What are the main requirements to get ISO 42001-certified? (clauses 4–10 + Annex A)

by SecureSlate Team in ISO 42001

To become ISO 42001-certified, your organization must implement and operate an AI management system (AIMS) that satisfies the management system requirements in clauses 4–10, apply the Annex A controls your risk treatment selects (and justify, in the Statement of Applicability, any you exclude), and then pass an audit by an accredited certification body.



Key takeaways

  • Clauses 4–10 define how you run AI governance: context and scope, leadership, risk-based planning, support, operation, performance evaluation, and improvement.
  • Annex A provides AI-specific reference controls; you select them through risk treatment and record each inclusion or exclusion, with justification, in the Statement of Applicability.
  • Certification is third-party: an accredited certification body audits you. Self-attestation does not count.
  • Many teams reuse ISO 27001/SOC 2 evidence (access control, supplier management, incident handling, internal audit, management review) in the AIMS rather than producing it again.

AIMS management clauses (4–10)

Clause  Theme                   What you demonstrate
4       Context                 AI use cases, interested parties, legal and regulatory drivers, AIMS scope
5       Leadership              Top-management accountability, AI policy, roles and responsibilities
6       Planning                AI risk assessment and treatment, AI system impact assessment, AI objectives, planning of changes
7       Support                 Resources, competence, awareness, communication, documented information
8       Operation               Operational planning and control across the AI system lifecycle, suppliers, incident handling
9       Performance evaluation  Monitoring and measurement, internal audit, management review
10      Improvement             Nonconformities and corrective action, continual improvement

Annex A AI controls

Annex A is a reference catalog of AI-specific controls grouped by theme: AI policies, internal organization, resources for AI systems (data, models, compute, people), assessing impacts of AI systems, the AI system lifecycle, data for AI systems, information for interested parties (transparency), use of AI systems, and third-party and customer relationships. You implement controls in proportion to the risks identified under clause 6, and the Statement of Applicability must list every Annex A control with a justification for including or excluding it. Auditors check that exclusions are defensible and that included controls actually operate, not that every control is in place.


Certification process

Typical path: gap assessment → implement and operate the AIMS (auditors want records of it running, not only documents) → internal audit and management review → Stage 1 audit (documentation and readiness review) → Stage 2 audit (evidence that the controls operate as stated) → certificate, followed by surveillance audits (typically annual) and a recertification audit at the end of the certificate cycle (typically three years).



Disclaimer (legal note)

Certification body requirements may vary. Not legal or audit advice.

