
The ISO 42001 Certification Requirements Explained

Published: Oct 21, 2024

Last Updated: Jul 29, 2025

When seeking ISO 42001:2023 certification, you need to ensure that your artificial intelligence management system (AIMS) aligns with the standard’s framework clauses (4-10), each of which focuses on a specific facet—context, leadership, planning, support, operation, performance evaluation, and improvement. 

For those acquainted with other, more established ISO standards, the format may feel familiar initially, but there are some key differences in ISO 42001, including its expansion of clauses 6 and 8 to cover interactions of AI with individuals and the public sector. 

To have your AIMS certified, you will need to satisfy those additional nuances, as well as the rest of the specific requirements of clauses 4 through 10 and any applicable Annex A controls. As an experienced Certification Body with accreditation from ANAB and UKAS, we’re going to help by providing you with a starting baseline.

In this article, we will break down each of ISO 42001’s clauses 4-10 in detail along with some basic strategies for compliance with their requirements so that you can gain a solid understanding of what will be expected of your AIMS as you begin to stand it up and engage in initial certification services. 

What are the Key Clauses of ISO 42001? 

Like other ISO standards, clauses 1-3 of ISO 42001 are more general and provide the background information you’ll need when implementing the requirements outlined in clauses 4-10: 

  • Clause 1: Scope 
    • Defines the boundaries and applicability of the ISO 42001 standard. 
  • Clause 2: Normative References 
    • Lists the documents referenced in the text of the ISO 42001 standard in such a way that some or all of their content constitutes requirements of the standard. For ISO 42001, that document is ISO/IEC 22989:2022, Information Technology – Artificial intelligence – Artificial intelligence concepts and terminology.
  • Clause 3: Terms & Definitions 
    • Establishes common terminology used in the framework to facilitate consistent implementation of the standard across organizations. 

Clause 4: Context of the Organization  

What’s Required: The identification of:

  • The scope of your AIMS 
  • All the issues relevant to the purpose and strategic direction of your AIMS
  • The needs of both internal and external stakeholders, who may include customers, suppliers, employees, and regulatory bodies 

Every organization’s AIMS should be tailored to its individual needs, but before you can cut yours to the right fit, you must first demonstrate a complete understanding of your specific context, including things like: 

  • Your strategic business objectives (e.g., competitive market share, stakeholders’ expectations, compliance with global laws) 
  • Relevant risks (e.g., threats and vulnerabilities) 
  • Your customer expectations (e.g., required functionality of AI tools, etc.) 

How to Get Started with Compliance 

  • Determine which of your existing processes, personnel, departments, activities, software dependencies, and locations should be included in your AIMS.
  • Identify and document factors that could impact your AIMS, including relevant market trends, regulatory requirements, technological advancements, competitive pressures, organizational culture, resources, current capabilities, and performance metrics. 
  • Consider the intended purpose for the AI product or processes relating to the following: 
    • Incentives or consequences associated with the intended purpose of AI 
    • Culture, traditions, values, norms, and ethics for the development and utilization of AI, as well as the competitive landscape and trends for new products and processes relying on AI 
    • Internal context-related issues focused on governance, objectives, policies, procedures, and contractual obligations 
  • Determine and document the needs of all relevant stakeholders (e.g., interested parties) regarding your AI products or services, quality standards, delivery schedules, and communication preferences.
  • Develop a document that reflects your organization's commitment to meeting those needs, complying with applicable regulations, and continually improving your products, services, and processes. It's best practice to communicate this policy to your organization as well. 
  • Determine whether or not climate change is a factor in developing and continually improving the AIMS and document it either way. 

Clause 5: Leadership 

What’s Required: The commitment of top management to your AIMS, artificial intelligence policy, and AIMS roles, responsibilities, and authorities

To ensure the effectiveness of your AIMS’ implementation, maintenance, and continual improvement throughout the three-year certification lifecycle—from initial certification to surveillance and recertification—management must be actively involved in support, especially through the artificial intelligence policy and communicated roles and responsibilities. 

While the standard does require that involvement, executive and senior leadership (in many cases, even the Board of Directors (BoD), if possible) can also benefit further from remaining involved in your ISO 42001 certification, as your AIMS can integrate the work of formerly siloed departments and teams and create more meaningful cross-functional collaboration.

