1. Introduction
Artificial intelligence is transforming every industry, from healthcare and finance to manufacturing and public services. But with the tremendous potential of AI comes a pressing need for governance, accountability, and trust. Organizations deploying AI systems face growing pressure from regulators, customers, and stakeholders to demonstrate that their AI is developed and used responsibly.
ISO/IEC 42001:2023 is the world's first international standard for an Artificial Intelligence Management System (AIMS). Published in December 2023, it provides a structured, certifiable framework that helps organizations of any size and sector manage the opportunities and risks associated with AI throughout the entire system lifecycle.
Whether you are a technology company building AI products, an enterprise integrating AI into your operations, or a public sector body deploying AI for decision-making, ISO 42001 gives you a proven management system approach to govern AI responsibly and demonstrate that commitment to the world through third-party certification.
This guide covers everything you need to know about ISO 42001:2023 — what the standard requires, how each clause works, what the certification process looks like step by step, and the tangible benefits your organization gains from certification. By the end, you will have a clear roadmap from initial assessment to certified AIMS.
2. What ISO 42001 Covers
Purpose and Scope
ISO/IEC 42001:2023 specifies the requirements for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS) within the context of an organization. Its purpose is to help organizations manage AI-related risks and opportunities in a systematic, repeatable, and auditable way.
The standard is deliberately broad in scope. It applies to any organization that develops, provides, or uses AI-based products or services. This includes companies that build AI models, organizations that integrate third-party AI into their workflows, cloud providers offering AI as a service, and even organizations that commission AI solutions from vendors. The standard does not prescribe specific technical approaches; instead, it focuses on management system processes that ensure AI is governed appropriately regardless of the underlying technology.
Published by ISO/IEC JTC 1/SC 42
ISO 42001 was developed by the Joint Technical Committee 1, Subcommittee 42 (JTC 1/SC 42), the ISO/IEC subcommittee dedicated to artificial intelligence. SC 42 brings together international experts in AI, data governance, and management systems to create standards that reflect global best practices. The standard was officially published on December 18, 2023, making it the definitive international benchmark for AI governance.
Annex SL High-Level Structure
Like other modern ISO management system standards (ISO 27001, ISO 9001, ISO 14001), ISO 42001 follows the Annex SL harmonized structure. This means it uses the same high-level clause framework — from Context of the Organization through Improvement — that organizations already know from other ISO certifications. This design makes it straightforward to integrate an AIMS with existing management systems, reducing duplication of effort and enabling combined audits.
Because ISO 42001 follows the Annex SL structure, organizations already certified to ISO 27001 (information security) or ISO 9001 (quality) will find many familiar requirements. Policies, risk management processes, internal audits, and management reviews share a common foundation, which significantly reduces the effort needed to implement an AIMS alongside existing management systems.
Applicable to Any Organization
ISO 42001 is technology-agnostic and sector-agnostic. A startup building a machine learning platform, a hospital using AI-assisted diagnostics, a bank deploying credit-scoring algorithms, and a government agency automating permit processing can all implement and certify an AIMS. The standard scales to the complexity and risk profile of the organization's AI activities.
3. Standard Structure: Clause by Clause
ISO 42001 is organized into ten clauses plus annexes. Clauses 1 through 3 cover scope, normative references, and terms and definitions. Clauses 4 through 10 contain the certifiable requirements. Of the annexes, only Annex A (the controls reference) is normative; the others, including the implementation guidance in Annex B, are informative and cannot themselves be the basis of an audit finding. Here is what each requirement clause addresses:
Clause 4: Context of the Organization
Clause 4 requires the organization to understand its internal and external context as it relates to AI. This means identifying factors that affect the AIMS — regulatory requirements, market expectations, technological capabilities, ethical considerations, and organizational culture. The organization must also identify interested parties (stakeholders such as customers, regulators, employees, affected communities) and their requirements related to AI.
Based on this analysis, the organization defines the scope of its AIMS — which AI activities, products, and services are covered — and establishes the AI Management System itself, including its processes and their interactions.
Clause 5: Leadership
Top management must demonstrate leadership and commitment to the AIMS. This includes establishing an AI policy that sets the direction for responsible AI use, ensuring that AIMS objectives are compatible with the organization's strategic direction, and integrating AIMS requirements into business processes.
Leadership must also assign clear roles, responsibilities, and authorities for the AIMS. This is not a task that can be delegated to IT alone — it requires visible executive sponsorship and cross-functional accountability.
