> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ayliea.com/llms.txt
> Use this file to discover all available pages before exploring further.

# ISO/IEC 42001

> The international AI management system standard — governance, risk, lifecycle, and operations for organizations deploying AI responsibly.

# ISO/IEC 42001 — AI Management System

ISO/IEC 42001:2023 is the world's first international standard for an **AI Management System (AIMS)**. It applies the same management-system pattern used by ISO 27001 (information security) and ISO 9001 (quality) to AI: a documented, audited, continuously-improving system that governs how an organization designs, deploys, and operates AI.

ISO 42001 is the natural certification path for organizations that need a formal, third-party-auditable AI governance program — regulated industries, EU AI Act high-risk system providers, and enterprises whose customers require AI-program attestation.

<Note>
  ISO 42001 certification requires a registered certification body audit. Ayliea's assessment maps your current state to the standard's clauses + Annex A controls, identifies gaps, and produces evidence you can carry into the certification audit.
</Note>

## What this framework covers

The assessment is organized around the standard's six management-system clauses plus Annex A controls. Each clause maps to one or more sub-clauses with structured questions.

<AccordionGroup>
  <Accordion title="MS-1 — Context & Leadership">
    Understanding the organization and its context, interested parties, AIMS scope, top-management leadership, the AI policy, and assigned roles + responsibilities + authorities.
  </Accordion>

  <Accordion title="MS-2 — Planning & Risk Management">
    Risk and opportunity treatment, AI risk assessment processes, AI system impact assessment, AI objectives, and planning of AIMS changes.
  </Accordion>

  <Accordion title="MS-3 — Support">
    Resources, competence, awareness, communication, and documented information requirements for the AIMS.
  </Accordion>

  <Accordion title="MS-4 — Operation">
    Operational planning and control, AI risk assessment and impact assessment in execution.
  </Accordion>

  <Accordion title="MS-5 — Performance Evaluation">
    Monitoring, measurement, analysis, evaluation, internal audit, and management review of the AIMS.
  </Accordion>

  <Accordion title="MS-6 — Improvement">
    Nonconformity, corrective action, and continual improvement of the AIMS.
  </Accordion>

  <Accordion title="Annex A — Controls">
    The controls catalog covering AI policy, internal organization, resources, impact assessment, lifecycle, data, third-party, customer information, and use of AI systems.
  </Accordion>
</AccordionGroup>

## Why this matters for customers

ISO 42001 gives an organization a single, auditable framework to demonstrate "we govern our AI responsibly" — backed by the same management-system rigor that regulated industries already trust for information security (ISO 27001). For customers selling into the EU, financial services, healthcare, or government markets, an ISO 42001 program shortens the procurement-review cycle on every deal.

This assessment surfaces:

* Whether your AI policy, scope, and risk approach are documented at the level a certification audit expects
* Whether AI impact assessments are conducted before high-risk systems go live
* Whether your AIMS has the leadership commitment, resources, and review cadence the standard requires
* Whether your operational controls (Annex A) are implemented and evidenced

## How it relates to other frameworks

ISO 42001 is the management-system layer. For the technical control specifics, pair it with:

* **AI Security (AISS)** — control-level technical depth on AI security
* **NIST AI RMF** — the risk-management lifecycle that ISO 42001's clauses formalize
* **NIST AI 600-1 (GAI Profile)** — generative-AI-specific risk patterns
* **ISO/IEC 27001:2022** — information security management system (sister standard for InfoSec scope)

## Glass-Box scoring

Every score cites the specific ISO 42001 clause and Annex A control behind each question. Auditors and certification bodies can map directly from your answers to the standard text.
