INTERNATIONAL · ISO/IEC 42001:2023

ISO 42001, the management system for governing AI.

The first certifiable AI management system. It governs how you build and use AI — policy, risk, impact assessments, lifecycle, and human oversight. We're AI-native and run AI with a human in the loop; 42001 is how you prove it.

At a glance
  • Owner · ISO + IEC (Geneva)
  • Version · 42001:2023
  • Structure · Clauses 4–10 + Annex A (38 controls)
  • Certifiable · Yes — like ISO 27001
  • Cybereen status · Live coverage
WHAT IT IS

A management system for AI — not a model audit.

ISO/IEC 42001:2023 is the first certifiable standard for an AI management system (AIMS). It governs how your organisation develops, provides, and uses AI responsibly — the policies, risk processes, and oversight, not the maths inside a model.

Structurally it's a twin of ISO 27001: clauses 4–10 describe the management system — context, leadership, planning, support, operation, evaluation, improvement — and Annex A lists 38 controls grouped into nine areas, which you select and justify for your AI use.

It certifies the same way: a two-stage audit by an accredited body, then a three-year cycle. It maps cleanly to the NIST AI Risk Management Framework and gives you defensible evidence of governance as the EU AI Act and regulators sharpen expectations.

The honest version: The hardest parts of 42001 aren't the policies — they're the AI system impact assessment and keeping a live inventory of where AI actually touches decisions. That's exactly the human-in-the-loop discipline Cybereen is built around.
THE AIMS LIFECYCLE

Plan · Do · Check · Act. For every AI system you run.

42001 runs on the same Plan-Do-Check-Act clock as your ISMS. Cybereen schedules each step, assigns the owner, and keeps the evidence trail.

PLAN

Policy, risk, impact.

Set your AI policy and objectives, assess AI risk, and run an impact assessment for each AI system in scope.

  • AI policy + objectives
  • AI risk assessment
  • AI system impact assessment
CHECK

Monitor & review.

Monitor AI systems in production, run internal audit and management review. Regulators want this happening continuously.

  • Performance monitoring
  • Internal audit log
  • Management review
ACT

Improve.

Close nonconformities, retire or retrain models, update risk treatment. Continual improvement is clause 10 — and it's tested.

  • NCR register
  • Model change control
  • Improvement log
ANNEX A · 2023

38 controls. Nine areas. Four that carry the weight.

Annex A spans AI policy through to third-party use. These four areas are where most of the real work — and the audit scrutiny — lands.

A.2 · AI policy & governance

Leadership commitment, an AI policy, roles and responsibilities, and how AI decisions are governed across the org.

  • Policy + roles · Board-visible

A.5 · Impact assessment

The AI system impact assessment — effects on individuals, groups, and society. The control auditors and regulators probe hardest.

  • AISIA template · Per system

A.6 · AI system lifecycle

Responsible design, development, verification, deployment, and operation — with data governance and human oversight throughout.

  • Lifecycle controls · Data + oversight

A.10 · Use & third parties

Responsible use of AI systems, information for affected parties, and managing AI supplied by — or to — third parties.

  • Supplier terms · Transparency

  • Policy — template + sign-off workflow
  • Evidence — impact assessments, oversight records, dated
  • Maps to NIST AI RMF + supports EU AI Act readiness
INSIDE CYBEREEN

Your AI register. Governed, not guessed.

A live inventory of every AI system, its impact assessment, owner, and oversight model — sitting alongside your other frameworks, on one source of truth.

  • AI system register — what AI you run, where it touches decisions, who owns it.
  • Impact assessments — AISIA template per system, versioned and dated.
  • Human-in-the-loop evidence — oversight points defined and logged, not assumed.
  • Lifecycle controls — design → deploy → monitor → retire, tracked to closure.
  • Cross-framework reuse — your 27001 evidence pre-fills the AIMS controls it shares.
[Screenshot: app.cybereen.com / standards / iso-42001 / register (LIVE) — Cybereen AI management system: AI register and Annex A control coverage with impact assessments and maturity, alongside other frameworks]
COMMON MISTAKES

Three places AI governance falls over.

What teams underestimate when they first stand up an AIMS.

Mistake 01

Treating it as a model audit.

42001 doesn't test your model's accuracy. It tests whether you govern AI — policy, accountability, impact, oversight. Teams that send engineers to "pass the model" miss what's actually assessed.

Fix: Stand up the management system first; the model evidence slots in.
Mistake 02

Skipping the impact assessment.

The AI system impact assessment is the control auditors and regulators scrutinise most. A generic, one-size template applied to every system is an instant finding.

Fix: Run a real AISIA per system, tied to its actual use and data.
Mistake 03

No live AI inventory.

You can't govern AI you can't see. Shadow AI — a team wiring an LLM into a workflow — is the gap that breaks an AIMS, and it grows weekly.

Fix: Keep a living AI register; review it, don't snapshot it annually.
ISO 42001 FAQ

Questions before you govern AI.

If yours isn't here, the contact form has a free-text field — answers go in the next page revision.

Is ISO 42001 certifiable, like 27001?
Yes. 42001 is a full management system standard, so you can certify against it through an accredited body — a two-stage audit, then a three-year cycle with annual surveillance, exactly like ISO 27001. It was published in December 2023, so the certification ecosystem is still young but growing fast.
How is it different from ISO 27001?
Same management-system shape (clauses 4–10 + an Annex A), different subject. 27001 governs information security; 42001 governs AI — its risks, impacts, lifecycle, and oversight. If you already run an ISMS, the muscle memory and a good chunk of evidence transfer. Cybereen reuses your 27001 controls where the two overlap.
Does it help with the EU AI Act?
It's not a substitute for legal compliance, but it's the strongest off-the-shelf governance framework to demonstrate it. 42001's policies, risk processes, and impact assessments line up with the EU AI Act's governance expectations and the NIST AI RMF — so the evidence you build is reusable across all three.
What is an AI system impact assessment?
It's the structured analysis of how an AI system could affect individuals, groups, and society — fairness, safety, transparency, and the consequences of getting it wrong. 42001 requires one per AI system in scope. Cybereen ships a template and keeps each assessment versioned against its system.
We're AI-native — where do we start?
Start with the register: list every place AI touches a decision, then run an impact assessment on the highest-stakes ones. From there the policy and lifecycle controls have something concrete to attach to. That inventory-first, human-in-the-loop approach is exactly how Cybereen is built — so the AIMS forms around how you already work.

Govern your AI before a regulator asks you to.

Stand up the register, run the impact assessments, evidence the human oversight — on the same platform as your other frameworks. Book a walk-through and we'll map it to your AI.
