
ISO 42001:2023 on artificial intelligence: what it is and what it is for
Artificial intelligence (AI) has become a key element in the digital transformation of companies, but it is also a source of legal, ethical and reputational risks.
In this context, it is no longer enough for a model to work “well” from a purely technical perspective. Authorities, clients and business partners want to know who controls these systems, what safeguards are in place and how risks are managed. To address these questions, the ISO/IEC 42001:2023 standard has been published, the first international standard specifically focused on artificial intelligence management systems. Its purpose is to provide a governance framework that enables organisations to design, deploy and use AI in a responsible way, aligned with applicable regulation and with market expectations regarding trust.
What does ISO 42001:2023 regulate?
ISO 42001 is not a technical manual on algorithms, but a management system standard. It regulates how the company organises itself around its AI systems: which policies it approves, which processes it follows, who takes decisions and which controls are applied.
Like other management system standards such as ISO 9001 or ISO/IEC 27001, it follows the ISO harmonised high-level structure, so it can be integrated with those systems where they already exist. In practice, it requires the organisation to:
- Define the context and scope of the AI management system.
- Establish a responsible AI policy, approved by top management.
- Identify risks and opportunities and plan objectives and measures.
- Ensure resources, competences and documentation management.
- Manage the life cycle of AI systems: design, acquisition, testing, deployment and monitoring.
- Assess system performance using indicators and internal audits.
What makes ISO 42001 distinctive is that it applies this logic to AI-specific risks: bias and potentially discriminatory decisions, lack of explainability, impact on fundamental rights, exposure of personal data and cyber security risks. In short, it regulates how AI is governed within the organisation, leaving room for technological freedom but requiring order, traceability and control.
Objectives of the AI management system
The AI management system (AIMS) is the set of policies, processes, roles and controls that the organisation implements to keep the AI systems it develops, acquires or uses under control.
1. Good governance and accountability
The first objective is to ensure good governance. ISO 42001 seeks to prevent AI from being used in an improvised or fragmented way. The standard requires the organisation to define who does what: which body approves the AI policy and strategy, who is responsible for each system or use case, and how the areas involved coordinate with each other.
This means that, in the event of an incident, there is traceability of decisions and the company can demonstrate that it has acted diligently, which is particularly relevant in dealings with supervisory authorities, clients and business partners.
2. Risk management and regulatory compliance
The second pillar is to establish AI-specific risk management and to facilitate regulatory compliance. For each system, the organisation must identify:
- Potential impacts on individuals and on the business.
- Legal risks (data protection, consumer law, equality and non-discrimination, liability, etc.).
- Appropriate controls: review of data and models, testing prior to deployment, limits on automation, human oversight and security measures.
In addition, the AI management system must be aligned with the organisation's compliance obligations under the GDPR, Spanish data protection law (LOPDGDD), e-commerce and information society services law (LSSI), the AI Act and sector-specific regulation, generating documented evidence that can be presented to authorities, clients or partners (records, assessments, reports, minutes, etc.).
3. Trust and transparency
The third objective is to strengthen trust and transparency. A system aligned with ISO 42001 makes it easier to explain:
- When AI is used in products, services or internal processes.
- Which decisions are automated and which remain subject to human oversight.
- Which limits have been established and how incidents are handled.
This improves how clients, users, investors and regulators perceive the organisation and strengthens its reputation compared to competitors that use AI without clear controls.
How to obtain certification for your company
ISO/IEC 42001 is a certifiable standard. An independent certification body can audit the organisation’s AI management system and, if it meets the requirements, issue a certificate with a defined scope.
1. Scope and initial diagnosis
The first phase consists of defining the scope and carrying out an initial diagnosis. Top management decides which areas and AI systems will be included in the management system and, where applicable, in the certificate. A gap analysis is then performed to:
- Identify the inventory of AI systems and use cases.
- Review existing policies and procedures.
- Assess the current degree of alignment with the standard.
This provides a realistic roadmap towards compliance.
2. Design and implementation of the system
The second phase is to design and implement the AI management system. Based on the diagnosis, specific policies and procedures are drafted or adapted, objectives and indicators are defined, and roles and resources are assigned.
In parallel, the system is rolled out in practice: training teams, putting processes into operation, generating evidence through records and reports, and monitoring AI systems.
3. Audits and certification
The third phase consists of conducting audits and obtaining certification. Once the system is up and running, the organisation carries out internal audits to verify its effectiveness and identify improvements.
It can then request a certification audit from an accredited body, usually in two stages: a stage 1 review of documentation and readiness, followed by a stage 2 on-site verification that the system is actually implemented and effective. If the outcome is positive, the ISO/IEC 42001 certificate is issued with the agreed scope and periodic surveillance audits are scheduled to ensure that the system is maintained and continues to improve over time.

Letslaw is an international law firm specialising in business law.