ISO 42001 requirements: What your AI management system must cover
ISO 42001 sets out what your organisation needs to manage AI responsibly. To achieve certification, you'll need to meet the requirements in Clauses 4-10 and implement an effective AI Management System.
With Tempo's remote-first audit approach, you can start your ISO 42001 certification journey quickly and achieve certification with minimal disruption to your business.
What are the ISO 42001 requirements?
ISO 42001 is the first international standard for Artificial Intelligence Management Systems (AIMS). It provides a framework for building, deploying, and using AI responsibly while managing the risks that come with it. To achieve certification, your AI Management System must meet the requirements set out in:
- Clauses 4-10 - The mandatory requirements covering governance, leadership, risk management, support, operations, performance evaluation and continual improvement.
- Annex A - A catalogue of AI controls that help organisations manage AI-specific risks. You'll need to apply the controls that are relevant to your organisation and justify those that aren't.
Who is it for?
Any organisation that develops, deploys, or uses AI can certify against ISO 42001, including:
- SaaS companies
- AI product teams
- Software developers
- Enterprise technology functions
- Organisations embedding AI into their existing products or services
Important note: The ISO 42001 certification isn't just about having policies on paper. You'll need to provide evidence that your AI Management System complies with every applicable requirement and that your processes work in practice.
Quick facts about ISO 42001 requirements
ISO 42001 clauses: Inside the ISO 42001 requirements
Clauses 4 to 10 form the operational core of ISO 42001. These are the mandatory requirements every organisation must meet to achieve certification. If you've already worked with standards like ISO 27001 or ISO 9001, many of the clause structures will feel familiar. The difference is that ISO 42001 introduces AI-specific requirements, such as AI risk management, AI impact assessments, and governance for the entire AI lifecycle.
Clause 4: Context of the organisation
Before anything else, you need to understand how AI fits into your business.
You'll need to:
- Define the scope of your AI Management System (AIMS)
- Identify internal and external issues that affect AI
- Understand the needs of customers, regulators and other interested parties
An auditor will look for:
- A clearly documented AIMS scope
- A stakeholder register
- Evidence that AI-related risks were considered when defining the scope
Clause 5: Leadership
Leadership must actively support the AI Management System. This isn't something that can sit solely with the IT team.
You'll need to:
- Establish an AI policy
- Assign roles and responsibilities
- Demonstrate leadership commitment
- Embed AI governance into decision-making
An auditor will look for:
- An approved AI policy
- Defined governance roles
- Evidence that leadership regularly reviews the AIMS
Clause 6: Planning
This clause focuses on identifying AI risks and planning how you'll manage them.Unlike many other ISO standards, ISO 42001 introduces the requirement for an AI impact assessment, helping organisations consider ethical, legal and societal impacts alongside technical risks.
You'll need to:
- Identify AI risks and opportunities
- Complete AI impact assessments where appropriate
- Set measurable AI objectives
- Plan actions to address risks
An auditor will look for:
- An AI risk register
- Completed AI Impact Assessments
- Documented objectives with owners and review dates
Clause 7: Support
Your AI Management System only works if people understand it and have the right resources.
You'll need to:
- Ensure staff are competent
- Deliver AI awareness and training
- Control documented information
- Establish clear internal and external communication
An auditor will look for:
- Training records
- Competency evidence
- Document control procedures
- Communication plans
Clause 8: Operation
This is where the AI Management System moves from policy into practice. Clause 8 covers how AI systems are designed, developed, deployed, monitored, and, where necessary, retired. It also includes controls for third-party AI providers and suppliers.
You'll need to:
- Manage the AI lifecycle
- Implement operational controls
- Assess third-party AI risks
- Monitor AI system performance
An auditor will look for:
- Operational procedures
- Supplier assessments
- Development and deployment records
- Evidence that AI systems are controlled throughout their lifecycle
Clause 9: Performance evaluation
You can't improve what you don't measure. This clause requires organisations to monitor whether the AI Management System is achieving its objectives.
You'll need to:
- Monitor and measure performance
- Conduct internal audits
- Hold management reviews
- Track improvement opportunities
An auditor will look for:
- Internal audit reports (delivered by a competent and independent internal auditor)
- Management review minutes (meeting all the inputs and outputs set-out in the ISO 42001 standard)
- KPIs and performance metrics
- Evidence that issues are followed up
Clause 10: Improvement
Certification isn't the finish line. ISO 42001 expects continual improvement. When issues are identified, organisations must investigate the cause, fix the problem, and prevent it from happening again.
