ISO/IEC 42001 · Artificial Intelligence Management
Move faster with AI — without losing control.
ISO/IEC 42001 establishes an AI management system that brings governance, risk-based thinking and oversight to how organisations develop, provide and use AI. We help you build it proportionately — for AI developers, providers and users.
What it is
A brief introduction to ISO/IEC 42001
ISO/IEC 42001 defines requirements for an AI management system, including AI policy, roles, risk and impact assessment, data and information management, transparency, human oversight, supplier governance and continual improvement.
CroftSpurr summaries are written in our own words. We do not reproduce copyrighted clauses from ISO standards.
Why organisations pursue it
Common business drivers.
You build, embed or deploy AI in products or operations.
Customers, investors or regulators are asking AI governance questions.
Internal use of AI has outpaced your policies and oversight.
You want a defensible position on responsible AI.
You plan to align with the EU AI Act and other emerging regulation.
Business benefits
Outcomes a well-built system can support.
Visibility of where AI is used, by whom and for what
Clear AI accountability across leadership, product and operations
Risk and impact assessment in advance — not after incidents
Confident answers to customer and investor scrutiny
Supplier AI governance, not blind trust
A foundation for emerging AI regulation
Common triggers
What usually prompts a project.
- A flagship customer asks how AI is governed.
- An investor or board member raises AI risk concerns.
- An incident involving an AI tool has surfaced weak controls.
- An AI feature is being launched without an approval route.
- Internal use of generative AI is uncontrolled.
What implementation involves
The core building blocks.
- 01 AI policy, objectives and organisational roles.
- 02 AI system inventory, use cases and risk assessment.
- 03 AI system impact assessment.
- 04 Data and information management for AI.
- 05 Transparency, communication and human oversight.
- 06 Supplier AI governance and incident handling.
How CroftSpurr helps
A focused, hands-on approach.
Relationship with other standards
How it fits the wider picture.
- ISO/IEC 23894 - Guidance on AI risk management; feeds the 42001 risk processes.
- ISO/IEC 42005 - Guidance on AI system impact assessment.
- ISO/IEC 38507 - Governance implications of AI for the governing body.
- ISO/IEC 27001 - Information security underpins AI management.
Typical project journey
What a project usually looks like.
- 01 AI landscape workshop
- 02 Use case inventory
- 03 AI risk and impact assessment
- 04 Policy and control design
- 05 Implementation and oversight
- 06 Internal audit and certification readiness
Certification
Consultancy and certification are different.
CroftSpurr helps you understand requirements, implement your management system and prepare for the certification audit. Independent certification is carried out by a separate certification body. We do not sell or issue ISO certificates.
FAQs
Common questions.
Is ISO/IEC 42001 only for AI developers?
No. It applies to organisations that develop, provide or use AI. Many of our engagements involve organisations using third-party AI extensively.
How does ISO/IEC 42001 relate to the EU AI Act?
They are not the same. ISO/IEC 42001 is a voluntary management-system standard, not a harmonised standard under the AI Act, so certification on its own does not demonstrate conformity with the Act. An ISO/IEC 42001-aligned management system does, however, give you a strong foundation for meeting AI Act and other regulatory obligations: the risk management, impact assessment, data governance, transparency and human oversight processes it requires map closely to what the Act expects.
Can we combine ISO/IEC 42001 with ISO/IEC 27001?
Yes, and we encourage it. Both standards follow the same harmonised management-system structure, so context, leadership, planning, support, operation, performance evaluation and improvement can be run as one system with a shared scope, risk process and internal audit programme. Many controls also overlap, particularly around supplier management, incident handling, asset and data management and access to AI-related information, which an existing ISMS can extend rather than duplicate.
