your auditors actually conducted?
  • Do you have AI/ML technical expertise on the audit team?
  • What’s your typical audit duration and turnaround for certificate issuance?
  • Can the audit be conducted remotely or hybrid?

Keep reading: ISO 42001 Auditor – How to pick the right certification body.

ISO 42001 training: what’s required, and who needs it

Clause 7.2 requires that people doing work affecting AIMS performance are competent, and you can prove it. ISO 42001 explicitly requires AI literacy under Clause 7.3, aligning with Article 4 of the EU AI Act.

Most ISO 42001 programs build training across three layers:

  • Leadership and executive awareness: So top management can defend Clause 5 commitments and AI governance decisions during an audit
  • Internal auditor training: Lead auditor or internal auditor certifications specific to ISO 42001 (PECB, BSI, and Schellman all offer these)
  • AI literacy for all relevant staff: Covers AI risks, ethical considerations, and role-specific responsibilities

AI literacy isn’t just a nice-to-have anymore. The EU AI Act explicitly requires it, and ISO 42001 auditors are increasingly checking for evidence of structured AI awareness programs.

Keep evidence of AI literacy and role-based training

AI literacy should be provable, not just assigned in a training tool. For ISO 42001, auditors will want to see that people working with AI systems understand their responsibilities and the risks associated with their roles.

Useful evidence includes:

  • Role-based training for product, engineering, security, legal, compliance, procurement, support, and business users
  • Training mapped to the AI systems each group actually uses or manages
  • Guidance on approved and prohibited AI use
  • Examples of AI risks employees must recognize, such as hallucination, bias, privacy leakage, unsafe automation, and weak human oversight
  • Completion records, dates, and refresher cadence
  • Policy acknowledgements or attestations
  • Training for contractors or service providers who operate AI systems on the organization’s behalf
  • Evidence that high-risk or customer-facing AI systems receive deeper, context-specific training

The goal is not to prove that every employee is an AI expert. It is to show that people who develop, deploy, approve, or use AI systems know enough to use them responsibly and escalate risks when needed.

Sprinto handles training assignment, tracking, and reminders automatically. Completion records are stored alongside other AIMS evidence.

Keep reading: ISO 42001 Training – What’s required, who needs it, and where to get it.

What actually happens during an ISO 42001 audit?

ISO 42001 audits follow the standard ISO management system audit cycle:

  • Year 0 – Initial Certification (Stage 1 + Stage 2): Stage 1 reviews your AIMS documentation; Stage 2 assesses operational evidence on-site or remotely
  • Years 1 & 2 – Surveillance Audits: Shorter audits focused on sampled controls, incident logs, and AI risk register updates
  • Year 3 – Recertification Audit: Full audit to renew your certificate for another three years

What auditors specifically look for in an ISO 42001 audit:

  • A complete AI system inventory with documented intended use for each system
  • Evidence of AI system impact assessments (not just risk assessments)
  • Documented data governance, including data quality and provenance
  • Human oversight mechanisms with documented authority (not just titles)
  • Incident response logs for AI-specific issues (drift, bias, hallucinations, harmful outputs)
  • Third-party AI supplier assessments

Common audit findings in early ISO 42001 audits:

  • Missing or thin AI system impact assessments
  • Incomplete data provenance records
  • Generic role assignments without documented authority to act
  • Insufficient evidence of human oversight in high-risk AI systems
  • Statement of Applicability that doesn’t justify excluded controls

More on ISO 42001 Audit – What auditors look for and how to prepare.

The ISO 42001 certification roadmap

Most organizations move from kickoff to certificate in 4-9 months. Companies already certified to ISO 27001 typically complete certification in 4-6 months by leveraging shared controls; those starting from scratch take 6-12 months.

The journey breaks down into six phases:

  1. Preparation (Weeks 1-3): Gap assessment, AIMS scoping, AI system inventory, certification body selection
  2. Implementation (Weeks 4-12): AI policy, Statement of Applicability, impact assessments, controls, training rollout
  3. Operation (Weeks 10-16): Run the AIMS for 2-3 months, collect evidence, track AI incidents
  4. Pre-Audit Readiness (Weeks 14-18): Internal audit, management review, evidence handover
  5. External Audit (Weeks 18-22): Stage 1 (documentation) + Stage 2 (assessment), then certificate issued
  6. Ongoing Maintenance (Years 1-3): Annual surveillance audits, recertification in year 3

More on ISO 42001 Certification – Full roadmap from kickoff to certificate.

What does ISO 42001 really cost?

ISO 42001 costs vary widely based on organization size, AIMS scope, the number of AI systems in scope, and the extent of automation. Here’s a realistic breakdown of total program cost, including certification body fees, internal effort, and supporting tools.

  • $15-80k+: Total program cost
  • 3-9 months: Typical timeline
  • 60-200 hours: Internal effort with Sprinto

Estimated Total Cost by Organization Profile:

Organization profile → Estimated cost → With Sprinto

  • Small team, single AI product (typically under 50 people): $10-20K; with Sprinto: $10-13K
  • Mid-size, multiple AI systems (50-250 people): $20-40K; with Sprinto: $13-20K
  • Large mid-market, complex AI portfolio (250-1,000 people): $40-80K; with Sprinto: $20-30K
  • Enterprise or multi-product AI organization (1,000+ people): $80-150K+; with Sprinto: $30-60K

These ranges include certification body fees, internal time, and tooling. Costs scale with the number of AI systems in scope, complexity of impact assessments required, and whether you’re starting from scratch or already have ISO 27001 in place.

