ISO 42001: What UK Businesses Need to Know

A plain-English guide to ISO/IEC 42001, the international standard for AI management systems. Covers requirements, certification process, costs, and how it relates to ISO 27001 for UK businesses.

ISO 42001 (formally ISO/IEC 42001:2023) is the international standard for artificial intelligence management systems, published in December 2023 (ISO, 2023). It provides a certifiable framework for organisations to establish, implement, maintain, and continually improve how they manage AI systems. The standard follows the same harmonised structure (Annex SL) as ISO 27001 (information security) and ISO 9001 (quality management), so businesses already certified to those standards will find its clause layout familiar. For UK businesses, ISO 42001 certification demonstrates AI governance maturity to enterprise clients, regulators, and insurers. Note the distinction between adopting the standard and being certified to it: certification requires a third-party audit by an accredited certification body, which makes it more resource-intensive than voluntary, non-certifiable frameworks such as the NIST AI RMF.

What is ISO 42001?

ISO 42001 specifies the requirements for an AI management system (AIMS): the policies, processes, and controls an organisation uses to govern its development, provision, and use of AI systems (BSI, 2024). Unlike the NIST AI RMF, which is a voluntary risk framework with no certification scheme, ISO 42001 is a management system standard. The distinction matters: a management system standard defines what you must have in place and what evidence you must retain, and an accredited auditor verifies that you have it and that it is operating.

The standard applies to any organisation involved in developing, providing, or using AI systems — regardless of size, sector, or type of AI. It is technology-neutral and does not prescribe specific technical approaches. Instead, it requires you to define your own AI objectives, assess risks, implement controls, and demonstrate continual improvement.

Key requirements of ISO 42001

The standard follows the Annex SL structure used across modern ISO management system standards. The core clauses are:

  • Clause 4 — Context: Understand your organisation's context, the needs and expectations of interested parties (clients, regulators, employees), and the scope of your AIMS.
  • Clause 5 — Leadership: Top management must demonstrate commitment, establish an AI policy, and assign roles and responsibilities.
  • Clause 6 — Planning: Identify risks and opportunities, set AI objectives, and plan how to achieve them.
  • Clause 7 — Support: Ensure adequate resources, competence, awareness, and documented information.
  • Clause 8 — Operation: Implement the processes needed to meet AI objectives and manage AI system lifecycles.
  • Clause 9 — Performance evaluation: Monitor, measure, analyse, and evaluate the effectiveness of your AIMS. Conduct internal audits and management reviews.
  • Clause 10 — Improvement: Address nonconformities, take corrective action, and continually improve.

In addition, Annex A provides a set of reference controls (similar to Annex A in ISO 27001) covering AI-specific areas: AI policy, internal organisation and resources for AI, AI system impact assessment, the AI system lifecycle, data management, information for interested parties (transparency), use of AI systems, and third-party and customer relationships. As in ISO 27001, the controls are not a checklist to adopt wholesale: you select them through risk treatment and record which apply, and why, in a Statement of Applicability. An auditor will expect a justification for any control you have excluded.

How ISO 42001 relates to ISO 27001 and ISO 9001

All three standards use the Annex SL high-level structure. This means the management system framework (context analysis, leadership commitment, planning, support, operation, performance evaluation, and improvement) follows the same clause layout in each. The difference is the subject matter and the control set:

  • ISO 27001: Information security controls
  • ISO 9001: Quality management controls
  • ISO 42001: AI management controls

If your business is already certified to ISO 27001 or ISO 9001, you can extend your existing management system rather than building a new one. The internal audit processes, management review cycles, document control systems, and corrective action procedures carry across directly. You add AI-specific policies, risk assessments, and controls on top of what you already have.

Who needs ISO 42001 certification?

ISO 42001 is voluntary. No UK law requires it. However, certification is increasingly relevant for businesses that:

  • Supply AI systems or AI-enabled services to enterprise clients who include AI governance in their vendor due diligence
  • Bid for public sector contracts where AI governance standards may be specified
  • Operate in regulated sectors (financial services, healthcare, legal) where demonstrable AI governance may be required by sector regulators
  • Want to differentiate from competitors by demonstrating independently verified AI governance
  • Need to satisfy cyber insurers who increasingly ask about AI governance maturity

For most UK SMEs that use AI tools rather than develop them, ISO 42001 certification is not an immediate priority. The AI Management Essentials (AIME) self-assessment or the NIST AI RMF are more proportionate starting points.