How to Get Started with Compliance 

Top management should: 

  • Contribute to the establishment of your AI policy, its communication to your wider organization, and its integration into your overall business process and strategies. 
  • Provide and assign adequate resources, support, and direction for the AIMS by visibly championing AI initiatives, promoting a culture of continuous improvement, and actively engaging in AIMS activities—including regular reviews of the AIMS’ effectiveness with reporting sent up the management chain to the BoD so that the AIMS remains funded appropriately. 
  • Create roles and responsibilities that govern and provide moderated authority to personnel serving the AIMS, including top management, safety and risk committee members, and day-to-day operators of the AIMS. 

Clause 6: Planning 

What’s Required:

  • The setting of artificial intelligence objectives
  • The determination of AIMS risks, impact, and opportunities, as well as the planning of actions to address them

Integrating your AIMS into established processes so that it achieves organizational priorities—and so that it is set up to endure and improve—takes careful planning. But as we noted before, clause 6 within ISO 42001 goes a step further than some of the other familiar ISO standards—specifically through its required completion of an AI impact assessment. 

How to Get Started with Compliance 

  • Identify AI risk criteria and organizational AI appetite for risk that supports distinguishing acceptable from non-acceptable risks—that may mean performing AI-specific risk assessments, conducting AI-specific risk treatment, and assessing AI-specific risk impacts. 
  • Conduct a comprehensive risk assessment to identify the risks that may affect your ability to achieve your AI objectives and develop related mitigation (risk treatment) strategies.
  • Develop detailed procedures—including those addressing the implementation of changes to the AIMS and contingency plans for any deviations—to ensure the ongoing effectiveness of AIMS processes and achievement of AI objectives. 
  • Consider and document formal steps for how changes to the AIMS will be enacted when the need for such a change arises. 
  • Define roles, responsibilities, and authorities for executing planned activities and ongoing monitoring of their progress. 
  • Establish metrics and targets for the effectiveness of AIMS activities and achievement of AI objectives. 
  • Maintain accurate records of all these planning activities and ensure that this documented information is accessible, up-to-date, and effectively communicated to relevant stakeholders. 

Tips for Your AI Impact Assessment  

  • Define a process to assess the potential consequences that can result from AI systems on individuals, groups, and societies. 
  • Outline the potential consequences of an AI deployment, intended use, and potential misuse for individuals, groups, and societies. 
  • Understand the context—both technical and social—where your AIMS is primarily deployed considering applicable jurisdictions. 
  • Retain documented information of the AI impact assessment, available to internal and external interested parties as determined by the organization’s strategic alignment. 
  • Use the results of the AI impact assessment as inputs for your AI risk assessment as required by ISO 42001. 

Clause 7: Support 

What’s Required: The allocation of adequate resources to support the operation and effectiveness of the AIMS, appropriate competence for persons doing work under the AIMS, personnel’s awareness of the AIMS, as well as communication and documented information regarding the AIMS

In requiring the allocation of resources, ISO 42001 doesn’t just mean employing adequate personnel and deploying the necessary data, tooling, systems, and assets (including human capital) to support your AIMS—the framework also mandates a certain level of competence, awareness, communication, and documented information as part of that support. 

How to Get Started with Compliance 

  • Identify the knowledge, skills, and competencies required for personnel involved in AIMS-related activities and assign or hire them, including providing any necessary training for your existing relevant workforce on AI, and document the mechanisms used to verify these competencies. 
  • Make sure that your employee base is aware of your AI policy and how everyone can aid in achieving the AIMS strategic priorities. 
  • Establish and use effective communication channels to facilitate the flow of information related to the AIMS, including the importance of individual contributions to the AIMS, policies, procedures, instructions, and feedback. 
  • Develop and maintain documented information necessary for the effective planning, operation, and control of AIMS processes—make sure that information is accurate, up-to-date, accessible, and properly controlled through designed procedures. 

Clause 8: Operation  

What’s Required: The implementation of processes regarding your artificial intelligence offerings

Together with Clause 6, Clause 8 is paramount for your compliance—it addresses the conformance of AI operational planning and control within your design, development, and production processes through effective, efficient, and agile implementations. 

