Implementing ISO 42001: a roadmap for an AI management system


Kees van der Vlies

Partner | IT Auditor


ISO 42001 is the first international standard for an AI management system, the AIMS. Where ISO 27001 focuses on information security, ISO 42001 is about responsibly developing, procuring and using AI. More and more organizations want to certify, driven by client questions and the EU AI Act. But how do you approach the implementation concretely? This article provides a practical roadmap.

Step 1: AI inventory

Every ISO 42001 implementation starts with an inventory of the AI systems the organization develops, procures or uses. This is consistently the hardest step, because AI is more widely present than organizations think. Not only their own models or a ChatGPT license, but also AI functionality in marketing tools, sales platforms, HR software and features that existing vendors have quietly added. Without a complete inventory the rest of the project lacks a foundation. So involve not only IT, but also business, marketing, finance and HR.

Step 2: context, scope and governance

Next you determine the scope of the AIMS and the context in which the organization deploys AI. Who are the stakeholders, which legal requirements apply, and what role does AI play in the core processes? Here you also set up governance. A common mistake is to make the security department owner of all AI risks; that makes every AI initiative dependent on a single bottleneck. The model that works is: security and compliance advise, the business decides and owns the outcomes.

Step 3: AI risk assessment

ISO 42001 requires a risk assessment of AI systems. AI risks differ from classic security risks: they also concern bias, transparency, explainability, data quality and the impact on affected people. The art is to make risks concrete instead of putting everything at 'medium'. Work with scenarios: what happens if this model makes a wrong decision, who is affected, and what is the impact on customers, reputation and compliance? This creates a shared language and lets you prioritize.

Step 4: AI impact assessments

For AI systems with meaningful impact on people you perform an impact assessment. The ISO 42005 standard provides guidance for this. You assess the consequences for affected parties, the measures to mitigate risks and how you provide transparency about automated decision-making. This connects directly to the high-risk AI obligations of the EU AI Act.

Step 5: policy, controls and evidence

Based on the risks and assessments you draft policy and controls: guidelines for responsible AI use, supplier requirements, processes for monitoring models and agreements on human oversight. Importantly, the policy must be workable. Overly strict policy leads to shadow AI: employees switch to personal accounts and bypass the rules. Involve the business in drafting, so the policy enables adoption within the agreed risk boundaries. Collect evidence along the way that the controls work.

Step 6: internal audit and management review

Like ISO 27001, ISO 42001 requires an internal audit and a management review. The internal audit verifies whether the AIMS works in practice and exposes improvement points. The management review ensures that management assesses effectiveness and adjusts course. After that the AIMS is ready for the certification audit by a certification body.

Certification is not the finish line

The most important lesson from practice: ISO 42001 is not a project with an end date but an ongoing process. Models are updated, vendors change their services, regulation shifts and new AI applications are introduced. Without ongoing monitoring the AIMS ages within six months. So set up a rhythm from the start in which the AI inventory stays current and new systems are assessed.

The connection with ISO 27001 and the EU AI Act

Many organizations implementing ISO 42001 already have ISO 27001. That is an advantage: both standards share the structure of a management system with policy, risk assessment, internal audit and management review. You can set them up in an integrated way and avoid duplicate work. In addition, ISO 42001 helps to demonstrably fulfill the governance requirements of the EU AI Act, even though it is not one-to-one proof of conformity.

Secure Audit guides organizations through a pragmatic ISO 42001 implementation, from AI inventory to certification and ongoing monitoring, supported by our own platform. Get in touch for a no-obligation conversation about AI governance.

Frequently asked questions

What is an AIMS in ISO 42001?

An AIMS is an AI management system: the set of policy, processes, risk assessment and governance with which an organization responsibly develops, procures and uses AI. It is the AI equivalent of the ISMS from ISO 27001.

What is the first step in an ISO 42001 implementation?

A complete AI inventory. AI is often hidden in marketing, sales and HR tools and in features of existing vendors. Without a complete picture the rest of the project lacks a foundation. So involve business, marketing, finance and HR too.

Can you combine ISO 42001 with ISO 27001?

Yes. Both standards share the structure of a management system with policy, risk assessment, internal audit and management review. An integrated setup avoids duplicate work and is often more efficient.

Does ISO 42001 certification prove EU AI Act compliance?

Not one-to-one. ISO 42001 helps to demonstrably fulfill the governance requirements of the EU AI Act and provides a strong basis, but it is not a direct declaration of conformity under the regulation.
