
ISO/IEC 42001 — the first certifiable AI management system.

How Hael runs the substantive controls behind ISO/IEC 42001 — and produces the AIMS records, Annex A control evidence and audit packs a UKAS-accredited certification body actually opens.

Published: Dec 2023
AIMS: AI Management System
Annex A: Control framework
Certifiable: Independent audit

What ISO/IEC 42001 requires

ISO/IEC 42001 is the first international standard for AI management systems, published in December 2023. Unlike NIST AI RMF, which is a voluntary framework with outcome statements, ISO 42001 is a certifiable standard with a defined management system structure (AIMS), Annex A controls and independent third-party audit requirements. A UKAS-accredited certification body audits the organisation against the standard and issues a formal certificate.

The standard structures AI governance around the management system pattern familiar from ISO 27001 — context of the organisation, leadership, planning, support, operation, performance evaluation and improvement. Annex A specifies 38 controls across nine objectives covering policies, internal organisation, resources, AI system lifecycle, third-party relationships, customer relationships, AI impact assessments and reporting. Each control must be implemented or excluded with documented justification.

Certification is increasingly procurement-relevant. Enterprise procurement teams in EU financial services, healthcare and critical infrastructure are beginning to scope ISO 42001 certification as a vendor requirement. The Brussels effect — EU regulatory frameworks influencing global procurement — applies. Certification has a 12-18 month build cycle including pre-audit gap analysis, implementation, internal audit and certification audit.

ISO 42001 is the first AI standard your procurement team can verify independently — auditors verify the certificate, not your word.

The artefact, not the certificate

The certificate is the visible signal. The substantive artefacts are the AIMS records the certification body examines — the AI policy, the impact assessments, the Annex A control evidence, the internal audit reports, the management review minutes. These documents are the substance of certification. The certificate is the receipt.

Hael generates these documents from operational state. The AI policy references the agent registry and the policy library. Impact assessments are generated from the fundamental rights assessment workflow. Annex A control evidence is collected continuously by the evidence collectors. Internal audit reports are generated from the audit chain. Management review minutes are generated from the governance decision records. Each document arrives as a portable, hash-chained PDF sealed with cryptographic provenance.

How Hael runs it

Hael ships a complete ISO/IEC 42001 implementation surface. The 38 Annex A controls are mapped against substantive evidence collectors, with each control's implementation status, evidence references and audit-ready artefacts visible per agent and per organisation. The AIMS structure — context, leadership, planning, support, operation, performance evaluation, improvement — is reflected in the platform's module organisation.

A pre-audit readiness report summarises Annex A coverage and surfaces gaps before the certification body arrives. During the audit, the auditor receives scoped access to the platform's audit chain and can verify hash-chained evidence in real time. Certification audits that historically required weeks of evidence gathering complete within days when the substantive evidence is already sealed and verifiable.
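To make the "hash-chained evidence" and "verify in real time" claims concrete, here is an added illustration of how such a chain is typically built and checked. It is not Hael's code and describes nothing about the platform's internals; every record, agent name and key below is constructed for the example. Each evidence record commits to the SHA-256 of the previous record, so editing any record in place breaks the chain at that index. The example also shows the caveat a practitioner should know: an attacker who can rewrite every later record can produce a chain that verifies, so the chain head must be anchored independently. The HMAC seal here stands in for whatever external anchor a real system uses (a signature under a key the log writer does not hold, or a trusted timestamp).

```python
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Hash of "nothing": the prev_hash of the first record.
GENESIS = "0" * 64


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class EvidenceRecord:
    seq: int          # position in the chain
    control: str      # Annex A control the evidence supports
    agent: str        # constructed agent identifier
    summary: str      # what was observed
    prev_hash: str    # digest of the previous record
    digest: str = ""  # SHA-256 over all other fields

    def compute_digest(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "digest"}
        return hashlib.sha256(canonical(body)).hexdigest()


class EvidenceChain:
    def __init__(self) -> None:
        self.records: List[EvidenceRecord] = []

    def append(self, control: str, agent: str, summary: str) -> EvidenceRecord:
        prev = self.records[-1].digest if self.records else GENESIS
        rec = EvidenceRecord(len(self.records), control, agent, summary, prev)
        rec.digest = rec.compute_digest()
        self.records.append(rec)
        return rec

    def head(self) -> str:
        return self.records[-1].digest if self.records else GENESIS


def verify_chain(records: List[EvidenceRecord]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record."""
    expected_prev = GENESIS
    for i, rec in enumerate(records):
        if rec.seq != i or rec.prev_hash != expected_prev:
            return i
        if rec.compute_digest() != rec.digest:
            return i
        expected_prev = rec.digest
    return None


def seal_head(head_hash: str, key: bytes) -> str:
    """Stand-in for an external anchor: a keyed MAC over the chain head."""
    return hmac.new(key, head_hash.encode(), hashlib.sha256).hexdigest()


def verify_sealed(records: List[EvidenceRecord], seal: str, key: bytes) -> bool:
    """Chain must be internally consistent AND match the anchored head."""
    if verify_chain(records) is not None:
        return False
    head = records[-1].digest if records else GENESIS
    return hmac.compare_digest(seal_head(head, key), seal)


def demo() -> dict:
    key = b"constructed-demo-anchor-key"  # constructed; not a real deployment key
    chain = EvidenceChain()
    chain.append("A.6.2.8", "agent-42", "event log rotated and archived")
    chain.append("A.5.3", "agent-42", "impact assessment v3 approved")
    chain.append("A.6.2.4", "agent-42", "validation suite passed 128/128")
    seal = seal_head(chain.head(), key)  # anchored at sealing time

    intact = verify_chain(chain.records)  # None: chain is good

    # In-place edit of one record: detected at that index.
    tampered = copy.deepcopy(chain.records)
    tampered[1].summary = "impact assessment v3 approved (no findings)"
    first_bad = verify_chain(tampered)  # 1

    # Full rewrite from the edited record onward: chain check alone passes,
    # but the head no longer matches the seal.
    rewritten = copy.deepcopy(tampered)
    for i in range(1, len(rewritten)):
        rewritten[i].prev_hash = rewritten[i - 1].digest
        rewritten[i].digest = rewritten[i].compute_digest()
    chain_ok_after_rewrite = verify_chain(rewritten) is None  # True
    seal_ok_after_rewrite = verify_sealed(rewritten, seal, key)  # False

    return {
        "intact": intact,
        "first_bad": first_bad,
        "chain_ok_after_rewrite": chain_ok_after_rewrite,
        "seal_ok_after_rewrite": seal_ok_after_rewrite,
    }


if __name__ == "__main__":
    print(demo())
```

The point for an auditor is the last two results: internal consistency of a hash chain is necessary but not sufficient, and the question to ask of any "sealed" evidence store is where the head hash is anchored and who holds the key that anchors it.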

Certification audits complete in days when the evidence is already sealed and verifiable.

| Annex A | Objective | Coverage | How Hael runs it |
|---|---|---|---|
| A.2.2 | AI policy | Full | Policy library with version control and approval workflow |
| A.2.3 | Alignment with other policies | Full | Cross-policy reference engine |
| A.3.2 | AI roles and responsibilities | Full | Per-agent ownership and oversight assignments |
| A.3.3 | Reporting of AI-related concerns | Full | Incident reporting channel sealed in audit chain |
| A.4.2 | Resources for AI systems | Full | Resource attribution in management records |
| A.4.3 | Tooling resources | Full | Tool inventory and vendor governance |
| A.4.4 | System and computing resources | Full | Infrastructure attribution per agent |
| A.4.5 | Human resources | Full | Role-based access and capability records |
| A.4.6 | Data resources | Full | Data lineage and provenance per agent |
| A.5.2 | AI system impact assessment process | Full | Fundamental rights and impact assessment workflow |
| A.5.3 | Documentation of impact assessments | Full | Assessment artefact generation with sealed provenance |
| A.5.4 | Assessing impacts on individuals or groups | Full | Bias evaluation and demographic impact analysis |
| A.5.5 | Assessing societal impacts | Full | Societal impact assessment artefact |
| A.6.1.1 | Objectives for responsible AI development | Full | Per-agent responsible AI objectives in registry |
| A.6.1.2 | Processes for responsible design and development | Full | Lifecycle state machine with documented gates |
| A.6.2.2 | AI system requirements and specification | Full | Requirements register per agent |
| A.6.2.3 | Documentation of design and development | Full | Auto-generated technical documentation |
| A.6.2.4 | Verification and validation measures | Full | V&V evidence collectors and test result archives |
| A.6.2.5 | AI system deployment | Full | Deployment records with environment binding |
| A.6.2.6 | AI system operation and monitoring | Full | Post-deployment monitoring, continuous capture |
| A.6.2.7 | AI system technical documentation | Full | Annex IV-aligned technical file generation |
| A.6.2.8 | Recording of event logs | Full | Hash-chained event log per agent |
| A.7.2 | Data for development and enhancement | Full | Training data lineage and quality records |
| A.7.3 | Acquisition of data | Full | Data acquisition provenance and licensing records |
| A.7.4 | Quality of data | Full | Data quality assessment artefact |
| A.7.5 | Data provenance | Full | End-to-end data lineage per agent |
| A.7.6 | Data preparation | Full | Preparation workflow records sealed in audit chain |
| A.8.2 | System documentation for users | Full | User-facing documentation generation |
| A.8.3 | External reporting | Full | Regulator-facing reporting workflows |
| A.8.4 | Communication of incidents | Full | Incident notification routing |
| A.8.5 | Information for interested parties | Full | Stakeholder communication records |
| A.9.2 | Processes for responsible use | Full | Acceptable use policy enforcement |
| A.9.3 | Objectives for responsible use | Full | Per-agent responsible use objectives |
| A.9.4 | Intended use | Full | Use-case binding in agent registry |
| A.10.2 | Allocation of responsibilities | Full | Multi-tenant responsibility allocation |
| A.10.3 | Suppliers | Full | Vendor governance and assessment workflows |
| A.10.4 | Customers | Full | Customer relationship records per multi-tenant deployment |

Questions

Is ISO/IEC 42001 certification mandatory?

ISO/IEC 42001 is a voluntary standard. Certification is increasingly procurement-relevant for enterprise vendors in EU financial services, healthcare and critical infrastructure. Some organisations seek certification as a market differentiator; others as a procurement prerequisite their customers demand.

How long does ISO 42001 certification take?

Typical certification cycle is 12-18 months from initial gap analysis through pre-audit, implementation, internal audit and certification audit. Hael compresses this materially — much of the Annex A control evidence is sealed continuously from day one, so when the certification body arrives, evidence is already verifiable.

Can Hael generate the AIMS documentation a UKAS-accredited certification body will accept?

Yes. Hael generates the AI policy, impact assessment artefacts, Annex A control evidence, internal audit reports and management review minutes from operational state. The certification body audits the substantive evidence, not the document format. Hash-chained provenance lets the auditor verify evidence integrity in real time.

How does ISO 42001 relate to ISO 27001?

ISO 42001 is the AI-specific complement to ISO 27001. The two share the management system pattern (context, leadership, planning, support, operation, performance evaluation, improvement) and integrate cleanly. Organisations holding ISO 27001 typically achieve ISO 42001 faster because the management system structure is already in place.

How does ISO 42001 relate to the EU AI Act?

ISO 42001 is a horizontal management system standard; the EU AI Act is sector-specific risk regulation with high-risk system obligations. They overlap but do not substitute for one another. ISO 42001 certification signals organisational AI governance maturity; EU AI Act Article 11 technical files signal system-specific conformity. Hael produces both artefacts from a single evidence base — AIMS records for the certification body, Annex IV files for the notified body and competent authority.

See Hael run your ISO 42001 implementation.

A scoped four-week proof-of-value: map your AI systems to Annex A, seal your first quarter of control evidence, prepare for certification audit.
