
How to Implement ISO 42001 and Get Certified

Updated: 19 minutes ago


ISO 42001 is the first international standard for AI management systems.


If you’re using or building AI and want to show that your systems are safe, ethical and well-governed, this is the standard to work towards.


As ISO 42001 implementers, we help organisations make this practical. Here’s a short guide to how it works and what to expect on the path to certification.


Map Your AI Use

Start with a simple inventory of AI systems. Include tools you build as well as third-party platforms using AI. For each one, capture its purpose, the data it relies on and who might be affected. This helps define the scope of your AI governance system.


Set Objectives and Assign Roles

Be clear about why you use AI and who is responsible for it. Define governance roles across technical, operational and oversight teams. If you already use standards like ISO 27001 or 9001, these roles can usually be aligned.


Assess AI Risks

AI brings new risks, from bias and opacity to overreliance. ISO 42001 requires you to assess and manage these in a consistent way. That might mean setting up an AI risk register, reviewing model behaviours or documenting known limitations. You don’t need to fix everything immediately, but you do need to show a clear, repeatable process.


Build Practical Policies

You’ll need documented policies covering transparency, data quality, human oversight and accountability. These should be applied in real workflows and reviewed regularly. Start small and focus on relevance over perfection.


Train People and Embed Oversight

Teams building or using AI need to understand your governance approach. Training, templates and embedded review points all help bring the system to life. ISO 42001 is not just about documents; it’s about making governance real and ongoing.


Get Ready for Certification

When your AI management system is running, prepare for audit by:

  • Reviewing your documentation and processes

  • Running an internal assessment or gap analysis

  • Choosing a certification body with ISO 42001 credentials

Certification involves a two-stage audit. Stage one checks your documentation; stage two looks at how it’s implemented.


Final Word

We implement ISO 42001 with clients across sectors, from health to finance to tech. What matters most is starting with what you already do, being honest about your risks, and building a structure that helps teams make better decisions with AI.

Certification is one goal, but the bigger one is responsible, explainable and well-managed AI.


If you want to start your journey, give us a shout!


Emma Kitcher, ISO Nerd