Hael

ISO 42001 requirements explained

Updated 30 June 2026 · 7 min read
Key takeaway
The requirements of ISO 42001 fall into two parts: the management-system clauses that define how you run an AI management system, and the AI-specific controls in the standard's annex that address particular AI risks. To be certified, an organisation must meet the clause requirements and apply the relevant controls. This guide walks through both at a practical level.
  • ISO 42001 requirements split into management-system clauses and AI-specific annex controls.
  • The clauses (context, leadership, planning, support, operation, evaluation, improvement) define the operating system.
  • The annex controls address specific AI risks; organisations apply those relevant to their context.
  • Certification requires both a working management system and the relevant controls, kept current and evidenced.
  • Current as of June 2026. This is general information, not legal advice.

The management-system clauses

Like other ISO management-system standards, ISO 42001 is structured around a familiar set of clauses:

  • Context of the organisation: Understand your organisation, the interested parties, and the scope of your AI management system.
  • Leadership: Demonstrate top-management commitment, establish an AI policy, and assign roles and responsibilities.
  • Planning: Assess AI-related risks and opportunities, set objectives, and plan how to achieve them. This includes an AI risk assessment and, where relevant, AI system impact assessments.
  • Support: Provide the resources, competence, awareness, communication, and documented information the system needs.
  • Operation: Plan and control the processes that govern AI across its lifecycle, applying the necessary controls.
  • Performance evaluation: Monitor and measure the system, conduct internal audits, and hold management reviews.
  • Improvement: Address nonconformities and continually improve the management system.

These clauses define the ongoing operating system. They share their shape with the clauses of ISO 27001, which is why organisations with an existing ISMS find ISO 42001 familiar.

The AI-specific controls

Alongside the clauses, ISO 42001 includes an annex of controls specific to AI. These address areas such as AI risk management, the data used for AI, transparency and information for users, the AI system lifecycle, and the responsible use and oversight of AI. Organisations select and apply the controls relevant to their context, and document which they have applied and why, similar to the Statement of Applicability approach used in ISO 27001.

How the two parts work together

The clauses tell you how to run the management system; the controls tell you which specific AI risks to address within it. A certified organisation has both a working management system (the clauses) and the relevant AI-specific controls in place (the annex). Neither alone is sufficient: a strong management system that ignores AI-specific risks, or a set of controls without a system to run them, would not meet the standard.

Meeting the requirements in practice

The practical task is to build a real, operating management system and to apply the controls that fit your AI, then to keep both current and evidenced. The difficulty is sustaining this as your AI estate grows, since the risk assessments, controls, and evidence must stay connected to the systems they govern. Organisations that meet the requirements smoothly treat the management system as a living, connected practice rather than a set of documents assembled for an audit.

Key terms

Management-system clauses
The clauses (context, leadership, planning, support, operation, evaluation, improvement) common to ISO management standards.
Annex A controls
ISO 42001's AI-specific controls applied within the management system.
Statement of Applicability
The document recording which controls have been applied and why, including exclusions.
Continual improvement
The expectation that the system is monitored, audited, and improved over time.