How to Get Started with Compliance 

  • Plan, implement, and control actions determined in your completed AI assessment by implementing and measuring the success of controls related to the operation of the AIMS (refer to the AI controls in Annex A and the implementation guidance in Annex B). 
  • Monitor the effectiveness of controls and institute corrective actions if intended results are not wholly achieved, all while forming and maintaining documented information to ensure confidence that the processes stated have been performed. 
  • Control and formalize planned changes, review the results of unintended changes, act on any perceived or real adverse effects, and verify that third-party products or services needed for the functioning of the AIMS are controlled. 
  • Perform AI risk assessment, treatment, and impact assessments at planned intervals or whenever significant changes occur. When treatment plans are not effective, review, revalidate, and update the risk assessment, treatment, and AI impact processes. 
  • Retain documented information on the process (e.g., policies, standards) and results (e.g., output, reporting, evaluation) of your AI risk assessment, AI risk treatment, and AI impact assessments. 

Clause 9: Performance Evaluation 

What’s Required: The monitoring, measurement, analysis, and evaluation of AIMS processes and performance, internal audit against the AIMS framework and applicable Annex A controls, and a dedicated management review

Clause 9 requires the measurement of key performance indicators, regular internal audits, and management review, which constitute inputs towards analysis and evaluation for driving AIMS effectiveness over the entire certification lifecycle. 

How to Get Started with Compliance 

  • Design and implement a systematic approach to collecting, recording, and analyzing performance data or anything you can measure for an accurate heartbeat of your AI product/tool to evaluate the effectiveness and efficiency of AI operational processes, its conformity to expected behavior, its performance versus real human capability, and real or perceived customer satisfaction, among any other relevant metrics. 
  • Conduct regular, impartial/objective internal audits against ISO 42001 requirements. These can be done by a qualified third party or by internal personnel not involved in the running of the AIMS.
  • Regularly review AIMS performance data and feedback to evaluate the effectiveness of the AIMS and identify opportunities for improvement. 
  • Document and store information related to the operational effectiveness of the AIMS, including the results of regular measuring, internal audit against ISO 42001 requirements, and the subsequent resulting reports related to both measuring and internal audit delivered to top management during planned regular management reviews. 

Clause 10: Improvement  

What’s Required: The correction of nonconformities and continual improvement of your AIMS

Though taking a systemic approach to artificial intelligence management through the establishment of an AIMS is already a big step, ISO 42001 also requires that you remain vigilant and seek opportunities to further enhance the success and functioning of your AIMS, including adapting your AIMS to any changing technologies, circumstances, or objectives. 

The compliance journey will necessitate the correction of gaps, identified as major or minor nonconformities, which can be raised by your organization, your internal auditors, or by an external certification body performing a readiness assessment or initial certification. 

How to Get Started with Compliance 

  • Develop processes for identifying, documenting, and addressing nonconformities, areas of concern, and opportunities for improvement identified through internal or external assessments to ensure the implementation of necessary corrective actions to prevent recurrence. 
  • Establish and systematically analyze the root cause of any identified deviation from the ISO 42001 standard requirements and periodically evaluate the results of each applied corrective step to sustainably remediate nonconformities when they arise. 
  • Continuously monitor and review your AIMS to identify opportunities for the improvement of its suitability, adequacy, and effectiveness. 
  • Establish mechanisms for capturing and implementing improvement ideas from employees as well as internal and external stakeholders. 

Getting ISO 42001 Certified 

While you’ll require more than this outline of clauses 4-10 to implement a comprehensive AIMS, we hope that what has been provided here will make for a good start in addressing the requirements of each of these key clauses within ISO 42001 as you build out your AIMS. 

As a final tip, it’s best practice to document everything as you go through these planning and implementation motions, which is key for compliance and will also help streamline your operations throughout the certification lifecycle. 

Once you stand up your AIMS, you’ll be looking for a Certification Body to guide you through a gap assessment and eventual initial certification against the ISO 42001 requirements, and Schellman may be the right fit. Contact us today to speak with our ISO team and learn more about how a strategic partnership with us can serve your organization beyond the gap assessment and eventual certification of your AIMS. 

About Megan Sajewski

Megan Sajewski is a Senior ISO Associate and ISO 42001 Lead Auditor with Schellman based in Dearborn, Michigan. Prior to joining Schellman in 2023, Megan worked as a Senior Associate, Attest Services, for a small public accounting company specializing in SOC and ISO reports. Megan also led and supported various other projects, including technical writing for metal forming 3D printing, and design software. Megan has over 11 years of experience comprised of serving clients in various industries, including cybersecurity, engineering, and academia. Megan is now focused primarily on ISO examinations for organizations across various industries.