UCS - Universal Certification and Services
HomeISO StandardsISO/IEC 42001:2023
Artificial Intelligence

ISO/IEC 42001:2023
Information technology — Artificial intelligence — Management system

ISO/IEC 42001:2023 AI management system certification — requirements, Annex A controls and ethical AI governance explained. Accredited certification in 7–10 days.

Accredited Certification Body
7–10 Day Certification
Globally Recognised

ISO/IEC 42001:2023 is the world's first certifiable standard for managing artificial intelligence. It sets out what an organisation must put in place to develop, deploy and use AI responsibly — and, unlike a code of ethics or a set of principles, it can be independently audited and certified.

This guide explains what the standard requires, who it applies to, what its Annex A controls cover, and how certification works.

What is ISO/IEC 42001:2023?

ISO/IEC 42001:2023 — full title Information technology — Artificial intelligence — Management system — was published in December 2023 by ISO and IEC. It specifies the requirements for establishing, implementing, maintaining and continually improving an AI Management System (AIMS).

It exists because AI creates a category of risk that existing standards do not address. A model can be perfectly secure and still produce biased outcomes, make decisions nobody can explain, or operate without a human able to intervene. ISO 42001 puts governance around exactly those risks.

Because it is a requirements standard — not a guidance document — an accredited certification body can audit an organisation against it and issue an internationally recognised certificate.

What is an AI management system (AIMS)?

An AI management system is the set of policies, processes, roles and controls through which an organisation governs its AI. It is the AI equivalent of what a quality management system does for quality, or an information security management system does for security.

An AIMS answers questions such as:

  • Who inside the organisation is accountable when an AI system produces a harmful outcome?
  • How do we know the data our models learned from was suitable and lawful?
  • Before an AI system goes live, who assessed its impact on the people it will affect?
  • Can a human override the system, and does anyone actually monitor it once deployed?
  • Do the people interacting with it know they are interacting with AI?

Certification means an independent auditor has verified you can answer those questions with evidence, not intention.

Who needs ISO 42001?

The standard applies to any organisation that provides or uses AI systems, regardless of size or sector. In practice this includes:

  • AI developers — organisations building models, algorithms or AI-enabled products
  • AI deployers — organisations embedding third-party AI into their own services, including large language models used for support, drafting or triage
  • Government and public-sector entities — where automated decisions affect citizens and transparency obligations are highest
  • Regulated industries — healthcare, financial services, insurance, transport and energy, where AI decisions carry safety or fairness consequences
  • Suppliers to enterprise or government buyers — where AI governance is increasingly a tender requirement

A common misconception is that ISO 42001 only applies to organisations that build models. It does not. If you rely on a third-party model to make or support decisions, that model is inside your scope — and the standard explicitly covers third-party and supplier relationships.

ISO 42001 requirements: clauses 4 to 10

ISO 42001 follows ISO's harmonised management-system structure, so its core requirements sit in clauses 4 through 10:

  • Clause 4 — Context of the organisation. Determine the internal and external issues affecting your AI, identify interested parties, and define the AIMS scope, including which AI systems and roles are covered.
  • Clause 5 — Leadership. Top management must own the AI policy, assign responsibilities and demonstrate commitment. AI governance cannot be delegated entirely to a technical team.
  • Clause 6 — Planning. Assess AI risks and opportunities, conduct AI system impact assessments, set objectives, and decide which Annex A controls apply.
  • Clause 7 — Support. Provide the resources, competence, awareness and documented information the AIMS needs.
  • Clause 8 — Operation. Run the AI system lifecycle under control: design, data handling, verification, deployment, monitoring and retirement.
  • Clause 9 — Performance evaluation. Monitor, measure, audit internally, and hold management reviews.
  • Clause 10 — Improvement. Address nonconformities and continually improve the system.

ISO 42001 Annex A controls

Annex A of ISO/IEC 42001:2023 contains 38 controls grouped under nine control objectives. Unlike security controls, these are governance and accountability controls. The main areas are:

  • AI policy — a documented, approved position on how AI is developed and used, reviewed at planned intervals
  • Internal organisation — defined roles, responsibilities and reporting for AI decisions
  • Resources for AI systems — accounting for data, tooling, computing and human resources
  • Assessing impacts of AI systems — evaluating consequences for individuals, groups and society before deployment
  • AI system lifecycle — controlled objectives, design, verification, validation, deployment, operation and monitoring
  • Data for AI systems — provenance, quality, preparation and governance of training and operational data
  • Information for interested parties — transparency about AI use, capabilities and limitations
  • Use of AI systems — responsible use, including human oversight and intervention
  • Third-party and customer relationships — allocating responsibility across the AI supply chain

As with other ISO management-system standards, you select the applicable controls based on your risk and impact assessments and justify any exclusions.