Clause 6: Planning
Planning is where the organization addresses risks and opportunities related to AI. This includes:
- Risk assessment: Identifying, analyzing, and evaluating risks associated with the AI Management System itself and with the organization's AI activities.
- AI risk treatment: Selecting appropriate controls to treat identified AI risks, using the controls reference in Annex A as a starting point and producing a Statement of Applicability.
- AI objectives: Establishing measurable objectives for the AIMS and planning how to achieve them, including what resources are needed and who is responsible.
The planning process ensures that AI governance is proactive rather than reactive, embedding risk-based thinking into every decision about AI development and deployment.
Clause 7: Support
Clause 7 addresses the enabling resources the AIMS needs to function effectively:
- Resources: The organization must determine and provide the resources (people, technology, budget) needed for the AIMS.
- Competence: Persons working within the AIMS must have the necessary competence, achieved through education, training, or experience. This extends to AI-specific skills such as data science, ethics, and impact assessment.
- Awareness: Everyone in the organization must be aware of the AI policy, their contribution to the AIMS, and the implications of not conforming to AIMS requirements.
- Communication: The organization must determine internal and external communication needs related to the AIMS.
- Documented information: Proper documentation must be created, maintained, and controlled — including policies, procedures, risk assessments, and records of AI system decisions.
Clause 8: Operation
Clause 8 is the operational heart of the standard, covering the day-to-day execution of AI governance:
- Operational planning and control: Planning, implementing, and controlling the processes needed to meet AIMS requirements and manage AI risks.
- AI risk assessment: Performing systematic risk assessments for AI systems, considering impacts on individuals, groups, organizations, and society.
- AI impact assessment: Evaluating the potential impacts of AI systems on affected stakeholders, including fairness, transparency, accountability, and human rights considerations.
- AI system lifecycle: Managing AI systems across their entire lifecycle — from design and development through deployment, monitoring, and retirement — ensuring that controls remain effective at every stage.
The AI impact assessment is one of the most distinctive requirements of ISO 42001. Unlike traditional IT risk assessments that focus on the organization, AI impact assessments explicitly consider the effects on external stakeholders — individuals affected by AI decisions, communities, and society at large. This requirement aligns closely with the EU AI Act's emphasis on fundamental rights impact assessments for high-risk AI systems.
Clause 9: Performance Evaluation
The organization must evaluate how well its AIMS is performing through:
- Monitoring, measurement, analysis, and evaluation: Defining what needs to be monitored (e.g., AI system performance, risk treatment effectiveness, compliance with policies) and evaluating the results.
- Internal audit: Conducting regular internal audits to verify that the AIMS conforms to the standard's requirements and the organization's own policies. Auditors must be objective and independent of the processes being audited.
- Management review: Top management must review the AIMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness, considering audit results, performance data, and changes in context.
Clause 10: Improvement
When nonconformities are identified (through audits, incidents, or complaints), the organization must take corrective action — addressing the root cause, not just the symptoms. Beyond addressing nonconformities, the organization must pursue continual improvement of the AIMS, ensuring that AI governance evolves alongside the organization's AI activities and the external landscape.
Annex A: AI Controls Reference
Annex A is the normative reference list of AI-specific controls, grouped by control objective, from which organizations select controls on the basis of the risk assessment and risk treatment performed under Clause 6. The control objectives cover:
- Policies related to AI
- Internal organization (roles, responsibilities, and reporting of concerns)
- Resources for AI systems (data, tooling, computing, and human resources)
- Assessing impacts of AI systems
- AI system life cycle (including operation, monitoring, and event logging)
- Data for AI systems (acquisition, quality, provenance, and preparation)
- Information for interested parties (documentation, transparency, and incident reporting)
- Use of AI systems (responsible use and intended use)
- Third-party and customer relationships (supplier and customer obligations)
The organization creates a Statement of Applicability documenting which Annex A controls are applied, which are excluded, and the justification for each decision.
Annex B: AI Controls Implementation Guidance
Annex B provides implementation guidance for each control listed in Annex A. While Annex A states what should be controlled, Annex B explains how those controls can be implemented in practice, offering advice on data governance, model validation, transparency mechanisms, human oversight arrangements, and more. Annex B is informative rather than normative: auditors assess whether the selected Annex A controls are implemented and effective, not whether Annex B was followed to the letter, so organizations may adopt equivalent approaches where justified. The guidance is nonetheless invaluable for organizations implementing an AIMS for the first time.
