A quiet but significant shift is happening in enterprise procurement. Across financial services, pharmaceuticals, technology, and professional services, large organisations are adding a new requirement to their vendor onboarding questionnaires: ISO/IEC 42001 certification, or a documented roadmap toward it.
If your organisation supplies services to large corporates and you use AI in any part of your delivery — and almost every professional services firm does — this standard is about to become a commercial necessity, not just a compliance nicety.
What Is ISO 42001?
ISO/IEC 42001:2023 is the international standard for Artificial Intelligence Management Systems (AIMS). Published in December 2023, it provides a structured framework for organisations to govern AI responsibly — covering risk assessment, policy development, data governance, human oversight, and continual improvement.
Think of it as ISO 27001 for AI. Just as information security certification became a procurement requirement over the past decade, AI governance certification is following the same path — but faster.
The standard follows the ISO harmonised structure (Annex SL) used by other management system standards, so its clauses on context, leadership, planning, support, operation, performance evaluation and improvement line up with those of ISO 27001 and ISO 9001. Organisations already holding one of those certifications can reuse existing management system infrastructure (document control, internal audit, management review, corrective action and risk treatment processes) and can achieve ISO 42001 certification up to 40% faster as a result.
Why Are Large Organisations Requiring It?
The driver is threefold: regulatory pressure, board-level risk appetite, and reputational protection.
On the regulatory side, the EU AI Act requires providers of high-risk AI systems to operate a risk management system, maintain technical documentation, and build in human oversight mechanisms, all of which map closely onto ISO 42001 requirements. Organisations that have implemented ISO 42001 are significantly better positioned to demonstrate EU AI Act compliance. One caveat practitioners should keep in view: ISO 42001 is not a harmonised standard under the AI Act, so holding a certificate does not by itself create a presumption of conformity; it provides the governance evidence behind a compliance claim rather than the claim itself.
On the risk side, corporate boards are increasingly aware that AI failures, whether biased outputs, data breaches or hallucinated advice, carry both financial and reputational consequences. Requiring vendors to hold ISO 42001 certification gives the buyer independent evidence that the supplier governs those risks, and a defensible record if something goes wrong. Note that the certificate evidences governance; the actual allocation of liability still sits in the contract, which is why the certification requirement usually appears alongside AI-specific contractual clauses.
On the reputational side, organisations want to be able to say that their entire supply chain — not just their internal operations — meets a recognised AI governance standard. ISO 42001 provides that assurance.
In July 2024, SDAIA, Saudi Arabia's data and AI authority, announced that it had become the first government body in the world to achieve ISO 42001 certification, a signal that the standard is likely to become a Middle East procurement requirement. In January 2026, NQA achieved UKAS accreditation for ISO 42001 certification in the UK, meaning independent certification under the UK's national accreditation body is now available to UK businesses.
What Does ISO 42001 Actually Require?
The standard requires organisations to establish, implement, maintain, and continually improve an AI Management System. The key elements are:
An AI policy — a board-approved statement of the organisation’s approach to AI governance, ethical principles, and risk appetite.
An AI risk assessment process and an AI system impact assessment. The risk assessment is a structured methodology for identifying, assessing and treating risks to the organisation from its AI systems; the impact assessment, which the standard treats as a distinct activity, looks outward at the consequences of those systems for individuals and groups affected by their outputs and for society more broadly.
An AI system inventory — a documented register of all AI systems in use, including their purpose, data inputs, outputs, and risk classification.
Controls for high-risk AI systems — enhanced oversight, testing, and documentation requirements for AI systems whose outputs could significantly affect individuals.
Human oversight mechanisms — defined processes for human review of AI outputs in high-risk scenarios.
Supplier and third-party AI governance — requirements for how the organisation manages AI risks introduced by third-party AI tools and platforms.
Competence and training — evidence that staff using or managing AI systems have appropriate knowledge and skills.
The standard does not prescribe specific technical controls. Annex A lists reference controls (covering AI policy, internal organisation and roles, resources for AI systems, impact assessment, the AI system life cycle, data for AI systems, information for interested parties, use of AI systems and third-party relationships), but the organisation decides which apply to its own AI risk profile, records that decision in a Statement of Applicability, and justifies any exclusions, in the same way as under ISO 27001. The expectation is proportionate governance measures, which makes the standard adaptable to organisations of all sizes.
What Does the Certification Process Look Like?
Certification to ISO 42001 is carried out by an accredited certification body — in the UK, NQA is UKAS-accredited to certify organisations against the standard.
The process typically involves three stages. The first is a gap assessment, comparing your current AI governance practices against ISO 42001 requirements to identify what needs to be built or documented. The second is implementation, building the required policies, procedures, risk and impact assessments, Statement of Applicability and controls, and running at least one internal audit and management review so there is evidence the system operates, not just that it is written down. The third is the certification audit by the certification body, which itself runs in two parts: a Stage 1 review of documentation and readiness, followed by a Stage 2 audit of the system in operation. A successful audit results in a certificate valid for three years, with annual surveillance audits and a recertification audit at the end of the cycle.
For organisations starting from scratch, the implementation timeline is typically four to eight months depending on the complexity of AI use and the size of the organisation. For ISO 27001-certified organisations, the timeline can be as short as two to three months.
What Should UK Businesses Do Now?
The first step for any organisation considering ISO 42001 is a readiness assessment — an honest appraisal of where you currently stand against the standard’s requirements. This tells you what you have, what you need, and how long implementation will realistically take.
The second step is building your AI system inventory. You cannot govern what you have not catalogued. Most organisations are surprised by how many AI tools are in active use across their business, from obvious deployments like AI customer service agents to less visible uses like AI-assisted email filtering, AI recruitment screening tools, and AI-powered analytics platforms. Include AI features embedded in SaaS products you already licence and generative AI tools that staff have adopted without central approval; for each entry record the purpose, the data it receives, the outputs it produces, who owns it, and whether its outputs affect individuals, since that last point drives the risk classification.
The third step is assigning governance ownership. ISO 42001 requires clear accountability for AI governance at a senior level. Organisations need to designate an AI governance lead — whether that is the DPO, CISO, COO, or a dedicated AI governance role — before implementation can begin in earnest.
How Wishory Can Help
Wishory’s ISO 42001 Readiness Self-Assessment (£197) gives you a structured 47-point assessment against the standard’s requirements, a maturity scoring matrix across six governance domains, and a prioritised implementation roadmap. It is the fastest way to understand your current position and plan your path to certification.
If you would like a senior practitioner to lead your ISO 42001 implementation programme, book a free 30-minute AI Compliance Review. We work with UK businesses from initial readiness assessment through to certification audit preparation.
