ISO 42001 requirements explained
- ISO 42001 requirements are split into management-system clauses and AI-specific annex controls.
- The clauses (context, leadership, planning, support, operation, evaluation, improvement) define the operating system.
- The annex controls address specific AI risks; organisations apply those relevant to their context.
- Certification requires both a working management system and the relevant controls, kept current and evidenced.
- Current as of June 2026. This is general information, not legal advice.
The management-system clauses
Like other ISO management-system standards, ISO 42001 is structured around a familiar set of clauses:
- Context of the organisation: Understand your organisation, the interested parties, and the scope of your AI management system.
- Leadership: Demonstrate top-management commitment, establish an AI policy, and assign roles and responsibilities.
- Planning: Assess AI-related risks and opportunities, set objectives, and plan how to achieve them. This includes an AI risk assessment and, where relevant, AI system impact assessments.
- Support: Provide the resources, competence, awareness, communication, and documented information the system needs.
- Operation: Plan and control the processes that govern AI across its lifecycle, applying the necessary controls.
- Performance evaluation: Monitor and measure the system, conduct internal audits, and hold management reviews.
- Improvement: Address nonconformities and continually improve the management system.
These clauses define the ongoing operating system. They follow the same shape as the clauses of ISO 27001, which is why organisations with an existing information security management system (ISMS) find ISO 42001 familiar.
The AI-specific controls
Alongside the clauses, ISO 42001 includes an annex of controls specific to AI. These address areas such as AI risk management, the data used for AI, transparency and information for users, the AI system lifecycle, and the responsible use and oversight of AI. Organisations select and apply the controls relevant to their context, and document which controls they have applied and why, in the same way that the Statement of Applicability is used in ISO 27001.
How the two parts work together
The clauses tell you how to run the management system; the controls tell you what specific AI risks to address within it. A certified organisation has both a working management system (the clauses) and the relevant AI-specific controls in place (the annex). Neither alone is sufficient: a strong management system that ignores AI-specific risks, or a set of controls without a system to run them, would not meet the standard.
Meeting the requirements in practice
The practical task is to build a real, operating management system and to apply the controls that fit your AI, then to keep both current and evidenced. The difficulty is sustaining this as your AI estate grows, since the risk assessments, controls, and evidence must stay connected to the systems they govern. Organisations that meet the requirements smoothly treat the management system as a living, connected practice rather than a set of documents assembled for an audit.
Key terms
- Management-system clauses: The clauses (context, leadership, planning, support, operation, evaluation, improvement) common to ISO management standards.
- Annex A controls: ISO 42001's AI-specific controls applied within the management system.
- Statement of Applicability: The document recording which controls have been applied and why, including exclusions.
- Continual improvement: The expectation that the system is monitored, audited, and improved over time.