
ISO/IEC 42001 compliance software

Stand up an AI management system (AIMS) and reuse the classification work you already do for the EU AI Act to cover ISO/IEC 42001 Annex A controls.

ISO/IEC 42001 is the international management-system standard for artificial intelligence - the AI equivalent of ISO/IEC 27001 for information security. It is voluntary, but enterprise customers increasingly require it in procurement and RFPs, so certification is a strong commercial trust signal.

What an AI management system (AIMS) requires

Like other ISO management standards, 42001 follows the Annex SL high-level structure (clauses 4-10). In plain terms, you must address:

  • Context (cl. 4) - define the scope of your AIMS and the internal/external issues that affect it.
  • Leadership & policy (cl. 5) - an AI policy, clear roles and accountability.
  • Planning (cl. 6) - AI risk assessment and AI system impact assessment, with objectives.
  • Support & operation (cl. 7-8) - resources, competence, and the operational controls that manage AI risk.
  • Evaluation & improvement (cl. 9-10) - monitoring, internal audit, management review and continual improvement.

Annex A control groups

Annex A lists the controls you select from to treat AI risks. The groups (A.2-A.10) cover, in plain English:

  • A.2-A.3 - AI policies and internal organisation / roles.
  • A.4-A.5 - resources for AI systems and AI impact assessment.
  • A.6 - the AI system lifecycle (responsible design, development and deployment).
  • A.7-A.8 - data for AI systems and information for interested parties.
  • A.9-A.10 - responsible use of AI and third-party / supplier relationships.

Reuse your EU AI Act work

The risk-management, data-governance, human-oversight and impact-assessment work the EU AI Act requires maps directly onto these Annex A controls. ComplyAgent carries a single AI-system classification across both, so you do not redo the analysis per standard - and the same evidence feeds your NIST AI RMF answers too.

ISO 42001 vs ISO 27001

ISO 27001 manages information-security risk; ISO 42001 manages AI-specific risk (bias, transparency, oversight, lifecycle governance). They share the same management-system backbone, so if you already run 27001 the 42001 lift is smaller - but the AI controls and the impact assessment are genuinely new and are exactly what ComplyAgent generates.

The certification path

The typical certification route runs in stages:

  1. Scope the AIMS.
  2. Run the AI risk and impact assessments.
  3. Select and implement the Annex A controls.
  4. Operate the system and collect evidence.
  5. Complete an internal audit and management review.
  6. Pass Stage 1 and Stage 2 audits by an accredited certification body.

ComplyAgent gives you the documentation, control evidence and a living compliance score to walk in prepared.

Get started

Start a free trial, view pricing, or read the ISO/IEC 42001 definition in our glossary.