When an SME asks us «do we need to get ISO 42001 certified?», the right question is a different one. Not «must I?» — because no law requires it — but «is it worth it as a governance infrastructure?». ISO/IEC 42001:2023 is a voluntary standard: adopting it is a choice made by the organisation, not a legal obligation. And yet, for a business that has to reckon with the AI Act, it can be the most efficient way to arrive ready. With one condition, which we clarify straight away: doing 42001 does not equal being compliant with the AI Act. It is a bridge, not a shortcut.
What ISO 42001 really is
ISO/IEC 42001:2023 is the world's first international standard dedicated to an AI Management System (AIMS). It was published jointly by ISO and IEC, through the technical committee JTC 1/SC 42, during 2023.
The keyword is management. The standard does not go into the technical merits of the individual algorithm: it specifies the requirements to establish, implement, maintain and continually improve the organisational governance of AI — policies, roles, risk and impact assessment, operational controls, human oversight, improvement. It adopts the Harmonized Structure (Annex SL), the same high-level backbone as standards like ISO/IEC 27001 (information security) and ISO 9001 (quality), built on the PDCA — Plan, Do, Check, Act cycle.
This detail, seemingly technical, is in fact the first practical argument: an organisation that already has an ISO management system reuses its structure, audits and documentation culture, drastically reducing the marginal cost of adopting the AIMS.
Why it is a «bridge» to the AI Act
The AI Act requires providers and deployers to have a series of organisational safeguards: risk management, documentation, human oversight, clear roles and responsibilities, a register of AI systems. Here is the point: ISO 42001 builds exactly that backbone. An organisation that implements a conforming AIMS equips itself with the internal governance that the European Regulation demands in any case, and structures it in an orderly, verifiable way.
Hence its role as a readiness framework: 42001 does not in itself confer AI Act conformity — no technical standard can replace a legal obligation — but it facilitates the demonstration of conformity, because it produces the evidence (policies, assessments, logs, audits) that an authority or a client might request. It is the difference between «claiming to be in compliance» and «being able to show it».
Certification: optional, and with a warning
Here a distinction must be drawn that protects the business owner. ISO 42001 is certifiable by a third party, but certification is optional: you can adopt the standard as an internal framework without getting certified. Certification has value when a reputational and commercial asset is needed — signalling to clients and partners a structured AI governance.
The warning concerns who issues the certificate. ISO/IEC 42001 certification can be issued exclusively by an accredited certification body, not by a consultant. Be wary of anyone who promises «ISO 42001 certification» as a consultancy service: they are confusing — in the best case — two roles that must remain separate.
A note of transparency: the full text of ISO/IEC 42001 is protected by copyright and is available only for a fee. Some detailed data about the standard (number of pages, national UNI/CEI adoption, specific accreditation schemes) cannot be verified free of charge from a primary source: on these we keep a verification flag and do not reproduce them as settled fact. The core — the 2023 edition, first AIMS standard, Annex SL structure, voluntary and certifiable nature — is, on the other hand, confirmed by the official ISO catalogue.
The NomotecnIA reading for an SME
Our operational path, for those weighing up 42001, is gradual:
- Define the perimeter (scope): which AI systems and processes fall within the AIMS.
- Policy and roles: adopt an AI policy and assign clear responsibilities.
- Risk and impact assessment: map risks and impacts, with documented mitigation measures.
- Controls and human oversight: safeguard the systems with controls, logs and supervision.
- PDCA cycle: internal audits, management review, documented continual improvement.
- (Optional) Certification: if attestation is needed, turn to an accredited body.
NomotecnIA can support readiness towards ISO/IEC 42001 — gap analysis, documentation framework, audit preparation. But we are not a certification body and we do not issue certification: that is issued only by an independent accredited body. Our craft is to bring you to the bridge in good order, and to cross it with you.
Informative and editorial content. It does not constitute legal or technical advice, nor an attestation of conformity. NomotecnIA is not a notified body nor a certification body. For every assessment the official source cited in the linked briefings prevails.