What Is ISO/IEC 42001 and Why Does It Matter Right Now?


ISO/IEC 42001 is the international standard for Artificial Intelligence Management Systems (AIMS), published by ISO in December 2023. It gives organisations a structured framework to develop, implement, and continually improve the responsible governance of AI, and in 2026 it is one of the fastest-growing compliance credentials in regulated industries across Europe.

If you work in information security, compliance, or AI, or if your organisation is developing or using AI systems, there is an international standard you need to know about.

The EU AI Act Changed Everything

The EU Artificial Intelligence Act entered into force in August 2024 and is now in active enforcement. It is the world's first comprehensive legal framework for AI, and it applies to any organisation developing or deploying AI systems that operate in the EU, regardless of where that organisation is based.

The Act classifies AI systems by risk level and places compliance obligations on both providers and deployers. High-risk AI systems, used in areas like hiring, credit scoring, biometric identification, and critical infrastructure, must meet governance requirements covering data quality, transparency, human oversight, and risk management. The obligations applying to high-risk systems under Annex III became enforceable from August 2026.

ISO/IEC 42001 is not mandated by the EU AI Act, but it is emerging as the practical framework organisations use to demonstrate they meet those governance requirements. Regulators, auditors, and procurement teams are increasingly looking for organisations that can point to a functioning AI management system. ISO/IEC 42001 provides the structure for building one.

Professionals who can implement that system are in demand. That demand is accelerating.

What Does ISO/IEC 42001 Actually Cover?

The standard follows the same high-level structure as ISO/IEC 27001 for information security and ISO 9001 for quality management, which makes it immediately familiar to compliance professionals who have worked with either.

Its clauses cover:

  • Context of the organisation — understanding internal and external factors affecting AI governance
  • Leadership — senior management commitment to the AI management system
  • Planning — risk assessment, objectives, and AI impact assessment
  • Support — resources, competence, awareness, and communication
  • Operation — operational planning and controls for AI systems
  • Performance evaluation — monitoring, measurement, and internal audit
  • Improvement — handling nonconformities and continually improving the AIMS

The standard also includes annexes addressing AI-specific governance challenges: responsible AI principles, risk and impact assessment, and data management considerations. These reflect the genuinely different oversight issues that AI systems present compared to traditional IT systems: AI outputs can be probabilistic, opaque, or emergent in ways that static controls cannot easily govern.

What Is an AI Management System?

An AI Management System (AIMS) is the governance layer that sits above an organisation's AI tools, products, and processes. It is a defined set of policies, roles, controls, and procedures covering how AI systems are developed, deployed, monitored, and eventually decommissioned.

An AIMS answers questions that regulators, auditors, and customers are increasingly asking: Who is accountable for AI decisions in your organisation? How are AI risks identified and assessed? What happens when an AI system produces an unexpected or harmful output? How do you demonstrate compliance with the EU AI Act and other applicable obligations?

ISO/IEC 42001 gives organisations a recognised, auditable way to build and maintain that governance layer, and gives professionals a verified credential for implementing it.

Who Needs to Know About ISO/IEC 42001?

The most immediate audience is organisations that develop or deploy AI in regulated sectors: financial services, healthcare, critical infrastructure, and public administration. In these sectors, the EU AI Act creates direct compliance obligations, and ISO/IEC 42001 provides a credible path toward meeting them.

But the standard also applies directly to:

  • Information security managers and CISOs whose governance remit is expanding to include AI systems alongside traditional IT
  • Compliance officers and DPOs who need to understand how AI systems interact with data protection law, sector regulations, and procurement requirements
  • Consultants and advisors fielding client questions about AI governance and needing a structured, internationally recognised framework to work from
  • Training and L&D managers responsible for building AI competence across their organisation
  • AI managers and product managers who want to demonstrate that AI development follows recognised international standards

If you work in any of these roles, ISO/IEC 42001 has either already crossed your desk or will shortly.

