
ISO/IEC 42001

ISO/IEC 42001:2023, Information technology, Artificial intelligence, Management system

International standard

Verified May 5, 2026

Jurisdiction
International (ISO/IEC)
Effective
December 18, 2023
Who must comply
  • Voluntary; ISO/IEC standards are not binding by their own terms
  • Organizations seeking third-party certification of an AI Management System (AIMS)
  • Law firms procuring AI tools from vendors that hold or claim ISO/IEC 42001 certification, or considering certification themselves

Summary

ISO/IEC 42001:2023, published December 2023, is the first international management-system standard for artificial intelligence. It specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within an organization. Adoption is voluntary; conformance is certifiable by accredited third parties. The Colorado AI Act expressly cites ISO/IEC 42001 alongside the NIST AI RMF as a recognized risk-management framework against which a deployer's risk-management program is measured; compliance with the Act's deployer obligations, including that program, supports a rebuttable presumption of reasonable care.

This page is informational. It is not legal advice. Verify the primary source before relying on this entry in any compliance work or filing. State and federal rules may impose additional requirements; consult a licensed attorney admitted in the relevant jurisdiction.
On this page
  1. What is ISO/IEC 42001?
  2. Who must comply?
  3. What does ISO/IEC 42001 require?
  4. What does compliance documentation look like?
  5. How does ISO/IEC 42001 interact with NIST AI RMF and the EU AI Act?
  6. Primary sources

What is ISO/IEC 42001?

ISO/IEC 42001:2023, “Information technology, Artificial intelligence, Management system,” is the first international management-system standard for AI. ISO and IEC jointly developed it and published it in December 2023. Its Annex SL high-level structure is shared with ISO 9001 (quality management), ISO/IEC 27001 (information security), and ISO 14001 (environmental management).

An Artificial Intelligence Management System (AIMS) is the standard’s central artifact. It is a documented set of policies, processes, roles, and controls used to manage AI risks across the AI lifecycle. Compliance is voluntary. An organization may self-attest, or pursue third-party certification through an accredited certification body.

Law firms use the standard in two ways. On the procurement side, vendor claims of ISO/IEC 42001 certification (verifiable through the certification body’s registry) give an external check on the vendor’s AI governance maturity. On the defensive side, a firm that obtains certification itself signals to malpractice carriers, regulators, and clients that its AI program is anchored in an internationally recognized framework.

Who must comply?

No one is bound by the standard’s own terms. Adoption is discretionary. Three patterns drive practical relevance:

Vendor-side adoption. AI tool vendors increasingly seek ISO/IEC 42001 certification as a competitive signal, paralleling the role ISO/IEC 27001 plays in security. Treat the certification as one input among many during vendor due diligence. Verify the certificate against the certification body's public registry, confirm that the certification body is itself accredited to certify against ISO/IEC 42001 (a certificate from an unaccredited body carries little weight), and confirm the scope statement names the product, service, and legal entity the firm is actually procuring. A certificate scoped to a vendor's internal operations says nothing about the governance of the specific tool on offer.

Firm-side adoption. Larger law firms with existing information-security or quality programs are positioned to add an AIMS as an extension of those programs. Because ISO/IEC 42001 shares an Annex SL structure with ISO/IEC 27001, a firm holding 27001 already has most of the framework infrastructure.

Regulator and statute reference. The Colorado AI Act expressly cites ISO/IEC 42001 alongside the NIST AI RMF as a recognized risk-management framework against which a deployer's risk-management program is measured, and compliance with the Act's deployer obligations supports a rebuttable presumption of reasonable care. Either framework, or another nationally or internationally recognized one, is acceptable under the Act. Other state AI regulations may adopt similar reference language.

What does ISO/IEC 42001 require?

AI management is organized around the Plan-Do-Check-Act cycle inherited from the Annex SL family:

Context, leadership, and planning. Define the organization’s AI scope, its interested parties, and the AI risks the AIMS addresses. Establish leadership accountability and an AI policy. Plan to address AI risks and opportunities.

Support and operation. Provide resources, competence, awareness, and documented information. Operate an AI risk-assessment and AI-system-impact-assessment process. Manage AI-system lifecycle activities including data acquisition, system development, deployment, and decommissioning. Manage AI-system supplier relationships.

Performance evaluation. Monitor, measure, analyze, and evaluate the AIMS. Conduct internal audits and management reviews.

Improvement. Take corrective action when nonconformities arise. Continually improve the AIMS.

Annex A provides a reference set of controls grouped into nine domains: AI policies, internal organization for AI, resources, AI-system impact assessment, AI-system lifecycle, data, information for interested parties, AI system use, and third-party relationships.

What does compliance documentation look like?

Whether or not certification is on the table, an organization implementing ISO/IEC 42001 maintains the same documentation set:

  • A scope statement defining the AI activities and systems covered by the AIMS.
  • An AI policy approved by leadership, including the organization’s commitment to fairness, transparency, and accountability.
  • A risk register and an AI-system impact-assessment record per AI system in scope.
  • Lifecycle records covering each AI system’s design, data handling, validation, deployment, monitoring, and retirement.
  • Supplier-management records for third-party AI components and tools.
  • Internal audit records and management-review minutes.

Third-party certification adds an initial audit performed by an accredited certification body, followed by annual surveillance audits and a full recertification audit at the end of the usual three-year certification cycle. Each certificate is issued with a defined scope statement, and an expired or withdrawn certificate is no longer evidence of anything. Firms procuring from certified vendors should read that scope statement, and check the certificate's validity dates and status in the registry, before relying on the certificate.

How does ISO/IEC 42001 interact with NIST AI RMF and the EU AI Act?

These three frameworks are complementary, not competing. ISO/IEC 42001 is a management-system standard: certifiable, documentation-heavy, lifecycle-oriented. NIST AI RMF 1.0 is voluntary and principle-based, not certifiable, and more flexible in application. By contrast, the EU AI Act is law: prescriptive, conformity-assessment-based, and limited to in-scope EU activity.

Holding ISO/IEC 42001 certification gives a firm the documentation infrastructure to demonstrate AI RMF alignment with modest additional mapping work, since both are organized around governing, mapping, measuring, and managing AI risk across the lifecycle. It also produces much of the organizational risk-management documentation that the EU AI Act expects for in-scope high-risk systems. Two caveats apply. ISO/IEC 42001 is not a harmonised standard under the EU AI Act, so certification does not by itself establish conformity, and the Act's obligations attach to specific systems and roles (provider, deployer) rather than to the organization's management system. Reverse mapping is less complete: AI RMF adoption alone does not produce a certifiable AIMS, and EU AI Act compliance covers only in-scope systems.

For a US firm without a 27001 baseline, ISO/IEC 42001 is the most demanding of the three to implement. With a 27001 baseline already in place, it is the cheapest extension.

Primary sources

  • ISO/IEC 42001:2023, Information technology, Artificial intelligence, Management system, published December 2023: iso.org/standard/81230.html.


Last verified against primary sources: May 5, 2026.