ISO/IEC 42001¶
In one sentence¶
The world's first AI Management System standard — same shape as ISO/IEC 27001 (information security), but for AI. Certifiable, with a mandatory Statement of Applicability.
Who in your org owns it¶
- CAIO — sponsor.
- Compliance — owns certification readiness.
- 2L risk function — runs the AIMS day-to-day.
- Internal audit (3L) — independent assurance.
The two-minute explainer¶
ISO/IEC 42001:2023 was published in December 2023 and adopted as EN ISO/IEC 42001:2026 in Europe. It defines an Artificial Intelligence Management System (AIMS) — a documented, repeatable, auditable program for managing AI in an organisation.
Three things distinguish it from NIST AI RMF:
- It's certifiable. Accredited bodies can audit a firm against the standard and issue a certificate. NIST AI RMF isn't certifiable.
- It's management-system shaped. Same plan-do-check-act backbone as ISO 27001 (security), ISO 9001 (quality), ISO 14001 (environmental). If a firm already runs an ISO management system, 42001 plugs in.
- It requires a Statement of Applicability (SoA) — a documented row- per-control table showing which Annex A controls are in scope and how they're implemented.
42001 has 9 Annex A control objectives covering ~38 controls:
- A.2 — Policies related to AI
- A.3 — Internal organization
- A.4 — Resources for AI systems
- A.5 — Assessing impacts of AI systems
- A.6 — AI system life cycle
- A.7 — Data for AI systems
- A.8 — Information for interested parties
- A.9 — Use of AI systems
- A.10 — Third-party and customer relationships
What Regulus does for you¶
The Iso42001Framework class binds Regulus mechanisms to specific Annex
A controls. Highlights:
- A.2.2 (AI policy) ↔ ComplianceProfile + GovernanceFramework as policy-in-code.
- A.3.2 (AI roles and responsibilities) ↔
smf_holderattribution per audit event. - A.4.4 (tooling resources) ↔
ModelRegistry. - A.5.2 (impact assessment) ↔
model-risk-tier. - A.6.2.7 (event logs) ↔
RegulusAuditPlugin. - A.6.2.5 (operation and monitoring) ↔
post-market-monitoring. - A.8.5 (information for users) ↔ provenance fields per event.
- A.9.2 (intended use) ↔
purpose-binding. - A.10.3 (third-party suppliers) ↔ model registry +
third-party-risk.
Statement of Applicability generator¶
StatementOfApplicability is generated from
GovernanceProgramState.statusByControlId, producing one row per Annex A
control with status (IMPLEMENTED / PARTIAL / MAPPED_NOT_IMPLEMENTED /
NOT_APPLICABLE / GAP), justification, and evidence reference. The
artefact is what a certification body asks for first.
Saves you ~¶
- ~3 program-weeks to build an SoA from raw audit data without Regulus.
- ~6 program-weeks to evidence Annex A control coverage from scratch.
- Ongoing: SoA refresh per cycle (typically annually + on material change).
Activation¶
Pair with iso-23894 (risk management) and iso-23053 (AI/ML
architecture) to complete the ISO governance stack.
What an assessor will ask¶
- "Show me the SoA." Generated artefact + signed snapshot.
- "How does control A.6.2.7 operate?" Walk an audit event from the topic to the GRC tool.
- "How do you handle change management for AI systems?" Demonstrate the kill switch + model registry version pinning + audit linkage.
- "Where is policy documented?"
ComplianceProfile+GovernanceFrameworkdeclarations point to the policy text.
What this doesn't cover¶
- The certification audit itself. External body; you commission it.
- AIMS process documentation beyond what Regulus encodes (organisational charts, training records, internal reviews).
- Annex B and Annex C guidance. Implementation-supporting only.
- AIMS scope definition. Your firm decides what's in scope; Regulus exposes the artefact.
Citations¶
- ISO/IEC 42001:2023 — https://www.iso.org/standard/42001
- EN ISO/IEC 42001:2026 (European adoption).
- ISO 42001 Annex A — published with the standard.