ISO 42001 explained: how to build an AI Management System from scratch
If your company builds, deploys or even just relies on AI, ISO 42001 is quickly becoming the standard that customers, investors and regulators expect you to meet. Here is what it actually is — and a realistic path to getting there.
What is ISO 42001?
ISO/IEC 42001:2023 is the first international standard for an AI Management System (AIMS). Think of it as ISO 27001's younger sibling: where ISO 27001 gives you a system to manage information security, ISO 42001 gives you a system to manage artificial intelligence responsibly — across its whole lifecycle, from design and data to deployment and monitoring.
It is a management system standard, which means it is not a checklist of technical controls you install once. It is a set of ongoing processes: you define objectives, assess risks and impacts, put controls in place, measure whether they work, and improve continuously. An accredited body can then audit and certify that your system meets the standard.
Who actually needs it?
ISO 42001 is relevant if any of the following describe you:
- You develop AI products or features (models, agents, recommendation engines, automated decisioning).
- You deploy AI in ways that affect people — hiring, credit, healthcare, content moderation, customer-facing decisions.
- Your enterprise customers have started asking how you govern AI before they will sign.
- You operate in or sell into the EU, where the AI Act now creates legal obligations that an AIMS helps you meet.
It is not only for large companies. Startups, entrepreneurs and small teams increasingly pursue ISO 42001 precisely because it unlocks bigger deals and demonstrates maturity well beyond their size.
How ISO 42001 relates to the EU AI Act
The two are different things — one is a voluntary standard, the other is binding EU law — but they are highly complementary. The EU AI Act tells you what outcomes you must achieve (risk management, transparency, human oversight, data governance). ISO 42001 gives you a structured way to run the organisation so those outcomes happen consistently and can be evidenced. Building an AIMS is one of the most practical ways to get "AI Act ready".
The building blocks of an AIMS
A compliant ISO 42001 system typically includes:
- AI policy and objectives — what responsible AI means for your organisation.
- AI risk assessment — identifying and treating risks specific to AI systems (bias, drift, misuse, security, explainability).
- AI impact assessment — evaluating effects on individuals, groups and society.
- Data governance for AI — how training and operational data is sourced, quality-checked and controlled.
- Lifecycle controls — from design and development through deployment, monitoring and retirement.
- Roles and oversight — who is accountable, and how humans stay in the loop.
- Monitoring and continual improvement — measuring performance and closing gaps.
A step-by-step path to certification
- Gap analysis. Map your current practices against ISO 42001 and identify what is missing. This gives you a prioritised roadmap before you spend effort building anything.
- Scope and context. Decide which AI systems and parts of the business the AIMS covers, and understand your stakeholders and obligations.
- Risk and impact assessments. Build your AI risk register and impact assessments — the analytical heart of the system.
- Design controls and documentation. Write the policies and procedures, and implement the controls that treat your risks (many will already overlap with ISO 27001 if you have it).
- Operate the system. Run it for long enough to generate evidence — records, reviews, monitoring results.
- Internal audit and management review. Check the system yourself and fix issues before the external auditor sees them.
- Certification audit (Stage 1 + Stage 2). An accredited body reviews your documentation, then your implementation, and issues the certificate.
How long and how hard?
For an organisation starting from scratch, a realistic timeline is a few months, not weeks — it depends on how many AI systems are in scope and whether you already have ISO 27001 in place. The good news: if you have an information security management system, a large share of the foundation (governance, risk process, documentation discipline) is reusable, and the two can be run as one integrated system.
The goal isn't a certificate on the wall. It's an AI governance system that keeps working after the auditor leaves — and that your customers can trust.
Thinking about ISO 42001?
Moonlight helps companies, entrepreneurs and teams of every size go from "we have nothing" to a certifiable AI Management System — fully async, no unnecessary calls.
Start with a Gap Analysis