Two years ago, “how do you govern your AI?” was a question nobody in your sales cycle asked. In 2026 it is on procurement questionnaires, in vendor security reviews, and increasingly in regulatory expectations. For Indian companies shipping AI features — SaaS platforms, fintech credit models, healthtech triage tools, enterprise copilots — the problem is no longer building AI. It is proving you build and run it responsibly.
ISO/IEC 42001 is the standard that lets you prove it with an independent audit instead of a slide deck. This guide explains what the standard actually is, who needs it, how the certification process works, what it costs you in effort, and how it lines up with India’s DPDP Act and the obligations your global customers are already passing down to you.
What ISO/IEC 42001 is — and what an AIMS means
ISO/IEC 42001:2023, published in December 2023, is the world’s first international management system standard for artificial intelligence. The acronym you will see everywhere is AIMS — an AI Management System. It is the AI equivalent of what ISO 27001 is for information security: not a checklist of technical fixes, but a governed, documented, repeatable way of running AI across its lifecycle, with management accountability baked in.
The critical word is certifiable. Like ISO 27001, a third-party accredited certification body can audit your organisation and issue a certificate that customers, regulators, and partners recognise. That is what separates 42001 from advisory frameworks — it produces independent assurance, not a self-attestation.
It exists because AI introduces risks that conventional security and quality standards never anticipated: biased or discriminatory outputs, opaque “black-box” decisions, training-data quality and provenance problems, model drift over a system’s life, and real-world impact on the people a model is used on. ISO 42001 forces you to identify, assess, and manage those AI-specific risks deliberately rather than hoping they do not surface in production.
Who actually needs ISO 42001
You are a candidate if any of these describe you:
- AI developers — you train, fine-tune, or build models and AI-enabled products. The standard applies whether you build models from scratch or wrap third-party foundation models into a product.
- AI deployers — you do not build models but you operationalise them inside your business (an AI underwriting tool, a support chatbot handling customer data, an HR screening system). You own the outcomes, so you own the governance.
- Companies whose customers now demand AI assurance — this is the fastest-growing driver in India. Enterprise and global buyers are adding AI-governance clauses to vendor questionnaires. A certificate answers them once, credibly, instead of you fielding bespoke questionnaires for every deal.
- Anyone touching the EU AI Act — if you serve EU customers or users, the Act’s phased obligations through 2026 raise the bar on documentation, risk management, and transparency. A conformant AIMS is a strong foundation for meeting them.
If you are still deciding which framework fits — 42001 versus the NIST AI Risk Management Framework versus the EU AI Act itself — those serve different purposes, and we cover the trade-offs in our separate AI governance framework comparison. The short version: NIST AI RMF and the EU AI Act are voluntary guidance and binding law respectively; ISO 42001 is the certifiable management system that helps you operationalise both.
How the standard is structured
ISO 42001 uses the same Harmonized Structure (formerly Annex SL) as ISO 27001 and ISO 9001, built around the Plan-Do-Check-Act cycle. That is deliberate — it means the standard slots cleanly alongside management systems you may already run. The core requirements live in clauses 4 through 10:
- Context & leadership — define the scope of your AIMS, understand stakeholders, and secure genuine top-management commitment and an AI policy.
- Planning — this is where the AI-specific work concentrates: AI risk assessment, risk treatment, and an AI impact assessment for the systems in scope (covering fairness and bias, transparency, human oversight, and safety/reliability).
- Support & operation — resources, competence, data management, and lifecycle controls for designing, developing, deploying, and monitoring AI systems.
- Performance evaluation & improvement — monitoring, internal audit, management review, and corrective action.
Alongside the clauses sits Annex A — a set of roughly three dozen AI-specific controls organised into around nine control areas, spanning AI policy, internal roles, resources, impact assessment, the AI system lifecycle, data, information provided to interested parties, responsible use, and third-party relationships. (Annex B gives implementation guidance, and Annex C maps AI objectives and risk sources.) You select and justify which controls apply to your context, much as you produce a Statement of Applicability under ISO 27001.
The certification journey, step by step
Certification is awarded by an accredited certification body after a structured, two-stage external audit. Here is the realistic path from zero to certificate:
| Step | What happens | Indicative effort |
|---|---|---|
| 1. Gap assessment | Measure your current AI practices against the standard. Identify what is missing in governance, documentation, and controls. | 2–4 weeks |
| 2. Build the AIMS | Write the AI policy, run risk and impact assessments, select Annex A controls, document the lifecycle, assign roles. The heavy lift. | 2–5 months |
| 3. Operate & collect evidence | Run the system long enough to generate records the auditor can examine (the AIMS must work in practice, not just on paper). | 1–3 months |
| 4. Internal audit & management review | Audit yourself, close findings, and hold a formal management review. Both are clause requirements that must be completed before the external audit. | 2–4 weeks |
| 5. Stage 1 audit | The certification body reviews your AIMS design, documentation, scope, and readiness. | Days, on-site/remote |
| 6. Stage 2 audit | The auditor tests how the AIMS works in practice — interviews, evidence, and lifecycle review. Certificate issued on a pass. | Days, on-site/remote |
| 7. Surveillance & recertification | Annual surveillance audits keep the certificate live; full recertification at the end of the three-year cycle. | Ongoing |
For a mid-sized Indian company starting from scratch, expect roughly 6 to 12 months end to end. The dominant variables are your AI maturity, how many systems are in scope, and — critically — whether you already run a mature management system.
