ISO 42001

ISO 42001 readiness guide

A clause-by-clause walkthrough of the AI management system standard — what an AIMS is, the ten clauses, and the evidence each clause expects from a gap assessment onward.

What an AIMS is

ISO/IEC 42001:2023 is the first international standard for an artificial intelligence management system (AIMS). An AIMS is the set of policies, processes and controls an organisation uses to govern the development, provision and use of AI responsibly. Rather than prescribing a single technical solution, the standard defines a management system: a repeatable way to set objectives, assess and treat risk, assign responsibility and improve over time.

The ten clauses

ISO/IEC 42001 follows the ISO Harmonized Structure, the common framework shared across modern ISO management system standards. That structure is built around ten clauses:

  • 1. Scope — what the standard covers.
  • 2. Normative references — the documents it draws on.
  • 3. Terms and definitions — the vocabulary it uses.
  • 4. Context of the organisation — understanding the organisation, interested parties and AIMS scope.
  • 5. Leadership — top-management commitment, policy and roles.
  • 6. Planning — addressing risks and opportunities and setting objectives.
  • 7. Support — resources, competence, awareness, communication and documented information.
  • 8. Operation — planning and controlling the processes needed to meet requirements.
  • 9. Performance evaluation — monitoring, measurement, internal audit and management review.
  • 10. Improvement — nonconformity, corrective action and continual improvement.

Clauses 4 to 10 contain the auditable requirements an organisation must meet; clauses 1 to 3 set the frame and are not assessed.

How to start a gap assessment

A gap assessment compares where you are today against what each clause requires. A practical way to begin:

  • Define the scope of your AIMS — which parts of the organisation and which AI systems it covers.
  • Work through clauses 4 to 10 in turn, noting what exists, what is partial and what is missing.
  • Capture the evidence you already hold against each requirement.
  • Record gaps as actions with owners, so the assessment becomes a plan rather than a report.

Evidence each clause expects

The standard expects documented information to demonstrate that the management system is in place and working. In broad terms:

  • Context — a defined AIMS scope and an understanding of interested parties.
  • Leadership — an AI policy and clearly assigned roles and responsibilities.
  • Planning — AI risk assessments and treatment plans, AI system impact assessments, a Statement of Applicability covering the Annex A reference controls, and measurable AI objectives with plans to meet them.
  • Support — records of competence, awareness and controlled documentation.
  • Operation — evidence that the planned processes and controls are actually run.
  • Performance evaluation — monitoring results, internal audit reports and management review minutes.
  • Improvement — records of nonconformities and the corrective actions taken.

Alignment with other standards

Because it uses the Harmonized Structure, ISO/IEC 42001 aligns well with ISO/IEC 27001 and other management system standards. Organisations that already run a 27001-based information security management system can often build the AIMS on top of existing leadership, planning, support and audit processes rather than starting from scratch. The shared clauses are reusable; the AI-specific content is not. The AI policy, the AI risk and impact assessments and the Annex A reference controls still have to be built and evidenced for the AIMS in their own right.

How TrustedAIGov helps

The TrustedAIGov Governance Platform is designed to support work aligned to an AIMS, holding the policy, risk and evidence records the clauses expect and giving each requirement an owner. It supports your team's readiness work; it does not certify your management system, which only an independent certification body can do after its own audit.

Build your AIMS on solid ground

Run a clause-by-clause gap assessment and turn it into an owned, evidenced plan.