The adoption and development of AI is progressing rapidly, but as this technology evolves it also poses significant cybersecurity and data privacy risks to organizations.

One standard has now emerged which aims to support the responsible development and use of AI systems, the Artificial Intelligence Management System (AIMS) ISO/IEC 42001.

ISO/IEC 42001 was first published as an international standard at the end of 2023 by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

The British Standards Institution (BSI), in its role as the UK’s national standards body, has been offering ISO/IEC 42001 certification since January 2024, and has reported strong interest and rapid uptake.

Meanwhile, global assurance partner LRQA recently launched its own ISO 42001 certification service. Many other firms, including some leading accountancy firms, are also launching AI auditing programs as interest in AI assurance grows.

Shirish Bapat, AI & cybersecurity product leader for LRQA, told Infosecurity, “Interest in ISO 42001 is growing rapidly and is expected to scale significantly over the next 12 months. Over the next two to three years, we anticipate a broad uptake across sectors.”

It is vital that cybersecurity professionals understand the standard and begin work towards achieving certification.

Aims of ISO 42001 and Who it Applies To

The overall aim of ISO 42001 is to guide organizations in responsible development and use of AI.

It outlines requirements and guidelines for establishing, implementing, maintaining and continually improving an AI management system based on the context of an organization.

Therefore, it applies both to companies that develop their own AI systems and to those using AI to enhance products, services and internal workflows. It is also industry-agnostic and can be applied by organizations of any size.

Bapat told Infosecurity, “AI is quickly becoming foundational to how business is done, whether you’re building models or not. Your competitors, customers and partners are adopting AI tools and understanding how these systems work will be critical to staying relevant.”

ISO 42001 provides a clear and structured way to understand and manage the risks, responsibilities and opportunities associated with AI.

The standard focuses on addressing aspects specific to AI such as unwanted bias, fairness, inclusiveness, safety, security, privacy, accountability, explainability and transparency.

Mark Thirlwell, global digital director at BSI, told Infosecurity, “As with all management systems, it takes a risk-based approach and uses a consistent high-level structure with existing management system standards, allowing them to be used together. It enables organizations to apply appropriate controls aligned to their development and/or use of AI, supporting balance between governance and innovation.”

The timeline for achieving the ISO 42001 standard varies between organizations but typically takes between six and 12 months.

Why ISO 42001 is Relevant to Cybersecurity Professionals

AI is another technology that brings cybersecurity and data privacy risks to any organization developing or deploying it.

ISO 42001 focuses on AI lifecycle management, which includes addressing cyber risks.

Thirlwell said, “Cybersecurity practitioners will be called upon to contribute, collaborate and support the implementation and continual improvements that address the associated cyber risks required by ISO/IEC 42001 to help ensure safe and responsible AI deployment and use.”

However, he noted that ISO 42001 is not suited to providing comprehensive cybersecurity and privacy management guidance. Instead, other established standards, such as the information security management system standard (ISO/IEC 27001), should be the go-to for cyber practitioners, used alongside ISO/IEC 42001.