ISO/IEC 42001: the international standard for AI management systems
ISO/IEC 42001:2023 is the first certifiable AIMS standard. Who needs certification, what it costs, and how the Annex A controls are selected and applied.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What is ISO/IEC 42001?
ISO/IEC 42001:2023 is the international standard for an "Artificial Intelligence Management System" (AIMS). It was jointly published by ISO and IEC in December 2023 and is the first certifiable management-system standard written specifically for the development, provision and use of AI systems. Structurally, 42001 follows the harmonised ISO management-system layout (ten clauses plus annexes) familiar from ISO 9001 (quality), ISO 27001 (information security) and ISO 14001 (environment). If you already operate one of these systems under certification, you know the framework.
The ten clauses implement the classic Plan-Do-Check-Act cycle: context of the organisation (4), leadership (5), planning including risk assessment (6), support (7), operation (8), performance evaluation (9), improvement (10). The AI-specific substance sits in Annex A: 38 controls across nine areas (AI policies, internal organisation, resources for AI systems, AI-system impact assessment, AI-system life cycle, data for AI systems, information for interested parties, AI use, and third-party and customer relationships). As in ISO 27001, Annex A is applied through a Statement of Applicability: every control is either implemented or excluded with a documented justification, so there is no fixed "mandatory" subset; the risk assessment decides.
As of May 2026, 42001 is established as the de-facto governance standard. Microsoft, AWS, SAP, Google have obtained 42001 certifications for their AI services or are in audit. On the European side, EN ISO/IEC 42001:2026 is in preparation as a harmonised standard – it is expected to be recognised as a presumption of conformity for obligations under the EU AI Act, in particular for high-risk systems under Annex III.
Why it is relevant
Three drivers make 42001 economically relevant for Swiss providers and users in 2026.
B2B requirements: Large clients – banks, insurers, corporations – increasingly require an "AI Trust Mark" in tenders. ISO 27001 is the standard requirement for information security; 42001 is becoming the analogous standard requirement for AI tools. An SME AI service provider without 42001 loses points in pre-qualification against certified competitors.
EU AI Act compliance: High-risk AI systems under Annex III of the EU AI Act (Art. 6 and 7) must, from 2 August 2026, present a risk-management system, data-quality measures, technical documentation and post-market monitoring. A 42001-certified AIMS covers a large part of these obligations. The presumption of conformity under Art. 40 of the AI Act only attaches once the harmonised EN ISO/IEC 42001:2026 has been adopted and its reference published in the Official Journal of the EU; from then on, certified systems can rely on it and the direct evidence effort drops.
Insurability: Cyber and professional-liability insurers are starting in 2026 to insert AI-specific exclusion clauses. AIG, Zurich and Helvetia are offering AI modules from Q2 2026 whose premium reductions are tied to a certified 42001 AIMS. For a Swiss SME selling AI tools to third parties or operating them in-house for clients, the insurance question is a direct cost argument in 2026.
How a 42001 certification proceeds
The certification path consists of four phases.
Phase 1 – Gap analysis (1 to 2 months): A baseline assessment of existing processes, policies and technical controls against 42001 requirements. If you already run ISO 27001 under certification, you can reuse about 40 percent of the requirements – control domains for information security, supplier management, and awareness overlap.
Phase 2 – Building the AIMS (3 to 6 months): The missing Annex A controls are developed. Typical deliverables: AI policy with scope, AI inventory with risk classification, AI impact-assessment template (comparable to a DPIA but with AI-specific questions on bias, explainability, data lineage), data-quality process, logging and monitoring concept for AI outputs, supplier-assessment schema for AI providers, incident-response playbooks for AI incidents, staff training plan.
Phase 3 – Internal audit and management review (1 month): As with every ISO management-system standard, 42001 requires an internal audit and a management review before the external audit. These steps are not form-filling: they make top management accountable, since the management board must demonstrably own the AI policy, objectives and risk decisions.
Phase 4 – External audit (Stage 1 + Stage 2, 1 to 2 months): An accredited certification body first reviews the documentation (Stage 1), then tests operational practice by sampling (Stage 2). In Switzerland the Swiss Accreditation Service SAS accredits certification bodies; internationally recognised bodies include BSI (UK), Schellman (US), DNV (NO), TÜV SÜD (DE) and KPMG. The certificate is valid for three years, with annual surveillance audits.
ISO 42001 certification in 7 steps
- 01 Strategic decision: define scope (which AI systems, which organisational units) and target certificate.
- 02 Gap analysis: review existing processes (ISO 27001 ISMS, FADP compliance) against 42001 clauses 4 to 10 and Annex A.
- 03 AIMS documentation: produce AI policy, risk-management procedure, AI inventory, AI-impact-assessment templates and Statement of Applicability.
- 04 Implement Annex A controls: 38 controls from 9 domains, prioritised by the risk analysis.
