Tags: ISO 42001, AI Governance, Certification

ISO 42001: Building an AI Management System

16 June 2026·8 min read·Cyber Horizon Team

ISO/IEC 42001 is the first certifiable management-system standard for artificial intelligence. If ISO 27001 gave you a framework for managing information security, 42001 does the same for the responsible development and use of AI — and it’s fast becoming the way to prove your AI governance to customers and regulators.

What ISO 42001 actually is

It’s an Artificial Intelligence Management System (AIMS): a set of policies, processes and controls for governing AI across its lifecycle, from design and data sourcing through deployment, monitoring and retirement. Like other ISO management-system standards it follows the familiar Plan-Do-Check-Act cycle: mandatory clauses 4–10 (context, leadership, planning, support, operation, performance evaluation, improvement) plus an Annex A of controls, with implementation guidance for each in Annex B, which you select and justify in a Statement of Applicability.

Why it matters now

It operationalises the EU AI Act

A certified AIMS is a credible way to evidence the risk management, documentation, human oversight and post-market monitoring that the AI Act expects of providers of high-risk systems. Note that ISO 42001 is not a harmonised European standard, so certification does not by itself create a presumption of conformity with the Act.

Customers are starting to ask

Enterprise buyers now add AI-governance questions to security questionnaires. Certification answers them up front.

It builds on what you have

If you already run ISO 27001, much of the management-system machinery is reusable.

How it relates to ISO 27001 and the AI Act

Framework    Focus                            Nature
ISO 27001    Information security             Certifiable standard
ISO 42001    AI management and responsible use  Certifiable standard
EU AI Act    Legal obligations for AI         Regulation (law)

Certification to ISO 42001 is voluntary; the EU AI Act is law. They complement each other: the standard is a practical route to building and evidencing the governance the regulation demands, but meeting the Act’s specific obligations (risk classification, technical documentation, conformity assessment) still has to be checked against the legal text itself.

An implementation path

  • Define the scope: which AI systems, teams and sites the AIMS covers, and which are explicitly excluded and why.
  • Run an AI risk assessment (clause 6.1.2) and a separate AI system impact assessment (clause 6.1.4) across the in-scope systems; the standard treats these as distinct requirements.
  • Set your AI policy, objectives and roles; accountability matters here, so name the owner for each system and decision.
  • Select Annex A controls and write your Statement of Applicability, justifying both the controls you include and those you exclude.
  • Operate the controls, collect evidence, and run internal audits and management reviews.
  • Engage an accredited certification body; expect a two-stage audit (documentation review, then assessment of the operating controls) followed by surveillance audits.

The bottom line

ISO 42001 turns “we use AI responsibly” from a claim into a certifiable, auditable system. Implemented alongside ISO 27001 and mapped to the EU AI Act, it gives you one coherent governance story for security, privacy and AI.

Run ISO 42001 next to ISO 27001

Cyber Horizon supports ISO 42001 with a shared control library — so one piece of evidence can satisfy multiple frameworks, AI governance included.
