For years there was no recognised standard for managing artificial intelligence the way ISO 27001 governs information security. In December 2023 that changed. ISO/IEC 42001 was published as the world’s first AI management system standard, giving organisations a certifiable framework for developing and operating AI responsibly. For UK organisations buying or building AI, it is becoming a useful question to ask: does the supplier hold it, or is it pursuing it?
What ISO 42001 is
ISO 42001 sets out the requirements for an AI management system, often shortened to AIMS. It is a management-system standard, which puts it in the same family as ISO 27001 for information security and ISO 9001 for quality. That family shares a structure: define your objectives and risks, put controls and processes in place to address them, assign clear responsibility, and improve continually on the basis of evidence and review.
Applied to AI, the standard asks an organisation to govern how it develops and operates AI systems across their life cycle. That covers risk assessment specific to AI, the data the systems use, transparency about how they work, accountability for their outputs, and ongoing monitoring. It is a framework for doing AI deliberately rather than incidentally, and for being able to show that you do.
Because ISO 42001 is a certifiable standard, an organisation’s AI management system can be audited against it by an accredited body, which means the organisation can demonstrate conformity rather than merely assert good intentions. That is the difference that matters in procurement.
How it relates to ISO 27001
The two standards are complementary, and it helps to keep them distinct. ISO 27001 governs the security of information: confidentiality, integrity, and availability. ISO 42001 governs the responsible management of AI: how the systems are built, what they do, and who answers for them. An organisation building AI for sensitive environments has reason to pursue both. ISO 27001 shows that the supplier protects information to a recognised standard; ISO 42001 shows that it manages AI to one.
For UK and European buyers, both are generally preferred over their US-originating counterparts. ISO 27001 tends to carry more weight than SOC 2 in UK and European procurement, and ISO 42001 now gives AI governance an equivalent international reference point.
Why it matters for UK procurement
Procurement teams in regulated sectors are paid to check claims, and AI has given them a new category to check. A supplier that can point to a recognised AI management standard offers something firmer than a page of principles. It signals that the organisation has thought about AI risk systematically, assigned responsibility for it, and submitted, or intends to submit, to independent scrutiny.
Because ISO 42001 is new, holding it is still uncommon, and pursuing it early is itself a signal of maturity. Over time it is likely to move from a differentiator to an expectation, as ISO 27001 did before it. Organisations that begin the work now will be ahead of that curve rather than scrambling to catch it.
A word on honest status
A standard is worth only as much as the truth of the claim attached to it. There is a meaningful difference between holding a certification, actively pursuing it, and planning to. Procurement teams check, and a supplier that blurs the three loses the trust the certification was meant to build.
Our own position is stated plainly across this site and worth repeating here. Cyber Essentials is in progress. Cyber Essentials Plus, ISO 27001, and ISO 42001 are planned, with ISO 42001 part of the roadmap precisely because building AI for regulated environments is the work we do. We label each as achieved only once it is. We would rather you trust the label than be impressed by it.
The short version
ISO 42001 gives AI governance the recognised, certifiable framework it previously lacked, sitting alongside ISO 27001 rather than replacing it. For UK organisations buying AI, it is a fair and increasingly useful thing to ask a supplier about. For organisations building AI for sensitive environments, it is a sensible standard to pursue early, and an honest account of where you stand against it matters as much as the standard itself.
If you are assessing AI suppliers and want to understand how these standards apply to a specific deployment, we are glad to talk it through and to share where we are on each.