ISO 42001, published in December 2023, is the first international standard for AI management systems. It is increasingly referenced in regulatory frameworks and procurement requirements, yet most organisations operating AI systems do not yet understand what it actually requires.
ISO 42001 establishes requirements for an Artificial Intelligence Management System - a structured framework through which an organisation manages the development, provision, and use of AI systems responsibly. It follows the Annex SL high-level structure common to ISO 27001, ISO 9001, and ISO 14001, which means organisations already operating those management systems will find the structure familiar, though the content is specific to AI.
The standard applies to organisations that develop AI systems, that deploy AI systems developed by others, or that provide AI-related products or services. In the critical national infrastructure (CNI) context, this covers a very wide range of organisations - from AI system developers to CNI operators who have integrated AI into their operational processes.
The core requirements centre on four areas.
First, context and risk. The organisation must understand the context in which it develops or uses AI - the intended purposes, the affected parties, the regulatory environment, and the risks. For AI used in CNI contexts, this analysis will identify sector-specific risks that require sector-specific controls.
Second, AI policy and objectives. The organisation must establish explicit policies for responsible AI use, including commitments to human oversight, transparency, and fairness. These policies must be implemented operationally - not merely stated as principles.
Third, AI impact assessment. This is one of the most substantive requirements. For each AI system in scope, the organisation must conduct an impact assessment that analyses the potential consequences - positive and negative - of the system's deployment. In high-risk CNI contexts, this assessment will be detailed and its documentation will be subject to regulatory inspection.
Fourth, controls and operational management. The standard includes a substantial set of controls - Annex A - that organisations can apply based on their specific AI context. These include controls for data quality and provenance, for human oversight mechanisms, for AI system transparency and explainability, for bias detection and monitoring, and for incident response when AI systems behave unexpectedly.
Certification to ISO 42001 requires an independent audit by an accredited certification body. The audit assesses whether the management system is documented, implemented, and maintained in accordance with the standard's requirements. It is not an assessment of whether the AI systems themselves perform as intended - that is a different question. It is an assessment of whether the governance framework for those systems is adequate.
For CNI operators and their supply chains, the practical starting point is a gap assessment: mapping current practices against the standard's requirements, identifying where gaps exist, and prioritising the actions required to close them. The gap assessment is the foundation of the implementation plan - and, eventually, the certification audit.
DIRECT™ Intelligence - CNI Insight Feed - © 2026