The certification process

ISO 42001 certification follows the standard ISO certification pathway. Before engaging a certification body, check that its accreditation scope (in the UK, through UKAS) covers ISO/IEC 42001 specifically; a certificate issued by a body without accreditation for this standard is unlikely to satisfy the clients, regulators, or insurers you are certifying for.

  1. Gap analysis: Assess your current state against ISO 42001 requirements. Identify what you already have and what needs building.
  2. Implementation: Build or extend your management system — AI policy, risk assessment, controls, documentation, staff training.
  3. Internal audit: Conduct an internal audit to verify your AIMS meets the standard before the external audit.
  4. Stage 1 audit: The certification body reviews your documentation to confirm your AIMS is designed to meet the standard.
  5. Stage 2 audit: The certification body assesses whether your AIMS is effectively implemented and operating as documented.
  6. Certification decision: If both stages pass, and any major nonconformities raised at Stage 2 have been closed, you receive your ISO 42001 certificate. It is valid for three years.
  7. Surveillance audits: Annual audits to confirm ongoing compliance.
  8. Recertification: Full recertification audit every three years.

Preparing your business for ISO 42001

Whether or not you plan to certify, the preparation activities are valuable governance exercises:

  1. Inventory your AI systems. Document every AI tool your organisation uses, develops, or provides, including AI embedded in existing software (for example, assistants built into productivity suites or CRM platforms). An AI tools audit is the starting point, and the scope you later define for your AIMS depends on this inventory being complete.
  2. Write an AI policy. ISO 42001 requires a documented AI policy approved by top management. Your acceptable use policy is a good foundation to build on, but the AI policy must also cover systems you develop or provide, not only the tools staff use.
  3. Conduct AI risk and impact assessments. ISO 42001 distinguishes an AI risk assessment (risks to the organisation and its objectives) from an AI system impact assessment (potential consequences for individuals, groups, and society). For each AI system, document both. Use the NIST AI RMF categories as a starting framework for structuring the assessments.
  4. Define AI objectives. What does your organisation want from AI? What outcomes are you managing towards? These must be measurable, because Clause 9 requires you to monitor and evaluate progress against them.
  5. Establish competence. Ensure the people involved in AI governance understand their roles and have the knowledge to fulfil them, and keep records of training, since competence is evidence an auditor will ask for.

How Governably helps build towards ISO 42001 readiness

Governably automates the AI tools discovery, data access mapping, and credential exposure assessment that form the foundation of your AI inventory, the essential first step for any ISO 42001 implementation. Rather than spending weeks manually cataloguing tools, run a free scan to get a baseline view of your organisation's AI tool landscape, email security, and credential exposure in minutes.

Frequently Asked Questions

Is ISO 42001 mandatory in the UK?

No. ISO 42001 is a voluntary international standard. No UK law requires certification. However, enterprise clients, public sector procurement, and regulated industries are increasingly asking suppliers to demonstrate ISO 42001 certification or progress towards it as part of due diligence on AI governance.

How much does ISO 42001 certification cost?

Costs vary by organisation size and complexity. For a small business (under 50 employees), expect £10,000–£25,000 for initial certification including consultancy support, internal preparation, and the certification audit itself. Annual surveillance audits add £3,000–£8,000 per year. These are indicative ranges — get quotes from accredited certification bodies like BSI, LRQA, or Bureau Veritas.

How long does it take to get ISO 42001 certified?

For an organisation with no existing management system, expect six to twelve months from start to certification. If you already hold ISO 27001 or ISO 9001, the timeline shortens to three to six months because the management system infrastructure is already in place and ISO 42001 uses the same Annex SL structure.

Do I need ISO 27001 before ISO 42001?

No — they are independent standards. However, ISO 27001 provides a strong foundation because both use the Annex SL high-level structure. Organisations already certified to ISO 27001 will find ISO 42001 implementation significantly easier, as the management system framework, internal audit processes, and management review structures can be extended rather than built from scratch.

Can a small business achieve ISO 42001 certification?

Yes, but the cost and effort may not be proportionate for very small businesses. ISO 42001 requires a documented management system, internal audits, management reviews, and a third-party certification audit. For businesses under 20 employees, the AI Management Essentials (AIME) self-assessment is a more proportionate starting point that builds towards ISO 42001 readiness over time.

Sources

  1. ISO. ISO/IEC 42001:2023 — Artificial intelligence management system. iso.org
  2. BSI. ISO 42001 — AI Management System Standard. bsigroup.com
  3. DSIT. AI regulation: a pro-innovation approach. gov.uk
  4. ICO. Explaining decisions made with AI. ico.org.uk