How it relates to ISO 27001 (and why that matters)
This is the single biggest accelerator. Because 42001 shares the Harmonized Structure with ISO 27001, the management-system machinery — context, leadership, internal audit, management review, corrective action, document control — is common. Organisations already certified to ISO 27001 can reuse a large share of that existing system and integrate the AIMS into their ISMS rather than building a parallel one. In practice that can cut implementation to the 4 to 6 month range.
If you are not yet certified to 27001 and you handle meaningful volumes of data, it is usually worth doing 27001 first or in parallel — our ISO 27001:2022 implementation guide for Indian startups walks through that build, and it lays the foundation the AIMS bolts onto.
How it maps to India’s DPDP Act and AI governance
ISO 42001 is not a substitute for legal compliance, but it is a powerful enabler of it. The Digital Personal Data Protection Act 2023, with its Rules notified on 13 November 2025, requires full compliance by 13 May 2027 and carries penalties up to ₹250 crore. Any AI system that processes personal data — and most do — falls squarely under DPDP.
An AIMS gives you the governance scaffolding the DPDP regime assumes you have: documented data management, impact assessments, accountability, and lifecycle oversight. The AI impact assessment that 42001 mandates dovetails with the data-protection thinking DPDP demands. India has also been moving on broader AI governance, with deepfake-labelling expectations and guidance on how DPDP applies to AI systems, so a defensible, audited governance system positions you ahead of whatever lands next. Start your data-protection groundwork at our DPDP compliance hub, and see how the pieces fit together across our India compliance hub.
A practical readiness checklist
Before you call a certification body, get these in place:
- Inventory your AI systems. You cannot govern what you have not listed. Capture every model and AI-enabled feature, what data it uses, and what decisions it influences.
- Define the AIMS scope. Decide which systems, teams, and locations the certificate covers — narrow and defensible beats broad and vague.
- Secure leadership sponsorship. The standard requires top-management commitment; a project without an executive owner stalls at the management-review stage.
- Run a gap assessment. Honestly compare today’s practice to the clauses and Annex A controls.
- Stand up AI risk and impact assessments. Make fairness, transparency, human oversight, and safety explicit and documented.
- Fix data governance. Provenance, quality, and lifecycle controls for training and operational data are where audits dig.
- Test your security posture. Models and the systems around them are attack surface; independent VAPT (vulnerability assessment and penetration testing) provides the evidence for the technical controls your AIMS claims.
- Choose an accredited certification body. Accreditation is what makes the certificate worth anything; verify it before you sign.
On cost: budget for two distinct things — the internal build effort (people-time, the largest line), and the external audit and surveillance fees charged by the certification body. Both scale with scope and complexity, so a tight, well-defined scope is the most effective cost control you have.
Frequently Asked Questions
Is ISO 42001 mandatory in India?
No. ISO 42001 is a voluntary international standard, not Indian law. But it is rapidly becoming a de facto market requirement as enterprise and global customers demand AI assurance, and it strengthens your position under binding obligations like the DPDP Act and the EU AI Act.
How long does ISO 42001 certification take?
Typically 6 to 12 months from a standing start for a mid-sized organisation. If you already hold ISO 27001, you can often fast-track to 4 to 6 months because the underlying management system and much of the documentation carry over.
Do I need ISO 27001 before ISO 42001?
Not strictly — 42001 can be implemented on its own. But because the two share the same Harmonized Structure, having 27001 in place dramatically reduces the 42001 effort, and most data-handling AI companies benefit from both. Many organisations pursue them together.
How long is the certificate valid?
An ISO 42001 certificate runs on a three-year cycle, kept alive by annual surveillance audits, with a full recertification audit at the end of the cycle — the same rhythm as ISO 27001.
Getting AI governance audit-ready is a build project, not a document exercise — and it pays off fastest when it is scoped tightly and integrated with the security and compliance systems you already run. If you want help mapping ISO 42001 to your AI stack, your DPDP obligations, and your existing ISO 27001 footprint, talk to RingSafe and we will help you plan a realistic path to certification.