4. The Certification Process
Achieving ISO 42001 certification involves a structured process that takes your organization from initial assessment through to a certified AIMS. Here is the step-by-step journey with BALTUM Certification:
Step 1: Free Assessment at baltum.ai
The process begins with a free AI readiness assessment at baltum.ai. This online tool evaluates your organization's current AI governance maturity, identifies key gaps, and provides a preliminary recommendation on the scope and effort required for certification. There is no obligation — it simply gives you a clear picture of where you stand.
Step 2: Gap Analysis and Documentation
Once you decide to proceed, our team conducts a detailed gap analysis comparing your current AI governance practices against ISO 42001 requirements. This analysis identifies specific areas where documentation, processes, or controls need to be developed or strengthened. You receive a clear action plan with prioritized recommendations.
During this phase, you also begin developing the core AIMS documentation: AI policy, risk assessment methodology, Statement of Applicability, AI impact assessment procedures, and supporting processes.
Step 3: AIMS Implementation
With the gap analysis complete, your organization implements the AIMS — putting policies into practice, establishing governance structures, training staff, conducting initial AI risk and impact assessments, and applying the selected Annex A controls to your AI systems. This is the most substantial phase, but the Annex SL structure means organizations with existing management systems can leverage much of their existing infrastructure.
Start with your highest-risk AI systems. Prioritize the AI applications that have the greatest potential impact on individuals or regulatory exposure. Demonstrating effective governance of these systems first builds organizational confidence and provides templates for governing lower-risk AI activities.
Step 4: Stage 1 Audit (Documentation Review)
The Stage 1 audit is a documentation-focused review conducted by BALTUM's qualified auditors. The audit team examines your AIMS documentation — policies, procedures, risk assessments, Statement of Applicability, and supporting records — to confirm that the management system is designed to meet ISO 42001 requirements. The Stage 1 audit also assesses whether the organization is ready to proceed to Stage 2.
Any findings from Stage 1 are communicated so you can address them before the implementation audit.
Step 5: Stage 2 Audit (Implementation Assessment)
The Stage 2 audit evaluates whether the AIMS is effectively implemented and operating as documented. Auditors review evidence of the management system in action: risk assessments being conducted, controls operating as intended, AI impact assessments completed, competence records maintained, internal audits performed, and management reviews held. The audit includes interviews with key personnel across the organization.
Stage 2 is more in-depth than Stage 1 and covers all clauses of the standard. Any major nonconformities must be resolved before certification can be granted; minor nonconformities require a corrective action plan.
Step 6: Certificate Issued
Upon successful completion of both audit stages, BALTUM issues the ISO/IEC 42001:2023 certificate. The certificate is valid for three years and confirms that your AI Management System conforms to the standard's requirements. Your organization is listed in the BALTUM certification directory, and you receive the certification mark for use in communications and marketing.
Annual Surveillance Audits
To maintain certification, surveillance audits are conducted annually (typically at 12 and 24 months after initial certification). These audits verify that the AIMS continues to operate effectively, that corrective actions have been implemented, and that the organization is pursuing continual improvement. Surveillance audits are less extensive than the initial certification audit but cover all key areas of the standard over the three-year certification cycle.
At the end of the three-year period, a recertification audit is conducted to renew the certificate for another three-year cycle.
5. Key Benefits of Certification
Client and Stakeholder Trust
ISO 42001 certification provides independent, third-party verification that your organization governs AI responsibly. In an era of growing AI skepticism, a recognized certification mark gives clients, partners, investors, and regulators confidence that your AI systems are managed with appropriate safeguards. For B2B organizations, certification increasingly appears as a procurement requirement in RFPs and vendor assessments.
EU AI Act Compliance Foundation
The EU AI Act (Regulation (EU) 2024/1689), which entered into force on 1 August 2024 with obligations applying in stages over the following years, imposes specific obligations on providers and deployers of AI systems in the European market. ISO 42001's requirements for risk assessment, impact assessment, transparency, human oversight, and documentation align closely with the AI Act's requirements, particularly for high-risk AI systems. Certification alone does not equal compliance, but it provides a robust foundation and demonstrates due diligence to regulators. Under Article 40 of the AI Act, conformity with harmonised standards published in the Official Journal of the EU gives a presumption of conformity with the corresponding requirements; those harmonised standards are being developed by the European standardisation bodies under a Commission standardisation request, and ISO/IEC 42001 is not, at the time of writing, one of them. Treat an AIMS as the management framework within which AI Act obligations are tracked and evidenced, not as a substitute for a conformity assessment against the Act itself.
