ModelCharter

ISO 42001

ISO/IEC 42001:2023, AI management system · International Organization for Standardization

ISO/IEC 42001 is the first certifiable international standard for an AI management system (AIMS). Much as ISO/IEC 27001 did for information security, it specifies how to establish, implement, maintain and continually improve governance over AI: an AI policy, AI risk assessment and treatment, an AI system impact assessment, and a set of reference controls.

Who it applies to

Any organisation that develops, provides or uses AI systems and wants a certifiable management system. Enterprise procurement increasingly asks for it.

Key points

Certifiable

An accredited certification body can audit and certify you against it, which gives customers and regulators independent evidence rather than a self-declaration.

Built on policy

The clause requirements start with an AI policy, roles and objectives, then require an AI risk assessment, risk treatment and an AI system impact assessment. Operational controls are drawn from the Annex A reference control set, and the controls you select (and any you exclude) are justified in a Statement of Applicability.

Complements ISO 27001

It sits alongside ISO/IEC 27001 (information security) and SOC 2 attestation reports rather than replacing them. Because 42001 follows the same harmonised management-system structure as 27001, an organisation with an existing ISMS can integrate the two rather than run parallel programmes; many vendors pursue 42001 to signal responsible-AI maturity.

What a small team should do

Full certification is a project, but the standard's structure is a useful target even before you commit to it: a written AI policy, a named owner, a risk and impact assessment of your actual AI uses, and a register of the AI tools in use together with the controls applied to each. Building those now makes a later certification audit far cheaper, because the auditor is checking evidence you already maintain.

How a policy helps: ISO 42001 requires a documented AI policy, and its risk and impact assessments presuppose that you know which AI systems are in scope; a register of those systems is the usual way to evidence that. Those two artefacts are exactly what ModelCharter's generator and register produce.

FAQ

What is ISO 42001?
ISO/IEC 42001:2023 is the international standard for an AI management system: a certifiable framework for governing how an organisation develops and uses AI.
Do we need ISO 42001 to use AI?
No. It is voluntary, but enterprise customers increasingly ask about it. Even without certifying, adopting its core artefacts (policy, register, risk assessment) is good practice.