
ISO 42001 Readiness Checklist

ISO/IEC 42001 is the first international standard for an AI management system, published in December 2023. If buyers are asking how you govern AI, or you are deciding where to take your program, this guide explains what the standard is and gives you a checklist to see how ready you are.

What ISO 42001 is

ISO 42001 sets out how an organization should govern AI across its lifecycle: policy, risk, roles, controls, human oversight, and continual improvement. It is voluntary, and organizations can be certified against it by accredited certification bodies. It is built on the same harmonized management-system structure as ISO 27001 and follows the familiar Plan-Do-Check-Act cycle, so it is not a one-time exercise but an ongoing rhythm of review.

Why teams pursue it

Three reasons come up most. Buyers and partners increasingly ask for it, so it is a credible signal that AI is governed rather than improvised. The certification cycle creates a recurring review, which keeps governance from going stale. And it overlaps heavily with the EU AI Act and the NIST AI RMF, so a single program does a lot of work at once.

ISO 42001 vs ISO 27001

They share a backbone but cover different ground. ISO 27001 governs information security. ISO 42001 governs AI management. Because they use the same structure, a team that already runs 27001 will find 42001 slots in with a familiar shape, reusing much of the same governance muscle.

The readiness checklist

Mark each item as in place, partial, or missing. If most items are in place, you are on solid ground. Any item marked missing is where to start.

Do it faster

The templates behind every checklist item

The Extrasphere Complete Toolkit turns this checklist into working documents: a governance charter, inventory, risk register, impact assessment, and more, mapped to ISO 42001. One-time $299, with 12 months of update re-issues included. Start free with a policy and a readiness checklist.

Where to start

You do not need to certify on day one. Start with three things: a written policy, an inventory of where AI lives in your business, and a risk log. Those cover most of what an assessor first looks for, and they are the foundation everything else builds on.

If you supply to Microsoft, the SSPA Section K Readiness Kit packages this same groundwork in the format Section K asks for.

Frequently asked questions

Is ISO 42001 mandatory?

No. It is a voluntary standard, though it is increasingly expected by buyers and partners as a signal that AI is governed.

When was ISO 42001 published?

In December 2023. It is the first international standard for an AI management system.

Can a company be certified?

Yes, by accredited certification bodies, following the same model as other management system standards.

Does it overlap with the EU AI Act?

Yes. A large share of the high-level requirements overlap, so an ISO 42001 program also supports EU AI Act and NIST AI RMF work. Note that certification does not by itself demonstrate EU AI Act compliance; the Act imposes its own legal obligations, and an ISO 42001 program is a way of organizing the evidence for them rather than a substitute.
