Frequently Asked Questions (FAQ) about ISO/IEC 42001

  • 1. Can certification for ISO/IEC 42001 be granted to an individual person to demonstrate their competence in and understanding of AI Management Systems?

    ISO/IEC 42001 is a management system certification standard, not a personnel certification standard. As such, the object of conformity assessment under ISO/IEC 42001 is the management system, not the individual. The definition of organisation in ISO/IEC 42001 does include an individual person, but only in the sense of an individual (e.g. a sole trader) operating a management system for an AI system; it does not make the standard applicable to an individual's competence or understanding.

  • 2. Will AI management system standards such as ISO/IEC 42001 be adopted or referenced within regional legislation, such as harmonised standards in the EU?

    AI management system standards like ISO/IEC 42001 may be referenced by harmonised standards in regional legislative frameworks. However, their focus is primarily on organisational practices and processes. In contrast, legislation such as the EU AI Act targets the development and deployment of individual AI systems, with emphasis on product safety and lifecycle management. Therefore, while there may be points of alignment, standards and legislation currently serve different purposes and scopes.

  • 3. Where can additional guidance be found on evaluation methods and metrics for AI systems, especially in domains like natural language processing (NLP)?

    Efforts are ongoing, particularly in Europe, to develop and publish draft standards for the evaluation of AI in specific application domains such as NLP and computer vision. There is also guidance available in academic literature, regulatory guidance, technical reports and from industry consortia such as the AIQI Consortium. In practice, auditors of AI systems may be supported by technical experts to assess compliance with evaluation criteria. Existing standards, such as ISO/IEC 4213 and ISO/IEC 29119-11, provide useful reference points for performance evaluation, with more drafts expected to emerge, such as ISO/IEC work items 23281 and 23282, focusing on domain-specific metrics, including hallucination detection and human-in-the-loop safeguards.

  • 4. How can artificial intelligence be used to address non-conformities identified during an ISO/IEC 42001 certification process, and how can the effectiveness of such measures be monitored?

    Artificial intelligence can support an organisation in analysing root causes, identifying patterns, or proposing corrective actions following the identification of a non-conformity. However, the responsibility for addressing non-conformities lies squarely with the certified organisation. It is the organisation that must take ownership of the response, ensure that any necessary changes are effectively implemented, and demonstrate sustained improvement. At present, it is expected that a human remains in the loop to evaluate AI-generated inputs and to take accountability for decisions and actions related to non-conformity management.

  • 5. What is the current status of notified bodies under AI-related legislation such as the EU AI Act, including accreditation requirements and approval processes?

    At this point in time, we are not aware of any organisations that are notified bodies. This is because in most European member states the competent authorities that will appoint them are not yet themselves appointed.

  • 6. What are effective approaches for establishing governance over data assets and for developing bespoke large language models (LLMs)?

    Organisations building bespoke LLMs often develop their own governance structures internally, using issue tracking and knowledge management software to track development stages and compliance impacts. Governance is maintained through structured policies, embedded risk identification during development (e.g., tagging features that may affect compliance), and extensive documentation. There is no shortcut: governance in this context requires ongoing effort and iteration.

  • 7. What factors determine the number of audit days required for a full certification process under ISO/IEC 42001, including both stage 1 and stage 2 audits?

    As with any management system audit, audit time varies with several factors, and it is important to remember that audit time does not include the substantial time an organisation must invest in preparation, documentation, and internal readiness. Factors influencing audit time include the size, complexity, and maturity of the management system, as well as the organisation's experience with other standards.

  • 8. What challenges might an organisation face in pursuing ISO/IEC 42001 certification if it has not already implemented ISO/IEC 27001?

    Organisations without existing ISO 9001 or ISO/IEC 27001 certifications may lack the foundational governance structures, such as regular review cycles, leadership engagement, and formalised risk management. As a result, an organisation may need to invest additional time and effort to establish the necessary frameworks to support ISO/IEC 42001. While there’s no formal mapping between the standards, they share a common clause structure, which can support integration once the basics are in place.

  • 9. How should an organisation define the scope or perimeter for ISO/IEC 42001 certification, and is it possible to certify only a specific department?

    The concept of organisation in ISO/IEC 42001 is quite flexible, and it can include a single department of a larger organisation.

  • 10. Are there any standards or best practices for managing model performance consistency and drift when retraining machine learning models or changing underlying technologies?

    There are currently no widely adopted standards that fully address performance consistency or drift during ML model retraining and technology migrations. This remains an open challenge. Documentation and continuous monitoring were stressed as essential practices, but the standards landscape is still catching up in this area.

  • 11. Is there a new standard being developed by JTC 21 to support compliance with the AI Act?

    There is ongoing work by international and regional standardisation bodies, including ISO/IEC JTC 1/SC 42 (often referred to informally as JTC 21), to develop standards that align with the regulatory expectations set out in legislation such as the EU AI Act. These draft standards aim to provide structured guidance on aspects such as risk management, transparency, data governance, and human oversight to support conformity with emerging legal frameworks. Monitoring draft publications and working group updates is essential for staying informed.

  • 12. What considerations should be taken into account when working with a newly established organisation that is still developing its compliance frameworks?

    Engaging with an organisation that is in the process of establishing its operational and compliance structures presents both opportunities and risks. Key considerations include the maturity of governance, clarity of roles and responsibilities, regulatory oversight, and the robustness of emerging policies. It may be possible to pursue ISO/IEC 42001 certification as a newly formed organisation, even if the business is not yet fully operational. The key is demonstrating that appropriate procedures, policies, and governance structures are in place and can be evidenced. Operational maturity may not be a barrier to certification, provided the systems exist and are coherent with the requirements of the standard.

  • 13. Is there a recognised mapping between ISO 9001, ISO/IEC 27001, and ISO/IEC 42001 to support gap analysis and integrated implementation?

    These three standards share common principles (defined in the Harmonised Structure in Annex SL of the ISO/IEC directives) such as continual improvement, risk-based thinking, and structured management systems. ISO/IEC 42001 draws on foundational elements present in ISO 9001 and ISO/IEC 27001, and many organisations find it helpful to conduct a gap analysis using a crosswalk approach to identify overlaps and additional requirements. Tools and guides produced by consultants or industry associations may support this process.

  • 14. What are some examples of tools that can be used for AI risk management?

    A growing number of tools are emerging to support AI risk management across various lifecycle stages, from data quality and bias detection to explainability and model drift monitoring. While the choice of tool depends on the domain, size, and complexity of the AI system, commonly referenced types include model explainability frameworks (e.g., SHAP, LIME), fairness assessment tools, governance platforms, and incident tracking systems. Organisations are encouraged to select tools that align with their specific risk profile and operational context.