ISO 42001: the AI management system standard Europe needs
A complete guide to ISO/IEC 42001:2023 — structure, key controls, relationship with the EU AI Act and how to implement it in your organisation.
What is ISO 42001?
ISO/IEC 42001:2023 is the first international standard for AI management systems (AIMS). Published jointly by ISO and IEC in December 2023, it plays the role for AI governance that ISO/IEC 27001 plays for information security: it specifies requirements for a certifiable management system, not technical requirements for any particular AI system.
It follows the Annex SL high-level structure (also called HLS), the same framework shared by ISO 27001 (information security), ISO 9001 (quality) and ISO 14001 (environment). This makes integration with existing management systems significantly easier.
ISO 42001 applies to any organisation that develops, deploys or uses AI systems, regardless of size, sector or geographic location. Its goal is to provide a framework for establishing, implementing, maintaining and continually improving AI governance.
The 10-chapter structure
ISO 42001 is organised into 10 clauses (this guide calls them chapters) following the Annex SL structure. Chapters 1–3 (scope, normative references, terms and definitions) are introductory; chapters 4–10 contain the auditable requirements:
- Chapter 4 — Context of the organisation: understanding internal and external context, identifying interested parties and determining the scope of the AIMS.
- Chapter 5 — Leadership: top management commitment, AI policy, roles and responsibilities. The AI policy is the foundational document: it declares the organisation's principles and commitments to responsible AI use.
- Chapter 6 — Planning: actions to address AI-related risks and opportunities, AIMS objectives and how to achieve them, and planning of changes. It defines the AI risk assessment (6.1.2) and AI risk treatment (6.1.3) processes; the treatment step is where Annex A controls are selected and where a Statement of Applicability must justify the inclusion or exclusion of each control. It also requires an AI system impact assessment process (6.1.4). This chapter connects directly to the AI system inventory and classification.
- Chapter 7 — Support: resources, competencies, awareness, communication and documentation. Defines requirements for the team to have the capabilities needed to manage AI responsibly.
- Chapter 8 — Operation: operational planning and control, plus actually carrying out the AI risk assessment (8.2), AI risk treatment (8.3) and AI system impact assessment (8.4) defined in Chapter 6, at planned intervals and whenever significant changes occur. Annex A is a separate normative annex rather than part of Chapter 8; it is invoked from the risk treatment in Chapter 6.
- Chapter 9 — Performance evaluation: monitoring, measurement, analysis and evaluation. Includes internal audit and management review.
- Chapter 10 — Improvement: non-conformity management, corrective actions and continual improvement.
Annex A controls
Annex A (normative) contains the reference control objectives and controls for AI management, organised in nine groups, A.2 to A.10. These controls are the most operational part of the standard; they are selected through the risk treatment process of Chapter 6, and every inclusion or exclusion is justified in the Statement of Applicability. Annex B gives implementation guidance for each control, Annex C lists AI-related organisational objectives and risk sources, and Annex D discusses use of the AIMS across domains and sectors. The nine groups are:
- A.2 — Policies related to AI: the AI policy, its alignment with other organisational policies, and its periodic review.
- A.3 — Internal organisation: AI roles and responsibilities, and a process for reporting concerns about AI systems.
- A.4 — Resources for AI systems: documentation of the data, tooling, system and computing, and human resources that AI systems depend on.
- A.5 — Assessing impacts of AI systems: an impact assessment process and its documentation, covering impacts on individuals, groups and society.
- A.6 — AI system life cycle: objectives and processes for responsible development, requirements and specification, design and development documentation, verification and validation, deployment, operation and monitoring, technical documentation, and recording of event logs.
- A.7 — Data for AI systems: data management for development and enhancement, acquisition, quality, provenance and preparation of data.
- A.8 — Information for interested parties of AI systems: system documentation and information for users, external reporting, communication of incidents, and information for other interested parties.
- A.9 — Use of AI systems: processes for responsible use, objectives for responsible use, and the intended use of each AI system.