Competitive Differentiation
As AI governance becomes a market differentiator, early adopters of ISO 42001 gain a competitive edge. Certification signals to the market that your organization takes AI governance seriously, positioning you ahead of competitors who have not yet formalized their AI management practices. This advantage is particularly pronounced in regulated industries such as financial services, healthcare, and public sector contracting.
Risk Reduction
The systematic risk assessment and treatment processes required by ISO 42001 help organizations identify and mitigate AI risks before they materialize. This includes risks related to bias and fairness, data quality, model reliability, transparency, privacy, and security. By embedding risk management into AI governance, organizations reduce the likelihood of costly AI failures, reputational damage, and regulatory penalties.
Integration with Existing Management Systems
Thanks to the Annex SL structure, ISO 42001 integrates seamlessly with other ISO management system standards. Organizations can build an integrated management system combining:
- ISO 27001 — Information security management
- ISO 27701 — Privacy information management
- ISO 9001 — Quality management
- ISO 42001 — AI management
This integration reduces duplication, streamlines audits, and creates a unified governance framework that covers information security, privacy, quality, and AI in a coherent system.
BALTUM offers combined certification audits for organizations pursuing multiple ISO standards. If you are already certified to ISO 27001, adding ISO 42001 to your certification scope can be done efficiently through an integrated audit, saving time and cost while extending your governance coverage to AI.
6. Common Questions
How long does certification take?
For organizations with reasonable AI governance maturity, the certification process typically takes 2 to 4 weeks from initial assessment to certificate issuance. Organizations starting from scratch may need additional time for AIMS implementation before the audit can begin. Note that the Stage 2 audit requires evidence that the AIMS has actually operated: at least one internal audit and one management review must have been completed, and risk and impact assessment records must exist, so the timeline starts only once those records can be produced. The free assessment at baltum.ai provides a personalized timeline estimate based on your current readiness.
What does certification cost?
Certification costs vary based on several factors: the size of the organization, the complexity and number of AI systems in scope, the number of locations, and whether you are pursuing ISO 42001 alone or as part of a combined certification. BALTUM provides a detailed, transparent quote after the initial assessment. There are no hidden fees — the quote covers the complete audit and certification process.
Is the process conducted online?
Yes. BALTUM conducts the entire certification process online, including both Stage 1 and Stage 2 audits. Remote auditing is permitted under international accreditation rules (the IAF mandatory document on the use of information and communication technology for auditing, IAF MD 4, sets the conditions), provided the auditor can still obtain sufficient objective evidence; in practice this means screen-shared walkthroughs of live systems and records rather than only uploaded documents. This allows organizations anywhere in the world to achieve certification without the cost and logistical burden of on-site visits. Document submission, interviews, and evidence review are all conducted through secure online platforms.
Can I combine ISO 42001 with other certifications?
Absolutely. BALTUM specializes in integrated audits covering multiple ISO standards. The most common combinations are ISO 42001 with ISO 27001 (information security) and ISO 27701 (privacy). Because these standards share the Annex SL structure, combined audits are efficient and reduce the total audit burden on your organization. You receive separate certificates for each standard.
Do I need to be a technology company?
No. ISO 42001 applies to any organization that develops, provides, or uses AI. You do not need to build AI yourself to benefit from certification. If your organization uses AI-based tools or services — whether for customer service, analytics, decision support, or any other purpose — an AIMS helps you govern that use responsibly and demonstrate accountability to stakeholders.
What happens if we fail the audit?
Certification audits are not pass/fail examinations. If major nonconformities are identified during the Stage 2 audit, the organization is given the opportunity to address them within a defined timeframe (typically 90 days). Once the corrective actions are verified, the certificate can be issued. Minor nonconformities require a corrective action plan that is reviewed during the next surveillance audit. The goal is to help organizations achieve and maintain conformity, not to create barriers.
7. Start Your ISO 42001 Certification Journey
ISO 42001:2023 represents a landmark in AI governance — the first international standard that gives organizations a certifiable framework for managing AI responsibly. Whether you are driven by regulatory requirements, stakeholder expectations, or the conviction that responsible AI is simply good business, certification provides the structure and credibility to back up your commitment.
The path to certification is clearer and faster than most organizations expect. With BALTUM's streamlined online process, you can move from initial assessment to certified AIMS in as little as two to four weeks.
The organizations that invest in AI governance today will be the ones that lead their industries tomorrow. ISO 42001 certification is not just about compliance — it is about building the foundation for trustworthy, sustainable AI.
Take the first step. Complete the free AI readiness assessment at baltum.ai and discover exactly where your organization stands and what it takes to get certified.