ISO 42001 Readiness Checklist
ISO/IEC 42001 is the first international standard for an AI management system, published in December 2023. If buyers are asking how you govern AI, or you are deciding where to take your program, this guide explains what the standard is and gives you a checklist to see how ready you are.
What ISO 42001 is
ISO 42001 sets out how an organization should govern AI across its lifecycle: policy, risk, roles, controls, human oversight, and continual improvement. It is voluntary, and organizations can be certified against it by accredited bodies. It is built on the same management-system structure as ISO 27001, and follows the familiar plan, do, check, act cycle, so it is not a one-time exercise but an ongoing rhythm of review.
Why teams pursue it
Three reasons come up most. Buyers and partners increasingly ask for it, so it is a credible signal that AI is governed rather than improvised. The certification cycle creates a recurring review, which keeps governance from going stale. And it overlaps heavily with the EU AI Act and the NIST AI RMF, so a single program does a lot of work at once.
ISO 42001 vs ISO 27001
They share a backbone but cover different ground. ISO 27001 governs information security. ISO 42001 governs AI management. Because they use the same structure, a team that already runs 27001 will find 42001 slots in with a familiar shape, reusing much of the same governance muscle.
The readiness checklist
Mark each item as in place, partial, or missing. If most items are in place, you are on solid ground. Any item marked missing is where to start.
- Ownership. Leadership has assigned responsibility for AI governance.
- Policy. A written AI policy exists and is communicated.
- Inventory. AI systems and uses are listed and kept current.
- Risk. Risks are identified, assessed, and logged.
- Impact assessments. Higher-impact uses get a documented assessment.
- Vendors. Third-party AI tools are risk-assessed.
- Human oversight. Consequential outputs have a named reviewer.
- Data governance. Clear rules cover how data is used with AI.
- Incidents. A response process exists and has been tested.
- Competence. Staff receive AI awareness support.
- Review. The program is revisited on a set cycle.
- Evidence. Records are kept to show the above.
The templates behind every checklist item
The Extrasphere Complete Toolkit turns this checklist into working documents: a governance charter, inventory, risk register, impact assessment, and more, mapped to ISO 42001. One-time $299, with 12 months of update re-issues included. Start free with a policy and a readiness checklist.
Where to start
You do not need to certify on day one. Start with three things: a written policy, an inventory of where AI lives in your business, and a risk log. Those cover most of what an assessor first looks for, and they are the foundation everything else builds on.
If you supply to Microsoft, the SSPA Section K Readiness Kit packages this same groundwork in the format Section K asks for.
Frequently asked questions
Is ISO 42001 mandatory?
No. It is a voluntary standard, though it is increasingly expected by buyers and partners as a signal that AI is governed.
When was ISO 42001 published?
In December 2023. It is the first international standard for an AI management system.
Can an organization be certified against ISO 42001?
Yes, by accredited certification bodies, following the same model as other management system standards.
Does ISO 42001 overlap with the EU AI Act and the NIST AI RMF?
Yes. A large share of the high-level requirements overlap, so an ISO 42001 program also supports EU AI Act and NIST AI RMF work.