← All articles
ISO 42001

ISO 42001 explained: how to build an AI Management System from scratch

Moonlight GRC · 9 min read

If your company builds, deploys or even just relies on AI, ISO 42001 is quickly becoming the standard that customers, investors and regulators expect you to meet. Here is what it actually is — and a realistic path to getting there.

What is ISO 42001?

ISO/IEC 42001:2023 is the first international standard for an AI Management System (AIMS). Think of it as ISO 27001's younger sibling: where ISO 27001 gives you a system to manage information security, ISO 42001 gives you a system to manage artificial intelligence responsibly — across its whole lifecycle, from design and data to deployment and monitoring.

It is a management system standard, which means it is not a checklist of technical controls you install once. It is a set of ongoing processes: you define objectives, assess risks and impacts, put controls in place, measure whether they work, and improve continuously. An accredited body can then audit and certify that your system meets the standard.

Who actually needs it?

ISO 42001 is relevant if any of the following describe you:

It is not only for large companies. Startups, entrepreneurs and small teams increasingly pursue ISO 42001 precisely because it unlocks bigger deals and demonstrates maturity well beyond their size.

How ISO 42001 relates to the EU AI Act

The two are different things — one is a voluntary standard, the other is binding EU law — but they are highly complementary. The EU AI Act tells you what outcomes you must achieve (risk management, transparency, human oversight, data governance). ISO 42001 gives you a structured way to run the organisation so those outcomes happen consistently and can be evidenced. Building an AIMS is one of the most practical ways to get "AI Act ready".

The building blocks of an AIMS

A compliant ISO 42001 system typically includes:

A step-by-step path to certification

  1. Gap analysis. Map your current practices against ISO 42001 and identify what is missing. This gives you a prioritised roadmap before you spend effort building anything.
  2. Scope and context. Decide which AI systems and parts of the business the AIMS covers, and understand your stakeholders and obligations.
  3. Risk and impact assessments. Build your AI risk register and impact assessments — the analytical heart of the system.
  4. Design controls and documentation. Write the policies and procedures, and implement the controls that treat your risks (many will already overlap with ISO 27001 if you have it).
  5. Operate the system. Run it for long enough to generate evidence — records, reviews, monitoring results.
  6. Internal audit and management review. Check the system yourself and fix issues before the external auditor sees them.
  7. Certification audit (Stage 1 + Stage 2). An accredited body reviews your documentation, then your implementation, and issues the certificate.

How long and how hard?

For an organisation starting from scratch, a realistic timeline is a few months, not weeks — it depends on how many AI systems are in scope and whether you already have ISO 27001 in place. The good news: if you have an information security management system, a large share of the foundation (governance, risk process, documentation discipline) is reusable, and the two can be run as one integrated system.

The goal isn't a certificate on the wall. It's an AI governance system that keeps working after the auditor leaves — and that your customers can trust.

Thinking about ISO 42001?

Moonlight helps companies, entrepreneurs and teams of every size go from "we have nothing" to a certifiable AI Management System — fully async, no unnecessary calls.

Start with a Gap Analysis