- A.10 — Third-party and customer relationships: allocation of responsibilities, supplier management and customer support.
There is no A.11 and no separate information security group in Annex A. Security controls are expected to come from the organisation's information security management system (for example one built on ISO/IEC 27001), which an AIMS is designed to integrate with rather than duplicate.
Relationship between ISO 42001 and the EU AI Act
ISO 42001 and the EU AI Act are complementary, not substitutes. Their relationship is similar to that of ISO 27001 and GDPR: the standard provides the management framework that facilitates compliance with the legal regulation.
The EU AI Act imposes specific legal obligations, with fines of up to 7% of global annual turnover or EUR 35 million, whichever is higher, for prohibited practices, and lower tiers for other infringements. ISO 42001 provides the management system that lets an organisation meet those obligations in a structured and demonstrable way. Some specific correspondences for high-risk systems:
- The risk management system (Art. 9) aligns with the AI risk assessment and treatment of Chapter 6, the operational cycle of Chapter 8, and the impact assessment controls of A.5.
- Data and data governance (Art. 10) maps to A.7 (data for AI systems) and the data resource documentation in A.4.
- Technical documentation (Art. 11) and record-keeping (Art. 12) map to the technical documentation and event-log controls in A.6 and to A.8 (information for interested parties).
- Transparency and instructions for use (Art. 13) and human oversight (Art. 14) correspond to the operation-and-monitoring control in A.6 and to A.9 (use of AI systems).
- Responsibilities along the AI value chain (Art. 25) correspond to A.10 (third-party and customer relationships).
The harmonised standards that will give a presumption of conformity under Art. 40 of the EU AI Act are being drafted by CEN-CENELEC JTC 21 under a standardisation request from the European Commission, and JTC 21 is drawing on existing ISO/IEC standards, including ISO 42001, where they fit. ISO 42001 certification is not itself a harmonised standard and does not grant a presumption of conformity, but an organisation running a certified AIMS already holds much of the evidence (risk assessments, impact assessments, documentation, supplier controls) that a conformity assessment will ask for.
Benefits of implementing ISO 42001
- Structured governance framework: provides a proven methodology for organising AI management, based on the PDCA cycle (Plan-Do-Check-Act) familiar to quality and security teams.
- Reduced legal liability: demonstrates to regulators, customers and partners that the organisation manages AI responsibly and diligently.
- Competitive advantage: in European public tenders and B2B contracts, ISO 42001 certification is becoming an increasingly differentiating factor.
- Integration with existing systems: the Annex SL structure facilitates integration with ISO 27001, ISO 9001 and other management systems already in place.
- EU AI Act readiness: the ISO 42001 management system and Annex A controls cover most of the organisational obligations for high-risk systems (risk management, data governance, documentation, oversight, supplier relationships). They do not replace the product-level requirements, such as accuracy, robustness and cybersecurity (Art. 15), conformity assessment, CE marking and registration in the EU database, which still have to be met for each high-risk system.
How Kaitalog implements ISO 42001 controls
Kaitalog is designed to operationalise the Annex A controls of ISO 42001 in a concrete, auditable management system:
- Inventory and documentation (A.6, A.8): Kaitalog's inventory module captures, for each registered AI system, the metadata that the technical documentation controls of A.6 and the system documentation and information-for-users controls of A.8 call for.
- Impact assessment (A.5): Kaitalog's risk classification questionnaire implements the AI system impact assessment process required by A.5.
- Supplier management (A.10): each registered system includes provider information, terms of use and a supply chain risk assessment, supporting the supplier controls of A.10 (third-party and customer relationships).
- Incident management (A.6, A.8): the obligations module enables registering and managing AI-related incidents with full traceability, supporting the event-log control in A.6 and the communication-of-incidents control in A.8.
- Internal audit (Chapter 9): Kaitalog's change history, review cycles and evidence exports directly support AIMS internal audits and management review.
Implement ISO 42001 from day one
Kaitalog maps your AI systems to Annex A controls automatically.