You'll need to:
- Record nonconformities
- Take corrective action
- Improve the effectiveness of the AIMS over time
An auditor will look for:
- Corrective action records
- Root cause analysis
- Evidence that improvements have been implemented and reviewed
ISO 42001 Annex A: The supporting controls
Think of Clauses 4-10 as the what and Annex A as the how. While the clauses tell you what your AI Management System must achieve, Annex A provides 38 practical controls across nine control objectives (A.2-A.10) to help you put those requirements into action.These controls cover every stage of responsible AI management, including:
- AI policies and governance
- AI risk and impact management
- Data quality and data governance
- AI system development and lifecycle management
- Transparency and information for users
- Human oversight and accountability
- Third-party AI products and supplier management
- Monitoring, review and continual improvement
Not every control will apply to every organisation. Instead, you'll assess your AI systems, identify the risks, and decide which controls are needed. If a control isn't relevant, you'll need to document why. This risk-based approach gives organisations the flexibility to build an AI Management System that reflects how they actually use AI, rather than following a one-size-fits-all checklist.Want to explore every control in detail? See our ISO 42001 controls list, where we break down each Annex A control, what it covers and what auditors expect to see during certification.
ISO 42001 requirements vs ISO 27001 requirements: What changes?
If your organisation already holds ISO 27001, you're already familiar with the management system structure. ISO 42001 follows many of the same principles but introduces additional requirements to govern AI responsibly throughout its lifecycle.
Reviews
Trusted by fast-moving tech teams across the world who value a more human audit experience.

FAQs
Trusted by fast-moving tech teams across the world who value a more human audit experience.
ISO 42001 has two main parts:
- Clauses 4-10 set out the mandatory requirements for your AI Management System (AIMS).
- Annex A contains 38 supporting controls across nine control objectives.
One of the biggest differences from other ISO standards is Clause 6, which introduces AI impact assessments. These help organisations identify and manage the broader impacts of AI, including fairness, transparency, accountability, and potential harm. To achieve certification, you'll need to provide objective evidence that your AI Management System meets every applicable clause and that the relevant Annex A controls are implemented effectively.
Start by choosing a UKAS-accredited certification body in the UK or a certification body accredited by another recognised European accreditation body, such as DAkkS in Germany. Accreditation means the certification body has been independently assessed for competence, impartiality and consistency.When comparing providers, look for:
- UKAS or equivalent European accreditation
- Experience auditing AI and technology companies
- Auditors with AI governance and technical expertise
- A clear, transparent audit process
- Flexible delivery, including remote audits where appropriate
Technology companies should look beyond price and consider the auditor's experience with AI systems, SaaS businesses, and software development environments. A good certification body should offer:
- UKAS accreditation (or equivalent quality accreditation)
- Auditors with AI and technology expertise
- Experience auditing software, SaaS and AI organisations
- A consistent, risk-based audit approach
- An efficient audit process that works around modern engineering teams
Tempo Audits specialises in certifying technology businesses. Our UKAS-accredited, remote-first audit model is designed for organisations developing, deploying, and using AI, combining technical expertise with an efficient and impartial certification process.
The preparation stage can take a few months for most organisations. Once the audit process begins, clients typically receive their ISO 42001 certificate within one month of starting the Stage 1 audit. This usually includes a 2 to 3 week gap before Stage 2, followed by a further 3 to 7 days for the certificate and audit report to be issued, assuming everything is in order.
ISO 27001 helps organisations manage information security. ISO 42001 builds on the same management system approach but focuses specifically on the responsible governance of AI.ISO 42001 introduces additional requirements, including:
- AI impact assessments
- AI lifecycle management
- AI governance and accountability
- Transparency and human oversight
- AI-specific risk management
If your organisation already holds ISO 27001, many management system requirements overlap. This can reduce duplicate audit effort, and in some cases, integrated audits may reduce overall audit time by up to 20%, depending on your certification scope.
Book a call
No forms, no faff – just a conversation and a quote. Prefer to skip straight to it? Fill out the application form and we'll get moving.
Alternatively, if you have all the details,
fill out this form here.





