Artificial Intelligence Management Systems
The world's first international standard for AI governance. Build client trust in your AI systems — and get ahead of the regulatory curve.
What is ISO 42001?
ISO 42001:2023 is the international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, it is the world's first ISO standard specifically addressing the responsible development, deployment and use of AI systems. It provides organisations with a structured framework for governing their AI activities — managing risk, ensuring transparency, maintaining human oversight, and demonstrating accountability.
ISO 42001 follows the same Annex SL high-level structure as ISO 9001, 14001, 27001 and 45001 — which means it can be integrated into an existing management system with considerably less effort than a standalone implementation.
Why ISO 42001 matters now
AI is moving from a technical feature to a boardroom governance issue. Clients, investors, regulators and supply chain partners are beginning to ask the same questions about AI that they have asked about data protection and information security — what AI are you using? Who oversees it? What happens when it goes wrong? ISO 42001 gives you a defensible, internationally recognised answer.
The EU AI Act, which came into full force in 2024, creates significant compliance obligations for AI systems deployed in or affecting EU markets. While ISO 42001 is not legally mandated by the Act, its framework maps closely to many of the Act's requirements — making it an efficient route to demonstrating compliance.
Who needs ISO 42001?
- Organisations that develop, sell, or deploy AI systems as part of their products or services
- Technology and software companies using AI or machine learning in client-facing applications
- Businesses that use AI tools (including large language models) in processes that affect clients or employees
- Companies supplying to the public sector or regulated industries where AI governance is assessed
- Any organisation that wants to demonstrate responsible, trustworthy AI use to clients and stakeholders
- Businesses building an ESG framework that includes technology governance
What ISO 42001 covers
The standard addresses the full lifecycle of AI systems within an organisation — from initial planning and risk assessment through to deployment, monitoring and continual improvement. Key areas include AI risk management, impact assessment, transparency and explainability, human oversight, data governance, and the responsibilities of organisations that develop AI versus those that deploy third-party AI systems.
How Anacruses helps
Anacruses has been working with ISO 42001 since its publication. Rob Pragnell contributes to the ISO ESG Committee and participates in the BSI BridgeAI standards community — which means our clients benefit from insight into not just current requirements, but where AI governance standards are heading.
We start by mapping your AI systems — what you develop, what you use, and what you deploy on behalf of clients. We then build your AI Management System: risk assessment, impact assessments, governance policies, roles and responsibilities, and the documented evidence that auditors will require.
Typical implementation timeline: 10–16 weeks. For organisations already holding ISO 27001, integration with the existing ISMS is significantly more efficient.
Interested in ISO 42001?
This is an emerging standard and many organisations are still at the 'what does it mean for us?' stage. Book a free conversation — no commitment required.