- 05 Internal audit: an internal or external auditor reviews AIMS documentation and the effectiveness of controls.
- 06 Management review: the board documents its responsibility, approves corrective actions and releases the organisation for the external audit.
- 07 External audit (Stage 1 + Stage 2): an accredited certification body reviews documentation and practice; on success a 3-year certificate is issued.
When certification pays off
Sensible for three profiles:
AI provider with B2B business: Anyone selling AI-supported products or services to banks, insurers, corporations or the public sector faces, from 2026, the explicit RFP requirement "ISO 42001 certified or in audit" in many tenders. Without it you fail the filter.
High-risk AIA deployer: Anyone operating a high-risk AI system under the EU AI Act (e.g. AI-assisted credit decisions, applicant screening, biometric identification, critical infrastructure) can halve the conformity-evidence work with 42001.
Multi-tenant service provider: AI boutiques, MSPs and consulting houses that run AI tools for several clients (typically: a fiduciary-specific LLM stack for 30 customers) gain trust and simplified processor vetting. Clients no longer need to audit the provider individually; the certificate serves as evidence, provided its scope statement actually covers the service the client is buying, so check the scope on the certificate before accepting it.
When certification does not pay off
Not sensible for pure consumer cases or small internal tools. Anyone using ChatGPT Enterprise to polish internal emails does not need 42001. Anyone running an internal AI tool with no third-party effect (an internal knowledge base via RAG) can address the material risks with a lean AI policy and an AI inventory, without sinking 50 to 150 consulting days into certification.
Also not sensible for very small providers (1 to 5 staff) whose customer base is not certification-driven. A fiduciary practice with five clients whose AI tool stays internal needs practical compliance – not certification. A 42001-template AI policy suffices, without a formal certification obligation.
Uneconomic if ISO 27001 is missing: 42001 builds conceptually heavily on 27001. Anyone without either should typically certify 27001 first (market standard, broadest insurance benefit) and add 42001 on top. Both in parallel within 12 months is feasible but costly.
Trade-offs
STRENGTHS
- Internationally recognised standard, closes RFP filter gaps
- Presumption of conformity under the EU AI Act expected (harmonised EN version 2026)
- Insurance premium advantages for cyber and liability policies
- Structured risk assessment systematically covers hallucinations, bias, data lineage
WEAKNESSES
- Initial certification costs CHF 65,000 to 210,000 including consulting
- Effort 6 to 12 months; unrealistic without top-management commitment
- Annual surveillance audits tie up 2 to 5 staff-days per year
- Oversized for small internal tools; ROI clear only with B2B focus
FAQ
What does an ISO 42001 certification in Switzerland cost?
External audit (Stage 1 + Stage 2) by an accredited body: CHF 25,000 to 60,000 for an SME, depending on complexity and number of sites. Internal preparation (consulting, documentation, training): typically CHF 40,000 to 150,000. Annual surveillance audits: CHF 8,000 to 18,000. Recertification after 3 years: about 70 percent of the initial audit cost. SMEs with an existing ISO 27001 certification save 30 to 50 percent.
How long does certification take?
Initial certification: 6 to 12 months from project start, depending on maturity. Starting from scratch, plan 12 months. With ISO 27001 in place, 42001 is achievable in 6 to 9 months. The certificate is valid for three years, with annual surveillance audits (2 to 5 days of review each).
Is the certificate also valid in the EU?
Yes. ISO/IEC 42001:2023 is an international standard, and a certificate issued under SAS accreditation is accepted in the EU through the mutual recognition arrangements between accreditation bodies (EA and IAF). The harmonised European version EN ISO/IEC 42001:2026 is in preparation; once its reference is published in the Official Journal of the EU it is expected to provide a presumption of conformity for EU AI Act obligations, in particular for high-risk systems under Annex III. Until then a 42001 certificate is strong supporting evidence but does not by itself replace the conformity assessment. Anyone certifying early has a lead over competitors who only start once the harmonised standard applies.
Is ISO 27001 enough instead of 42001?
No. ISO 27001 covers information security (confidentiality, integrity, availability) but not AI-specific risks such as bias, lack of explainability, data lineage, output hallucinations or model drift. 42001 is the AI extension of the classical ISO management system. The two complement each other; neither replaces the other. Anyone already holding 27001 reaches 42001 with 30 to 50 percent additional effort.
Sources
- ISO/IEC 42001:2023 – AI management systems (iso.org) · 2023-12
- ISO 42001 explained – What it is and how it works (iso.org) · 2026-02
- EN ISO/IEC 42001:2026 – European harmonised version (CEN-CENELEC catalogue) · 2026-04
- KPMG Switzerland – ISO/IEC 42001: AI Management System for Governance · 2026-03
- Schweizerische Akkreditierungsstelle SAS – Akkreditierte Stellen · 2026-04