ISO/IEC 42001: Artificial intelligence management system
Published in December 2023, ISO/IEC 42001 defines requirements for an artificial intelligence management system (AIMS). It addresses organizations that develop, integrate or use AI systems, including SMBs deploying tools like ChatGPT, Claude or Gemini without building their own models.
What is ISO 42001?
ISO/IEC 42001 is structured like other ISO management standards (27001, 9001, 22301): it requires a Plan-Do-Check-Act cycle, a risk-based approach and a controls annex (Annex A) that the organization adapts to its context.
Annex A contains 38 controls grouped into nine objectives (A.2 to A.10), covering governance, policies, resources, AI lifecycle, data, use, third parties and monitoring.
Three roles in the AI value chain
The standard distinguishes the AI provider (model creator), the AI integrator (application developer on top of a model) and the AI user (organization using a turnkey tool).
All three roles are in scope, but not with the same intensity. An SMB that allows employees to use ChatGPT for writing is an AI user and must implement governance suited to that profile, without applying every control reserved for model developers.
Why care in Quebec?
As soon as an employee uses an AI tool to process client data, personal information or trade secrets, the organization enters the scope of structured AI governance.
ISO 42001 offers a recognized framework to demonstrate responsible AI use: useful in RFPs, supplier due diligence and alignment with complementary frameworks like ISO 27001 or ISO 27701.
Certification and implementation
Like ISO 27001, ISO 42001 certification is issued by an accredited certification body after an external audit of the AIMS.
For a pure user SMB (no model development or training), the program can remain realistic: acceptable use policy, designated owner, employee training, supplier contract management and periodic review.