The ethical implications of ISO 42001 for AI systems

Most organisations already have AI principles. Very few can prove they follow them. The practical value of ISO 42001 is that it converts broad ethical commitments into requirements an auditor can test:

  • Fairness stops being a value statement and becomes a documented bias evaluation with recorded results.
  • Accountability stops being distributed and becomes a named owner for each AI system and its outcomes.
  • Transparency stops being optional and becomes a duty to inform users when AI is involved, and what its limitations are.
  • Human autonomy stops being assumed and becomes a control requiring that a person can meaningfully oversee, intervene in or override the system.
  • Safety stops being a launch-day check and becomes continuous monitoring across the AI lifecycle.

Importantly, ISO 42001 does not decide your ethics for you. It does not tell you what an acceptable level of bias is, or which use cases are off-limits. It requires that you define those positions, apply them consistently, evidence them, and improve them. The standard governs the process of being responsible — the judgement remains yours.

ISO 42001 and other ISO standards

ISO 42001 shares its clause 4–10 structure with ISO/IEC 27001, ISO 9001 and other management-system standards, which means it integrates cleanly rather than duplicating effort. The most common pairing is with information security.

If your organisation already holds ISO/IEC 27001, much of the foundational governance ISO 42001 expects — data governance, access control, supplier management — is already in place. For a full breakdown of what overlaps and what does not, read our guide on ISO 42001 vs ISO 27001, or explore all standards we certify on our ISO standards page.

How ISO 42001 certification works

Certification with an accredited body follows the same structure as any ISO management-system audit:

  • Application and scoping — we define which AI systems, sites and processes fall inside the AIMS
  • Stage 1 audit — a readiness review of your AI policy, risk and impact assessments, and documented controls
  • Stage 1 report — findings and any gaps to close before the main audit
  • Stage 2 audit — verification that the AIMS is implemented and effective in practice
  • Certification — your certificate is issued, valid for three years with annual surveillance audits

With UCS, fast-track certification is typically completed within 7–10 days from Stage 2 audit completion, and we return a quote within 3–4 hours of your enquiry.

What ISO 42001 delivers for UAE organisations

The UAE has placed AI at the centre of national policy through the UAE National Strategy for Artificial Intelligence 2031, which includes strong governance and effective regulation among its objectives. For organisations bidding on government work, demonstrable AI governance is moving from advantage to expectation.

UCS has already certified UAE public-sector entities to ISO/IEC 42001:2023, including Ajman Transport Authority and the Government of Dubai Legal Affairs Department.

Beyond tenders, certified organisations report clearer internal accountability for AI decisions, faster due-diligence responses from enterprise customers, and a defensible position when regulators ask how an automated decision was reached.

Frequently asked questions

Is ISO 42001 mandatory?

No. ISO 42001 is a voluntary standard. However, it is increasingly requested in procurement, particularly by government entities and enterprise buyers assessing AI supply-chain risk.

Can we certify if we only use third-party AI?

Yes. ISO 42001 covers AI you deploy as well as AI you build. Third-party and supplier relationships are explicitly addressed in Annex A.

How long does ISO 42001 certification take?

Once your AI management system is in place, UCS completes fast-track certification typically within 7–10 days from Stage 2 audit completion.

Do we need ISO 27001 first?

It is not a prerequisite, but it helps considerably. ISO 42001 auditors expect credible data governance and access controls, which an ISMS already provides. See our ISO 42001 vs ISO 27001 comparison.

Does ISO 42001 satisfy the EU AI Act?

No standard automatically confers legal compliance. ISO 42001 does produce the governance evidence — risk assessments, impact assessments, human oversight and lifecycle records — that regulators expect, which makes demonstrating compliance substantially easier.

How long is the certificate valid?

Three years, subject to annual surveillance audits confirming the AIMS remains effective.

Why Get ISO/IEC 42001:2023 Certified?

Achieve international recognition and unlock new opportunities with UCS UAE.

Internationally Recognised

Your certificate is accepted by governments, clients, and global partners worldwide.

Fast Turnaround

UCS UAE delivers certification efficiently — typically within 7–10 business days from Stage 2 audit completion.

Win More Contracts

Many government tenders and corporate procurement processes require ISO certification as a mandatory pre-qualification.

Expert Auditors

Our qualified, experienced auditors bring deep industry knowledge to every certification engagement.

Full Support

We guide you through every step — from application to certificate issuance and ongoing surveillance.

Trusted Certification Body

UCS is an internationally recognized certification body operating across international markets.

Internationally Recognized Accreditation

Ready to Get ISO/IEC 42001:2023 Certification?

Get a free assessment and tailored quote within 3–4 hours.

1000+ Businesses Certified
7–10 Day Certification
Quote in 3–4 Hours
UCS Assistant
Online — Typically replies instantly
Book a 15-Min Call
Speak directly with our certification team.
Powered by UCS