The Lead Implementer Certification

The PECB Certified ISO/IEC 42001 Lead Implementer credential is the professional qualification for those who need to demonstrate they can plan, build, and manage an AIMS in practice. It is awarded by PECB, the Professional Evaluation and Certification Board, an internationally recognised certification body with accreditations across more than 150 countries.

The programme covers the full implementation lifecycle: understanding the standard's requirements from an implementer's perspective, conducting gap analysis, planning and executing AIMS implementation, preparing for third-party certification audit, and supporting continual improvement.

The exam covers six competency domains aligned directly to the implementation lifecycle, from foundational AIMS concepts through to audit preparation and ongoing improvement.

Upon passing the exam, candidates can progress through four credential levels depending on their professional experience and documented project hours: Provisional Implementer, Implementer, Lead Implementer, and Senior Lead Implementer.

The credential is internationally recognised, independently verifiable, and is increasingly appearing in job specifications for senior roles in AI governance, compliance, and information security.

How Fortify Institute Delivers This Programme

At Fortify Institute, an accredited PECB training partner in Ireland, we deliver the ISO/IEC 42001 Lead Implementer programme as a blended course designed around working professionals.

Enrolment gives you immediate access to PECB's full eLearning content, over 400 pages of materials, exercises, and quizzes, which you work through at your own pace. This is combined with four live Friday lunchtime support sessions, where we work directly with participants on course content, study strategy, and exam preparation.

The certification exam is included. So is a free retake if needed.

The next cohort starts 3 July 2026. Most participants complete the programme and sit the exam within four to six weeks.


If you'd like to discuss whether this programme is right for your role or organisation, contact me directly at [email protected].


Frequently Asked Questions

Is ISO/IEC 42001 mandatory under the EU AI Act?

ISO/IEC 42001 is not explicitly mandated by the EU AI Act, but it is widely recognised as a practical framework for meeting the Act's governance requirements. Organisations subject to high-risk AI system obligations under the Act, particularly in regulated sectors, are increasingly using ISO/IEC 42001 as a structured, auditable route to demonstrating compliance.

What is the difference between ISO/IEC 42001 and ISO/IEC 27001?

ISO/IEC 27001 covers information security management systems and addresses the governance of data and IT systems. ISO/IEC 42001 is specifically designed for AI management systems and addresses the unique challenges of governing AI, including algorithmic transparency, AI impact assessment, responsible use principles, and the lifecycle governance of AI models. The two standards share the same high-level structure, which means organisations that already hold ISO/IEC 27001 certification will find the implementation approach familiar.

Who is the PECB ISO/IEC 42001 Lead Implementer certification for?

It is designed for professionals who are responsible for planning, implementing, or managing an AI management system within an organisation. This includes compliance officers, information security managers, AI product managers, consultants advising on AI governance, and members of AIMS implementation teams. It is appropriate for both those new to ISO/IEC 42001 and experienced practitioners looking for a recognised credential.

How long does it take to complete the Lead Implementer programme?

Fortify Institute's blended programme combines self-paced PECB eLearning with four live support sessions. Most participants complete the course content and sit the certification exam within four to six weeks of enrolment. The exam is included in the programme fee, along with one free retake.

What level of experience do I need before starting?

The main prerequisite is a general familiarity with AI management concepts and ISO/IEC 42001. Compliance or information security professionals with ISO/IEC 27001 or ISO 9001 experience will find the high-level structure familiar. The Fortify Institute programme includes structured support sessions to ensure participants are well-prepared regardless of their starting point.

Is the PECB ISO/IEC 42001 Lead Implementer credential internationally recognised?

Yes. PECB, the Professional Evaluation and Certification Board, is an internationally accredited certification body. The Lead Implementer credential is verifiable, portable across jurisdictions, and is increasingly referenced in job specifications for senior AI governance and compliance roles across Europe and beyond.

Jan Carroll is the founder of Fortify Institute, an accredited PECB training partner specialising in cybersecurity, information security, and AI governance education for professionals and organisations in Ireland. Jan holds advanced certifications in information security and AI governance and has worked with organisations across regulated sectors on skills needs and training needs analysis.