ISO 42001: Frequently Asked Questions

Published: Feb 24, 2025

Danny Manimbo, Principal and ISO & AI Practice Leader at Schellman, answers the most frequently asked questions surrounding ISO 42001 certification.

What is ISO 42001 and who is it for?  

ISO 42001 was first released in December 2023 and is the first international standard focused on promoting trustworthy AI. It is designed for organizations that develop, provide, or use AI in the delivery of their services.

What are the benefits of ISO 42001?  

ISO 42001 certification demonstrates a commitment to responsible AI practices. It allows organizations that adopt the standard to demonstrate their trustworthy and responsible use of AI, and it gives them the opportunity to address AI-specific risks and considerations related to ethics, bias, fairness, safety, and responsible use.

How much does an ISO 42001 audit cost? 

The cost varies based on complexity. However, in year one, the cost of the full system audit (Stage 1 and Stage 2) typically ranges from the $20,000s up to the $40,000s. In years two and three, the surveillance review years, it typically costs between $13,000 and $20,000+ annually.

What ISO standards best complement ISO 42001?

The ISO 42001 standard references three existing ISO management system standards: 

How closely does ISO 27001 align with ISO 42001? 

As ISO 27001 and ISO 42001 are both management system frameworks, they share the same look, format, and structure. Both are structured around clauses 4-10 and have an annex of controls. However, the focus of ISO 27001 is on establishing an ISMS (information security management system), which is specific to information security, whereas ISO 42001 was designed to address everything specific to AI that ISO 27001 does not cover.

Can ISO 42001 be integrated into an existing management system certification?  

ISO 42001 was designed to integrate seamlessly into existing management system certifications. It is meant to be incorporated into an existing security, privacy, or quality program so that AI risk is managed as part of a holistic governance program within the organization. Organizations with ISO 27001, 27701, or 9001 certifications can incorporate AI-specific risk management into their existing governance programs.

What is the certification process for ISO 42001? 

As a management system standard, ISO 42001 certification follows the same process as other commonly known standards like ISO 27001, 9001, or 27701.  

The certification process follows a two-phase approach in year one, where organizations undergo a Stage 1 and a Stage 2 audit. Upon successful completion of Stage 2, organizations are certified for a period of three years. In years two and three, organizations undergo surveillance reviews, which are annual check-ins intended to ensure that the management system continues to operate effectively and in conformance with the requirements of the standard.

Do I need to use an ISO 42001 accredited certification body?  

Using an accredited certification body ensures compliance with ISO 42001 requirements, guarantees a thorough audit by competent professionals, and provides an accredited certification that stakeholders can trust. 

What are some factors to consider when choosing a certification body?  

You want to ensure that the certification body is accredited for ISO 42001. You should also consider any other compliance needs you might have in addition to ISO 42001, such as other ISO management system standards that complement 42001 well. Examples include ISO 27001 for information security, ISO 27701 for privacy, and ISO 9001 for quality, as well as other commonly used compliance frameworks and assessments such as SOC 2, FedRAMP, penetration tests, and HITRUST.

How does ISO 42001 compare to NIST AI RMF? 

NIST AI RMF and ISO 42001, both released in 2023, were the first AI risk management frameworks. However, ISO 42001 has gained greater recognition due to its alignment with the widely adopted ISO name brand. There are clear business values and benefits with ISO 42001 because of the proliferation of ISO certifications in the US, such as ISO 27001 and ISO 27701. Additionally, ISO 42001 certification provides a formal deliverable, which seems to be attracting a lot of interest, whereas NIST AI RMF does not have an internationally accepted deliverable associated with it.

How does SOC 2 relate to ISO 42001? 

While SOC 2 is a framework around security, availability, confidentiality, processing integrity, and privacy, it is not specifically designed to address all of the risks posed by AI. ISO 42001, by contrast, is intended to specifically address the risks that are unique to AI, such as bias, transparency, responsible use, ethics, and safety.

Can I expand my SOC 2 to include AI specific considerations?  

Yes. Organizations have the option to expand their existing SOC 2 reports to include AI-specific frameworks, or any other existing controls framework, using what is called a SOC 2+ approach. These controls are added to Section 4 of the report, which contains the tests of operating effectiveness of controls, and are included within our opinion.

Does ISO 42001 require an AI Pen Test or Red Team Assessment?  

While it is not specifically mandated by the standard, vulnerability assessment should always be incorporated into an effective risk management system to ensure that you have effective controls in place for mitigating any identified vulnerabilities. Additionally, as part of your Annex A control framework, you are required to assess these risks on a continual basis, both prior to deploying AI systems and while they are in deployment.

How has ISO 42001 impacted supply chain considerations and risks?  

Similar to ISO 27001 and 27701, certain industries are starting to incorporate ISO 42001 controls and requirements into vendor security questionnaires. Larger, trend-setting organizations like Microsoft are also updating their SSPA program, which is essentially their vendor due diligence program, to require any vendors using AI in their supply chain to abide by certain requirements.

How does ISO 42001 help organizations comply with emerging regulations?  

With governments introducing AI risk-based regulations, ISO 42001 serves as an effective framework for compliance. It categorizes AI roles as producers, providers, or users, helping organizations align with evolving global regulatory requirements. 

Ready to learn more about ISO 42001? 

Achieving ISO 42001 certification is a significant step towards responsible AI governance. That is why Schellman became the first ANAB-accredited ISO 42001 certification body, and we are here to help. If you have further questions, or you are ready to join other AI-responsible companies like StackAware and Evisort in starting your own ISO 42001 journey with Schellman, contact us today to learn more.

In the meantime, learn more about the ISO 42001 process, including preparation tips and certification requirements, in these helpful resources:

About Danny Manimbo

Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for leading Schellman's AI and ISO practices as well as the development and oversight of Schellman's attestation services. Danny has been with Schellman for 10 years and has over 13 years of experience in providing data security audit and compliance services.