Last reviewed: May 2026 · 14 min read · Category: ISO Standards

ISO 42001: The Complete Guide to AI Management System Certification (2026)

What is ISO 42001?

ISO/IEC 42001:2023 is the first international management system standard for artificial intelligence. Published in December 2023, it defines a structured approach for organisations to govern the development, deployment, and operation of AI systems. The standard follows the same Harmonized Structure used by ISO 27001 and ISO 9001, which makes it familiar to teams already operating an information security or quality management system.

ISO 42001 is certifiable. An accredited certification body audits an organisation's AI management system (AIMS) against the standard's requirements and, if compliant, issues a certificate valid for three years subject to annual surveillance audits.

ISO 42001 at a glance

Published: December 2023
Scope: AI management system (AIMS)
Structure: 10 clauses + Annex A (39 controls in 9 categories)
Certification cycle: 3 years + annual surveillance audits
Typical timeline: 4-9 months to first certificate
Typical cost (Y1): €25,000 - €120,000 depending on size and scope
Accredited bodies: BSI, DNV, TÜV SÜD, LRQA, Bureau Veritas + national bodies

Who needs ISO 42001 certification?

There is no statutory requirement to obtain ISO 42001 certification. In practice, three groups are driving adoption in 2026. First, providers of AI systems selling into regulated sectors — healthcare, financial services, public administration — where buyers increasingly require evidence of structured AI governance. Second, deployers of high-risk AI systems under the EU AI Act, for whom ISO 42001 provides a defensible governance baseline. Third, large enterprises establishing a single internal AI governance standard across business units.

ISO 42001 and the EU AI Act: what is the relationship?

The EU AI Act and ISO 42001 are distinct instruments with overlapping scope. The AI Act is binding European law. ISO 42001 is a voluntary management system standard. The Act sets obligations; the standard provides a framework for meeting them. ISO 42001 certification does not, on its own, demonstrate conformity with the AI Act. However, an organisation that operates a certified AI management system covering its high-risk AI systems will be substantially better positioned to demonstrate compliance during a regulatory inspection. See our high-risk AI systems guide for the mapping.

The 10 clauses of ISO 42001

ISO 42001 contains ten clauses. Clauses 1 to 3 cover scope, references, and terms. Clauses 4 to 10 set the auditable management system requirements: organisational context, leadership, planning, support, operation, performance evaluation, and improvement. Annex A defines the control catalogue. See the full clause-by-clause walkthrough on ISO 42001 requirements.

Annex A: 39 controls in 9 categories

Ref | Category | Controls
A.2 | Policies related to AI | 2
A.3 | Internal organisation | 3
A.4 | Resources for AI systems | 6
A.5 | Assessing impacts of AI systems | 4
A.6 | AI system life cycle | 7
A.7 | Data for AI systems | 5
A.8 | Information for interested parties | 4
A.9 | Use of AI systems | 3
A.10 | Third-party and customer relationships | 5

Full descriptions on the dedicated Annex A controls page.

Certification process

Certification proceeds in four stages. A gap assessment establishes the starting point. The organisation implements the management system and Annex A controls. A Stage 1 audit reviews documentation; a Stage 2 audit assesses operational effectiveness. The certification body issues the certificate if both stages pass, with surveillance audits in years two and three. See our audit process guide for day-counts and the most common nonconformities, or the 9-step implementation roadmap.

How long does ISO 42001 certification take?

A first-time ISO 42001 certification typically takes between six and nine months from project kickoff to certificate issuance. Organisations with an existing ISO 27001 certification can move faster — often three to five months — because many supporting processes such as document control, internal audit, and management review are already in place. The largest variable is the time required to complete AI impact assessments across in-scope AI systems.

ISO 42001 certification cost

Total first-year cost typically ranges from €25,000 for a small SaaS company to €120,000 for a mid-sized enterprise. The certification audit itself accounts for roughly 20 to 35 percent of that total. Compliance automation software, internal staff time, and any external implementation support account for the remainder. See our dedicated guide on ISO 42001 certification cost for a detailed breakdown, or the lean path for startups in ISO 42001 for SMBs.

Which software supports ISO 42001 compliance?

Compliance automation platforms reduce the manual effort required to operate an ISO 42001 management system. Vanta, Drata, Sprinto, Secureframe, and Thoropass each released ISO 42001 framework support during 2025. OneTrust offers ISO 42001 as part of its broader AI Governance module. Coverage varies: some platforms automate evidence collection against most Annex A controls, others cover only a subset and leave the remainder to manual workflow.

Vanta released ISO 42001 framework support in 2025; it now sits alongside SOC 2 and ISO 27001 in the framework catalogue. Source: vanta.com (captured May 2026)

ISO 42001 vs ISO 27001: key differences

ISO 27001 governs information security; ISO 42001 governs artificial intelligence. The two standards share the Harmonized Structure, and most management system clauses are functionally equivalent. The differences lie in scope and in Annex A. ISO 27001's Annex A focuses on the confidentiality, integrity, and availability of information. ISO 42001's Annex A addresses AI-specific risks: fairness, transparency, accountability, the data on which models are trained, and the life cycle of AI systems from design through retirement.

For a more detailed comparison see our guide on ISO 42001 vs ISO 27001.

Where to go next

Implementing for the first time? Start with the gap assessment, then walk the 9-step roadmap. Scoping the impact assessment? See the AI system impact assessment guide. Building documents? Use the minimum document set.