Where the money goes:

  • Certification body fees: Stage 1 + Stage 2 audit, plus annual surveillance audits
  • Internal effort: Engineering, ML, security, legal, and AIMS owner time
  • AI impact assessments: Documentation and analysis for each in-scope AI system
  • Documentation and tooling: AIMS platform, evidence management, training systems
  • Training and consulting: Internal auditor training, gap assessments, expert advisory

Want a precise estimate based on your AI systems, team size, and existing compliance posture? Our team will walk you through a custom cost and timeline projection in a 20-minute call – Book a demo now

Common ISO 42001 mistakes (and how to dodge them)

ISO 42001 is new enough that most implementations are still on their first iteration, which means mistakes are common. Here’s what to watch for:

  1. Ignoring third-party AI risk.
    If you use third-party models, APIs, or services, Annex A.10 applies. Your AIMS scope needs to include supplier assessments.
  2. Treating it as a tech-only project.
    ISO 42001 is a management system standard. It requires leadership, governance, policy, and operations to come together. If only engineering is involved, you’ll fail Clause 5.
  3. Skipping the AI system inventory.
    You can’t govern what you haven’t cataloged. Build a complete inventory of every AI system, its intended use, and ownership, before doing anything else.
  4. Conflating AI risk assessment with AI system impact assessment.
    They’re different. Risk assessment covers what could go wrong. Impact assessment covers who could be affected and how. Annex A.5 requires both.
  5. Generic role assignments.
    “AI Ethics Lead” without documented authority to halt a system isn’t enough. Auditors want documented authority, not just titles.
  6. Treating Annex A as a checklist.
    The 38 controls need to be implemented proportionately to your AI risks. Document what you’ve included, what you’ve excluded, and why, in your Statement of Applicability.
  7. Underestimating documentation effort.
    ISO 42001 is documentation-heavy, especially the AI system impact assessments and data provenance records. This is where manual programs lose months.

How Sprinto helps with ISO 42001

ISO 42001 is documentation-heavy, evidence-heavy, and assessment-heavy. As an autonomous trust and compliance platform, Sprinto turns it from a multi-quarter manual project into a continuously monitored, mostly automated workflow.

  • Pre-built AIMS framework: All 10 clauses and 38 Annex A controls pre-mapped to policies, evidence requirements, and ownership. Start at 70%, not zero.
  • AI system inventory and impact assessment workflows: Templated, structured, and audit-ready.
  • Automated evidence collection: 300+ integrations pull evidence from your existing stack (cloud, ML platforms, ticketing, HRIS, training tools).
  • Continuous AIMS monitoring: Real-time alerts on control drift, overdue impact assessments, expired training, or stale risk register entries.
  • Built-in training management: AI literacy and role-based training, assigned, tracked, and recorded automatically.
  • Auditor portal: Read-only access for your certification body. Cuts audit duration significantly.
  • Multi-framework leverage: Already doing ISO 27001, SOC 2, or data protection? Sprinto maps overlapping controls so you don’t repeat work.

The result: Certification in months instead of quarters. Internal effort cut by 60-80%. And an AIMS that actually improves your AI governance maturity, not just satisfies an audit.

See ISO 42001 inside Sprinto

Frequently asked questions

No. ISO 42001 is voluntary. But it’s quickly becoming a procurement and regulatory expectation, especially for organizations selling AI into the EU or to large enterprises. If your buyers are asking for AI governance evidence, treat it as effectively mandatory.

For organizations starting from scratch, 6-12 months. For those already certified to ISO 27001, 4-6 months by leveraging shared controls. With automation, well-prepared startups can certify in 3-5 months.

ISO 27001 covers information security, ISO 42001 covers AI governance. They share the same management system structure (clauses 4-10), but ISO 42001’s Annex A focuses specifically on AI risks: bias, impact, transparency, human oversight, and AI lifecycle management. Most AI companies need both.

Not directly. ISO 42001 provides the management system structure that maps onto many EU AI Act requirements, but it doesn’t guarantee compliance. Treat it as the governance foundation, with a separate EU AI Act gap analysis layered on top.

Yes. Most certification bodies offer remote or hybrid audits, especially for smaller scopes. Some on-site element may still apply depending on the auditor and your AI system complexity.

If you’re an AI-native startup selling to enterprises, increasingly yes. Procurement teams at large buyers are screening for AI governance evidence, and ISO 42001 is the cleanest way to provide it. For pre-revenue or pre-product-market-fit teams, it’s usually premature.

No, but it helps. ISO 27001 establishes shared management system foundations that ISO 42001 builds on. If you’re pursuing both, doing them together (or 27001 first) is more efficient than ISO 42001 alone.

For small to mid-size AI companies, total program cost typically ranges from $10,000 to $40,000, depending on scope, AI complexity, and how much of the work you automate. Enterprise certifications can run higher.

If you’re an AI-native startup selling to enterprises, increasingly yes. Procurement teams at large buyers are screening for AI governance evidence, and ISO 42001 is the cleanest way to provide it. Resource-constrained teams can scope tightly and certify in 3-5 months with the right tooling.

Read enough. See it working.

A live walkthrough of ISO 42001 inside Sprinto — 30 minutes.
